Analysis
max time kernel: 145s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 08-11-2022 16:17
Behavioral task
behavioral1
Sample
a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c.exe
Resource
win10v2004-20220812-en
General
Target: a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c.exe
Size: 7KB
MD5: 0fbf8c91afd09939c5ad7edc5ebb3c62
SHA1: a13a0edaf4b9619d594ea661f210d398bb48ff9e
SHA256: a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c
SHA512: 8fb679351d55c7af5a592f5532d004a827d04ae14c42b25726402876428ff50a679656ed845a8b8d661952af9ad1da76497598a7bfc58e02dd769907c50cff40
SSDEEP: 192:Cxzdrr1FG1WDCgmjPZUCFiwmNVlxGMUA:sprr1gkDCgS9FiwcAMB
Malware Config
Signatures
-
Detected Xorist Ransomware 2 IoCs
Processes:
resource: behavioral1/memory/1112-55-0x0000000000400000-0x000000000040C000-memory.dmp | yara_rule: family_xorist
resource: behavioral1/memory/1112-56-0x0000000000400000-0x000000000040C000-memory.dmp | yara_rule: family_xorist
Xorist Ransomware
Xorist is a ransomware first seen in 2020.
-
Drops file in Drivers directory 8 IoCs
Processes:
resource: behavioral1/memory/1112-55-0x0000000000400000-0x000000000040C000-memory.dmp | yara_rule: upx
resource: behavioral1/memory/1112-56-0x0000000000400000-0x000000000040C000-memory.dmp | yara_rule: upx
Drops startup file 1 IoCs
Processes: a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c.exe
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
process: a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c.exe
description: Key created
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
process: a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\t5Igu5hV8iEnx0k.exe"
process: a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c.exe
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c.exe File opened for modification C:\Windows\Media\Characters\Windows Logoff Sound.wav a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c.exe File created C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole\3.0.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c.exe File created C:\Windows\assembly\GAC_MSIL\system.identitymodel.selectors.resources\3.0.0.0_es_b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Printing\00232ece6fbf0584e184386c7ac94b51\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c.exe File created C:\Windows\inf\.NET CLR Networking 4.0.0.0\0416\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c.exe File created C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources\1.0.0.0_es_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c.exe File created C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.InfoPath\14.0.0.0__71e9bce111e9429c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\Fonts\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c.exe File created C:\Windows\assembly\GAC_MSIL\SMDiagnostics\3.0.0.0__b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c.exe -
Modifies registry class 10 IoCs
Processes:
a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "KDURWVJJQCGUFCX" | a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KDURWVJJQCGUFCX\ = "CRYPTED!" | a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KDURWVJJQCGUFCX\shell\open\command | a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KDURWVJJQCGUFCX\shell | a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KDURWVJJQCGUFCX\shell\open | a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KDURWVJJQCGUFCX\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\t5Igu5hV8iEnx0k.exe" | a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd | a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KDURWVJJQCGUFCX | a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KDURWVJJQCGUFCX\DefaultIcon | a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KDURWVJJQCGUFCX\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\t5Igu5hV8iEnx0k.exe,0" | a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c.exe
"C:\Users\Admin\AppData\Local\Temp\a3ab525165a12084496992acc2e98b6acab1d89ec60f40faac5103090b0c9d6c.exe"
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1112