Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-11-2022 04:32
Behavioral task: behavioral1
Sample: d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe
Resource: win10v2004-20220901-en
General
Target: d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe
Size: 7KB
MD5: 0e23d1a8ca65a4067e50718305cd8956
SHA1: 3d85d49bc151777e6553953dadd798fea00a8d15
SHA256: d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211
SHA512: 83ff6076fe686313f5872371f3ca719d8fca460fca4f83e42c458b6644ae605bf7e36c0e7a9d9d473bcb86cda05c6c4953a493d79e0a5e9612e55e43389b9eba
SSDEEP: 192:Szdrr1FG1WDCgmjPZUy9mNIFM5wQGyMUA:Sprr1gkDCgSMIFMVXMB
Malware Config
Signatures
-
Detected Xorist Ransomware 1 IoCs
Processes (resource / yara_rule):
behavioral2/memory/3564-133-0x0000000000400000-0x000000000040C000-memory.dmp  family_xorist
Xorist Ransomware
Xorist is a ransomware family first seen in 2020.
-
Drops file in Drivers directory 3 IoCs
Process: d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe (for every event below)
File created C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt
Note on the file name: ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt is the Windows-1251 (Cyrillic) string КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt ("HOW TO DECRYPT FILES.txt") as displayed through the en-US sandbox's code page; the sample writes its ransom note under this name into every directory listed in the file-drop signatures that follow, which makes the name itself a usable detection artifact.
-
(signature name missing from source; yara rule matches)
Processes (resource / yara_rule):
behavioral2/memory/3564-132-0x0000000000400000-0x000000000040C000-memory.dmp  upx
behavioral2/memory/3564-133-0x0000000000400000-0x000000000040C000-memory.dmp  upx
-
Drops startup file 1 IoCs
Process: d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Process: d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe (for both events below)
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e2I44i200Tf2UUn.exe"
-
Drops file in System32 directory 64 IoCs
Process: d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe (for every event below)
File created C:\Windows\System32\DriverStore\FileRepository\iagpio.inf_amd64_07b64df61e783bfe\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\mdmdsi.inf_amd64_0b96cc4cfeb2cbf8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\mdmlasat.inf_amd64_36a71a022d8bb0bb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\InstallShield\setupdir\0015\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\ru-RU\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\lsi_sss.inf_amd64_503a2398f4c86893\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\mdmpenr.inf_amd64_20c8782372e47bd2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\rdpidd.inf_amd64_ce12c614d182f4f9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\transfercable.inf_amd64_911a60fb265ff111\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\iscsi.inf_amd64_c089962740ea1f84\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\mdmtdkj3.inf_amd64_9658f2eb83f061c9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\mdmvv.inf_amd64_26dc960cc4c84207\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\netwns64.inf_amd64_162bb49f925c6463\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\mdmtdkj7.inf_amd64_161e1375bcff85d9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\sisraid4.inf_amd64_65ab84e9830f6f4b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\InstallShield\setupdir\0012\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\intelta.inf_amd64_ba962d801a22973c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\netax88772.inf_amd64_5d1c92f42d958529\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\ndisvirtualbus.inf_amd64_e8d548ad6f0a613a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\virtdisk.inf_amd64_9a7f42b85c7def50\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\Speech_OneCore\Engines\SR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DeliveryOptimization\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\netwtw02.inf_amd64_42e02bae858d0fbd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\smrdisk.inf_amd64_f945aad6094163f4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\wpdfs.inf_amd64_1183fd0f13045f2e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSecurity\en\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\winrm\0409\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\zh-TW\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\ialpss2i_gpio2_skl.inf_amd64_b68199ad84607c21\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\mdmbtmdm.inf_amd64_9e5602638617558e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\netv1x64.inf_amd64_30040c3eb9d7ade4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\netvf63a.inf_amd64_a090e6cfaf18cb5c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\netwtw04.inf_amd64_c8f5ae6576289a2d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\vsmraid.inf_amd64_3d2bbc45931b8232\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification C:\Windows\SysWOW64\DefaultAccountTile.png
