Analysis
max time kernel: 141s
max time network: 52s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 07-11-2022 04:32
Behavioral task: behavioral1
Sample: 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe
Resource: win7-20220901-en
Behavioral task: behavioral2
Sample: 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe
Resource: win10v2004-20220812-en
General
Target: 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe
Size: 7KB
MD5: 0e2b1f1c0abb115f4514a05212a20233
SHA1: afe35725bb3e6dfaff5db8335d017ebafecb94f3
SHA256: 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2
SHA512: 3f840cb63c67cd1a14c2376438420e70531e85c26021b9315910c4f409a7ac8bafb7b54b36b2a6d9c63e8e1e65922637e3319cdddf2fd33209e4c644dafd1b0b
SSDEEP: 192:zzdrr1FG1WDCgmjPZvoAYmpiE/5eb2MUA:zprr1gkDCgSlVXeiMB
Malware Config
Signatures
Detected Xorist Ransomware 3 IoCs
resource | yara_rule
behavioral1/memory/1768-55-0x0000000000400000-0x000000000040C000-memory.dmp | family_xorist
behavioral1/memory/1768-56-0x0000000000400000-0x000000000040C000-memory.dmp | family_xorist
behavioral1/memory/1768-57-0x0000000000400000-0x000000000040C000-memory.dmp | family_xorist
Xorist Ransomware
Xorist is a ransomware family first seen in 2020.
Drops file in Drivers directory 8 IoCs
Process: 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe
(The dropped file name "ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt" is the Windows-1251 Cyrillic string "КАК РАСШИФРОВАТЬ ФАЙЛЫ", "HOW TO DECRYPT FILES", rendered through a Latin-1 code page; it is the ransom note.)
File created: C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Windows\SysWOW64\drivers\gmreadme.txt
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
Process: 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe
File renamed: C:\Users\Admin\Pictures\ExitRestore.png => C:\Users\Admin\Pictures\ExitRestore.png.EnCiPhErEd
YARA rule match: upx
resource | yara_rule
behavioral1/memory/1768-55-0x0000000000400000-0x000000000040C000-memory.dmp | upx
behavioral1/memory/1768-56-0x0000000000400000-0x000000000040C000-memory.dmp | upx
behavioral1/memory/1768-57-0x0000000000400000-0x000000000040C000-memory.dmp | upx
Drops startup file 1 IoCs
Process: 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
Process: 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe
Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\57wobqhZ98OrXG8.exe"
Drops file in System32 directory 64 IoCs
Process: 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe
File created: C:\Windows\System32\DriverStore\FileRepository\net44amd.inf_amd64_neutral_db76873d4261eb11\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\SysWOW64\en-US\Licenses\_Default\EnterpriseN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\System32\DriverStore\FileRepository\mdmatm2k.inf_amd64_neutral_64a8fb018ead55a7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote_FAQ.help.txt
File opened for modification: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_PSSnapins.help.txt
File opened for modification: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Windows_PowerShell_ISE.help.txt
File created: C:\Windows\System32\DriverStore\FileRepository\prnlx007.inf_amd64_neutral_0b796ee4978458e2\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\System32\DriverStore\FileRepository\prnlx00b.inf_amd64_neutral_89b555703683b583\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\SysWOW64\es-ES\Licenses\_Default\EnterpriseN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_eventlogs.help.txt
File opened for modification: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Session_Configurations.help.txt
File opened for modification: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Line_Editing.help.txt
File opened for modification: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_trap.help.txt
File created: C:\Windows\System32\DriverStore\FileRepository\amdsbs.inf_amd64_neutral_5cae6933bef20aa8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\System32\DriverStore\FileRepository\mdmbtmdm.inf_amd64_neutral_2e4da8629fc5904e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\System32\DriverStore\FileRepository\mdmrock4.inf_amd64_neutral_e45293c539584293\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\SysWOW64\en-US\Licenses\_Default\UltimateN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\SysWOW64\es-ES\Licenses\_Default\EnterpriseE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\SysWOW64\it-IT\Licenses\eval\HomePremium\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_remote_FAQ.help.txt
File created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\System32\DriverStore\FileRepository\prnep00a.inf_amd64_neutral_92a4c727cdf4c2f7\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\System32\DriverStore\FileRepository\prnts002.inf_amd64_neutral_ad2aa922aa11af2c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\SysWOW64\en-US\Licenses\eval\HomePremiumN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt
File opened for modification: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_aliases.help.txt
File created: C:\Windows\System32\DriverStore\FileRepository\divacx64.inf_amd64_neutral_fa0f82f024789743\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\System32\DriverStore\FileRepository\mdmmcom.inf_amd64_neutral_716a306ec3899e04\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_neutral_4616c3de1949be6d\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\SysWOW64\es-ES\Licenses\eval\UltimateN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\SysWOW64\slmgr\0C0A\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\SysWOW64\fr-FR\Licenses\_Default\StarterN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\System32\DriverStore\FileRepository\mdmgl003.inf_amd64_neutral_4c78da9e48068043\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\System32\DriverStore\FileRepository\nulhpopr.inf_amd64_neutral_e078ec466987bb3b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\System32\DriverStore\FileRepository\prncs302.inf_amd64_ja-jp_96eca15be06b1482\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_locations.help.txt
File opened for modification: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_types.ps1xml.help.txt
File created: C:\Windows\SysWOW64\de-DE\Licenses\eval\Ultimate\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Switch.help.txt
File opened for modification: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Automatic_Variables.help.txt
File created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\SysWOW64\XPSViewer\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\System32\DriverStore\FileRepository\wceisvista.inf_amd64_neutral_3500779911f7f3ca\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\SysWOW64\WCN\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_remote_output.help.txt
File opened for modification: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_escape_characters.help.txt
File opened for modification: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Automatic_Variables.help.txt
File created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\System32\DriverStore\FileRepository\netefe3e.inf_amd64_neutral_b71dd3dadc5c3e27\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\System32\DriverStore\FileRepository\prnrc004.inf_amd64_neutral_bbd3435eeaf576ee\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\SysWOW64\en-US\Licenses\eval\EnterpriseE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Arithmetic_Operators.help.txt
File created: C:\Windows\SysWOW64\en-US\Licenses\_Default\HomeBasicN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\SysWOW64\es-ES\Licenses\eval\StarterN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\SysWOW64\fr-FR\Licenses\eval\HomeBasicE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Windows_PowerShell_2.0.help.txt
File opened for modification: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Throw.help.txt
File opened for modification: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_requires.help.txt
File created: C:\Windows\SysWOW64\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_WS-Management_Cmdlets.help.txt
File opened for modification: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_preference_variables.help.txt
File opened for modification: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Switch.help.txt
File created: C:\Windows\System32\DriverStore\FileRepository\mdmdsi.inf_amd64_neutral_e77f438012239042\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\System32\DriverStore\FileRepository\prnep00f.inf_amd64_neutral_a5f6001b957bd7e0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
Drops file in Program Files directory 64 IoCs
Process: 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe
File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot_lrg.png
File created: C:\Program Files (x86)\Common Files\System\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\cpu.html
File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent_partly-cloudy.png
File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
File created: C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\SectionHeading.jpg
File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_ButtonGraphic.png
File created: C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Program Files\VideoLAN\VLC\THANKS.txt
File created: C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02073_.GIF
File created: C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_m.png
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_dot.png
File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\PREVIEW.GIF
File created: C:\Program Files (x86)\Common Files\System\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143758.GIF
File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent_partly-cloudy.png
File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv
File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14831_.GIF
File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21435_.GIF
File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_foggy.png
File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_rest.png
File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\36.png
File created: C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsMacroTemplate.html
File created: C:\Program Files (x86)\Windows Media Player\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-background.png
File created: C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\BUTTON.GIF
File created: C:\Program Files (x86)\Windows NT\Accessories\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\43.png
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\6.png
File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\drag.png
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_left.png
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\TAB_OFF.GIF
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_choosecolor.gif
File opened for modification: C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt
File created: C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR1B.GIF
File created: C:\Program Files\Common Files\Microsoft Shared\VC\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Program Files\Windows Photo Viewer\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\notConnectedStateIcon.png
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309480.JPG
File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Program Files\Microsoft Games\More Games\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341742.JPG