File created C:\Windows\System32\DriverStore\FileRepository\c_61883.inf_amd64_2c1769df23d261a5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\mdmagm64.inf_amd64_7f60bc7ff484a292\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\miradisp.inf_amd64_14cd3615d012fdf0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\usbstor.inf_amd64_2be0e52237040d42\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\audioendpoint.inf_amd64_4fc4a632c1490033\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\c_pnpprinters.inf_amd64_0c653d53a35b896c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ScriptResource\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\c_processor.inf_amd64_4431cc603de6e020\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\mssmbios.inf_amd64_9fc7fe03de136fc1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\mdmcxpv6.inf_amd64_46a3b42507e9d29e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\InstallShield\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Examples\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\compositebus.inf_amd64_7500cffa210c6946\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\c_net.inf_amd64_32a9ad23c1ecc42d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\net7500-x64-n650f.inf_amd64_cc87c915f33d1c27\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\netr7364.inf_amd64_310ee0bc0af86ba3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\smartsamd.inf_amd64_2238284d493e89f4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\wsdprint.inf_amd64_b616bed30e8928ca\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\msdri.inf_amd64_97bef65a8432edd4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\netirda.inf_amd64_186702cd081cddb0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\netr28x.inf_amd64_5d63c7bcbf29107f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\InstallShield\setupdir\0005\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_0e2452f597790e95\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\rtwlanu_oldic.inf_amd64_1a82423cc076e882\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
-
Drops file in Program Files directory 64 IoCs
Process: d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe (for every event below)
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarBadge.scale-400.png
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.scale-200.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_contrast-white.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleSplashScreen.scale-200.png
File created C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptySearch.scale-150.png
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarWideTile.scale-150.png
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ru-ru\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_small.png
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\THMBNAIL.PNG
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-125_contrast-white.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedWideTile.scale-100.png
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-125_contrast-white.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\91.jpg
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-150_contrast-white.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-32_contrast-black.png
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteSmallTile.scale-200.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_altform-unplated_contrast-white.png
File created C:\Program Files\VideoLAN\VLC\plugins\video_chroma\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.altform-unplated_targetsize-256.png
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-40.png
File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeBadge.scale-150.png
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\kb-locked.png
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockLargeTile.contrast-black_scale-125.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-125_contrast-white.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageSmallTile.scale-125.png
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-64_altform-unplated.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireLargeTile.scale-100.jpg
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.scale-200_contrast-white.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookLargeTile.scale-400.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-36_contrast-white.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupMedTile.scale-125.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-32_altform-unplated.png
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeSmallTile.scale-150.png
File created C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\SmallTile.scale-125.png
File created C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\combine_poster.jpg
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\dd_arrow_small2x.png
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\AboutAdsGenericBackgroundImage.jpg
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxAccountsSplashLogo.scale-180.png
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-80.png
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-il\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\SoftLandingAssetLight.gif
File created C:\Program Files\Common Files\Services\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.scale-200.png
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sk-sk\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Program Files\VideoLAN\VLC\plugins\audio_filter\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_altform-unplated_contrast-white.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-80.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_altform-unplated_contrast-white.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-100_contrast-black.png
-
Drops file in Windows directory 64 IoCs
Process: d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe (for every event below)
File created C:\Windows\PrintDialog\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\WinSxS\amd64_microsoft-windows-certutil_31bf3856ad364e35_10.0.19041.746_none_937e52b9922bd791\f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..ast-white.searchapp_31bf3856ad364e35_10.0.19041.1_none_2f147508fcb33106\AppListIcon.targetsize-96.png
File created C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.1288_none_f92f7256107c0e35\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\WinSxS\amd64_microsoft-windows-devicemanagement-iri_31bf3856ad364e35_10.0.19041.546_none_b425ac75ebed1813\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\WinSxS\amd64_microsoft-windows-directx-warp10_31bf3856ad364e35_10.0.19041.546_none_c85ceae4b57ba8f8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\images\NetworkProfilesWhite.png
File opened for modification C:\Windows\SystemResources\Windows.UI.AccountsControl\Images\Generic.Theme-Light_Scale-300.png
File created C:\Windows\WinSxS\amd64_dual_mdmsupr3.inf_31bf3856ad364e35_10.0.19041.1_none_9d509121d5c7ad2a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\WinSxS\amd64_hyperv-commandline-tool_31bf3856ad364e35_10.0.19041.928_none_0b17415ae0dd0379\f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.423_none_bfcb7b02f95b1e52\PeopleLogo.targetsize-72_altform-unplated.png
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\serviceworker\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\WinSxS\amd64_microsoft-windows-cng_31bf3856ad364e35_10.0.19041.1202_none_1dab520e105346c7\f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\WinSxS\amd64_microsoft-windows-ie-f12app_31bf3856ad364e35_11.0.19041.746_none_9058677ca855be17\f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\WinSxS\amd64_microsoft-windows-iis-logginglibraries_31bf3856ad364e35_10.0.19041.746_none_f529c07d28ecf28b\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\WinSxS\amd64_microsoft-windows-defaultprinterprovider_31bf3856ad364e35_10.0.19041.746_none_0c7e285ba09702c9\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..switch-toasthandler_31bf3856ad364e35_10.0.19041.746_none_a89196e695076787\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\WinSxS\amd64_microsoft-windows-mp3dmod_31bf3856ad364e35_10.0.19041.1_none_a30c376a7909e783\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..nalservices-sysprep_31bf3856ad364e35_10.0.19041.1_none_e78aa3d4e79f21f4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\assembly\GAC_MSIL\UIAutomationClient\3.0.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\WinSxS\amd64_dual_acpi.inf_31bf3856ad364e35_10.0.19041.964_none_3d9d158f5b388140\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\WinSxS\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_ru-ru_7dea1a14d94f7091\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..es-picker-component_31bf3856ad364e35_10.0.19041.906_none_bfcc3d4876fc4c1f\f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\WinSxS\amd64_microsoft-windows-isoburn_31bf3856ad364e35_10.0.19041.746_none_c42bf1ebf80a8661\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..rience-api-internal_31bf3856ad364e35_10.0.19041.746_none_dedc2b1c9e353fad\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\WinSxS\amd64_microsoft-windows-nwifi.resources_31bf3856ad364e35_10.0.19041.1_en-us_c8070434a22590cd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\WinSxS\amd64_microsoft-windows-rasmanservice_31bf3856ad364e35_10.0.19041.1_none_54aea3c5400609d4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification C:\Windows\SystemResources\Windows.UI.ShellCommon\Images\DefaultSystemNotification.contrast-black_scale-100.png
File created C:\Windows\WinSxS\amd64_dual_mdmcpq2.inf_31bf3856ad364e35_10.0.19041.1_none_e5c11eb760839dd1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\WinSxS\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_10.0.19041.1023_nb-no_1a9a8ae9acee4716\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..-mdmlocalmanagement_31bf3856ad364e35_10.0.19041.789_none_f45ee311420162d8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\WinSxS\amd64_microsoft-windows-securestartup-wmi_31bf3856ad364e35_10.0.19041.746_none_3e7ba09ee41e5f27\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..tingshandlers-mouse_31bf3856ad364e35_10.0.19041.1_none_ac28a988f4f92e70\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\WinSxS\amd64_microsoft-windows-edp-wpbcreds-library_31bf3856ad364e35_10.0.19041.1_none_9842846a8fd6ee3d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\WinSxS\amd64_microsoft-windows-efs-util-library_31bf3856ad364e35_10.0.19041.1_none_fd0a6eeb422c1af6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\WinSxS\amd64_microsoft-windows-l..installer.resources_31bf3856ad364e35_10.0.19041.1_en-us_8647fe1045d36986\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created