File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\square_settings.png
File created: C:\Program Files (x86)\Windows Sidebar\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewTemplate.html
File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_down.png
File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\20.png
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_hover.png
File created: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03224I.JPG
File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\search_background.png
File created: C:\Program Files\Java\jre7\lib\zi\America\Argentina\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
Drops file in Windows directory 64 IoCs
Process: 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe
File created: C:\Windows\winsxs\amd64_microsoft-windows-cabinet_31bf3856ad364e35_6.1.7601.17514_none_9565568bf88b3e87\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Windows\winsxs\amd64_microsoft-windows-gadgets-calendar_31bf3856ad364e35_6.1.7600.16385_none_6a1946701e0df451\calendar_ring_docked.png
File created: C:\Windows\winsxs\x86_microsoft-windows-spp-main.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c08b90a4bb1ab825\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_prov_res_b03f5f7f11d50a3a_6.1.7600.16385_none_6eabfbd9c29ea607\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\winsxs\amd64_acpipmi.inf_31bf3856ad364e35_6.1.7601.17514_none_05a4bc65d71b80df\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\winsxs\amd64_microsoft-windows-c..rdefaults.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3bea54d2325ca7c7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\winsxs\amd64_microsoft-windows-d..fontcache.resources_31bf3856ad364e35_6.1.7600.16385_de-de_83e1d091bc0e4461\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\winsxs\amd64_mmcss.resources_31bf3856ad364e35_6.1.7600.16385_en-us_09bf5a3650f45d86\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\winsxs\amd64_microsoft-windows-g..-base-mof.resources_31bf3856ad364e35_6.1.7600.16385_de-de_53ae4608ceb96739\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Windows\winsxs\amd64_microsoft-windows-gpupipeline_31bf3856ad364e35_6.1.7601.17514_none_5a5226e685faba67\DissolveNoise.png
File created: C:\Windows\winsxs\amd64_microsoft-windows-o..tend-apis.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_a08d02ec66c8423c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\winsxs\amd64_microsoft-windows-s..-shanghai.resources_31bf3856ad364e35_6.1.7600.16385_en-us_204f30c8ec23dd29\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\winsxs\wow64_microsoft-windows-m..icecommon.resources_31bf3856ad364e35_6.1.7600.16385_it-it_24b48d18a44edf57\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\winsxs\amd64_microsoft-windows-efs-rekeywiz.resources_31bf3856ad364e35_6.1.7600.16385_en-us_15495050540f23f5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\winsxs\amd64_microsoft-windows-n..on-hkmsvc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3d196b6ed0053263\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\default.help.txt
File created: C:\Windows\winsxs\x86_microsoft-windows-rascmdial.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5d99feca13c176bb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_sl-si_3f6b10d89edede9d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\winsxs\amd64_microsoft-windows-ddodiag_31bf3856ad364e35_6.1.7600.16385_none_924b83b9b69fb351\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\winsxs\amd64_microsoft-windows-deltapackageexpander_31bf3856ad364e35_6.1.7601.17514_none_c8049b9e4ba7658c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\winsxs\amd64_microsoft-windows-m..oundation.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8d20ddd4c89472ca\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\winsxs\amd64_microsoft-windows-t..iprovider.resources_31bf3856ad364e35_6.1.7601.17514_en-us_1a5dc897f38ca68b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\winsxs\x86_microsoft-windows-d..rectinput.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ace620dc11abf22a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\winsxs\amd64_microsoft-windows-halftone-ui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c5f1f7115d16e65d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\winsxs\amd64_microsoft-windows-p..eercollab.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a744af73725f4418\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\winsxs\amd64_microsoft-windows-wmi-jobobject-provider_31bf3856ad364e35_6.1.7600.16385_none_c0e48a4441b3f2e7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\winsxs\wow64_microsoft-windows-fdbth_31bf3856ad364e35_6.1.7600.16385_none_b99bc62e8222687e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\winsxs\x86_microsoft-windows-smss.resources_31bf3856ad364e35_6.1.7600.16385_it-it_70eb57b08ab37f83\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\default.help.txt
File created: C:\Windows\winsxs\amd64_microsoft-windows-raschap_31bf3856ad364e35_6.1.7601.17514_none_70e508748dec0127\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\winsxs\amd64_microsoft-windows-s..ackgammon.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c2618715ea4ed58f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\winsxs\amd64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_29a18b107d8db6f9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\winsxs\x86_microsoft-windows-c..snapindll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5312ee2916e83600\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\winsxs\amd64_elxstor.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5d8ec86a967ce700\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\winsxs\amd64_microsoft-windows-d..airingdll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1b9ded448b012bcd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\winsxs\amd64_microsoft-windows-regsvr32.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_17bd3d576da3e539\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_jobs.help.txt