C:\Windows\WinSxS\amd64_microsoft-windows-onesettings-client_31bf3856ad364e35_10.0.19041.1081_none_66295e7d82f89799\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe File created C:\Windows\Boot\PCAT\pt-BR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe File created C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\dom\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-s..tentdeliverymanager_31bf3856ad364e35_10.0.19041.1_none_6d74897c296d96bb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-infdefaultinstall_31bf3856ad364e35_10.0.19041.1_none_228591433b6cf074\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\prevTab.png d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\debugger\images\notAFunctionIcon.png d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe File created C:\Windows\WinSxS\amd64_dual_mdmirmdm.inf_31bf3856ad364e35_10.0.19041.985_none_4491852228621c15\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-classic_31bf3856ad364e35_10.0.19041.1_none_474afc3cae0e2e07\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 
d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1202_none_8f7e37524c3e1a13\wide.Holographic.png d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe File created C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\pris\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\emulation.html d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-logon-adm_31bf3856ad364e35_10.0.19041.1_none_8b29e3f7feaadedf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\MicrosoftEdgeWide310x150.scale-125_contrast-black.png d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe File created C:\Windows\WinSxS\amd64_dual_nete1e3e.inf_31bf3856ad364e35_10.0.19041.1_none_013962e05f5ca163\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe File created C:\Windows\WinSxS\amd64_microsoft-hyper-v-i..nents-rdv.resources_31bf3856ad364e35_10.0.19041.1_en-us_b3d1ef0d088d6955\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe File created C:\Windows\WinSxS\amd64_microsoft-onecore-l..languageoverlayutil_31bf3856ad364e35_10.0.19041.546_none_a647e86c9b1725c8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 
d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-ie-directxtransforms_31bf3856ad364e35_11.0.19041.746_none_b977adcf09e7ef15\f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-telephony-phoneom_31bf3856ad364e35_10.0.19041.264_none_c73a0b319d0e14ed\f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ager-ghostextension_31bf3856ad364e35_10.0.19041.1_none_6420bfa818ce1255\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_pt-pt_27c484472992a5c6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-moricons_31bf3856ad364e35_10.0.19041.1_none_9b0bf5fd83fe7629\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-rasgetconnectedwizard_31bf3856ad364e35_10.0.19041.867_none_17f88bb52b16a93d\f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-d..show-core.resources_31bf3856ad364e35_10.0.19041.1_en-us_04e9f26add315296\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-fileexplorer.appxmain_31bf3856ad364e35_10.0.19041.153_none_47569e595c44e70c\SquareTile44x44.targetsize-48_altform-unplated_contrast-white_devicefamily-colorfulunplated.png d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe File created 
C:\Windows\WinSxS\amd64_microsoft-windows-m...appxmain.resources_31bf3856ad364e35_10.0.19041.1_el-gr_00935be9c1a7b00f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe -
Modifies registry class 10 IoCs
Processes:
d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe
description | ioc | process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DSRHMQACJKQPLWP | d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DSRHMQACJKQPLWP\ = "CRYPTED!" | d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DSRHMQACJKQPLWP\DefaultIcon | d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DSRHMQACJKQPLWP\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e2I44i200Tf2UUn.exe,0" | d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DSRHMQACJKQPLWP\shell\open\command | d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd | d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "DSRHMQACJKQPLWP" | d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DSRHMQACJKQPLWP\shell | d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DSRHMQACJKQPLWP\shell\open | d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DSRHMQACJKQPLWP\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e2I44i200Tf2UUn.exe" | d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d1caaaef83891f6d7b60a0acff4cea5fab6632942efef71dd8d53df07ec67211.exe"
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID: 3564