File opened for modification: C:\Windows\winsxs\amd64_microsoft-windows-e..ebargadgetresources_31bf3856ad364e35_6.1.7600.16385_none_88767a95b8bbf001\Gadget_Flyout_Thumbnail_Shadow.png
File created: C:\Windows\winsxs\amd64_microsoft-windows-o..iles-core.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_022879a9e697d06f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\winsxs\x86_microsoft-windows-s..mib-extension-agent_31bf3856ad364e35_6.1.7600.16385_none_7851d1737c2306e6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\inf\Windows Workflow Foundation 4.0.0.0\000C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\winsxs\amd64_microsoft-windows-i..libraries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ac2f25e3d4ed4318\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created:
C:\Windows\winsxs\amd64_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_d8a6fd49c39d02cf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe File created C:\Windows\winsxs\amd64_wiabr008.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8d8a6726ddfe1771\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe File created C:\Windows\winsxs\amd64_server-help-chm.connmgr.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2d0a8eccdd4b2925\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe File created C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-wmpps_31bf3856ad364e35_6.1.7601.17514_none_0cb05547529cd10e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe File created C:\Windows\winsxs\amd64_microsoft-windows-t..installer.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f1efd0d699a29b7b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe File created C:\Windows\winsxs\x86_microsoft-windows-s..-binaries.resources_31bf3856ad364e35_6.1.7601.17514_he-il_3dd459ed9f63fbca\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe File created C:\Windows\winsxs\amd64_microsoft-windows-s..mpropertieshardware_31bf3856ad364e35_6.1.7600.16385_none_9cef76e6ecab612f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe File created C:\Windows\winsxs\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_6.1.7600.16385_en-us_354c8605d3d714f3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe File created C:\Windows\winsxs\msil_system.workflow.activities.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b7e08f097bb8a20e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 
46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe File created C:\Windows\winsxs\wow64_networking-mpssvc-svc_31bf3856ad364e35_6.1.7600.16385_none_005dd77215ee863b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe File created C:\Windows\winsxs\x86_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1ba5473c786c35fa\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe File created C:\Windows\winsxs\amd64_microsoft-windows-c..andprompt.resources_31bf3856ad364e35_6.1.7601.17514_es-es_dd73408ba8b0aef2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe File created C:\Windows\winsxs\amd64_microsoft-windows-uiribbon.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2941032d040d3e65\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_locations.help.txt 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe File created C:\Windows\winsxs\x86_microsoft-windows-autochk.resources_31bf3856ad364e35_6.1.7600.16385_en-us_49645dc252e24b19\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe File created C:\Windows\winsxs\amd64_server-help-chm.reliab.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ab619c2e72ba7e23\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe File created C:\Windows\winsxs\wow64_microsoft-windows-w..pdateclient-activex_31bf3856ad364e35_7.5.7601.17514_none_b9a4b88eb4255dbf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\2ba6bf6e9258afde91ab81fad2d37469\ÊÀÊ 
ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe File created C:\Windows\winsxs\amd64_microsoft-windows-c..plus-setup-migregdb_31bf3856ad364e35_6.1.7600.16385_none_8945930a7d61b9f0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe File created C:\Windows\winsxs\amd64_microsoft-windows-font-fms.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7e0554d80f997b54\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..rofilerui.resources_31bf3856ad364e35_8.0.7600.16385_es-es_c0465df29516684d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe -
Modifies registry class 10 IoCs
Processes:
46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZCLMZNJFALTDUHQ\ = "CRYPTED!" 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZCLMZNJFALTDUHQ\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\57wobqhZ98OrXG8.exe,0" 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZCLMZNJFALTDUHQ\shell\open\command 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZCLMZNJFALTDUHQ\shell 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZCLMZNJFALTDUHQ\shell\open 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "ZCLMZNJFALTDUHQ" 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZCLMZNJFALTDUHQ 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZCLMZNJFALTDUHQ\DefaultIcon 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZCLMZNJFALTDUHQ\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\57wobqhZ98OrXG8.exe" 46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe "C:\Users\Admin\AppData\Local\Temp\46dd728e76fac2aa1abe753493026a5e2fcc4a9c879a33aab43d3c887649aac2.exe"
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1768