Analysis
max time kernel: 148s
max time network: 31s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 21-11-2022 17:22
Behavioral task: behavioral1
Sample: dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe
Resource: win10v2004-20221111-en
General
Target: dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe
Size: 7KB
MD5: 040d31fee8dc69b4c0585494696d4a50
SHA1: 9434a9b4f3e17a66de0ca3f7c1fd4d5e88ddc188
SHA256: dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3
SHA512: ee18c862771ce6ca126bf33e701fac2a2281e17fe550f31f8352ac20137a9744ee9e96007007d8a5f1dccb034e61b17b83a015752c2da0a16635f24f974125ca
SSDEEP: 96:FpLZhl8wdS+r3yOYW189fTwUVF0CWHyjk8P1LOmjXfihEx1TaCy4oTQeINBXlqfi:zzdrr1FG1WDCgmjPZ1kANVl05MUA
Malware Config
Signatures
Detected Xorist Ransomware (2 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1720-55-0x0000000000400000-0x000000000040C000-memory.dmp | family_xorist
behavioral1/memory/1720-56-0x0000000000400000-0x000000000040C000-memory.dmp | family_xorist
Xorist Ransomware
Xorist is a ransomware family first seen in 2020.
Drops file in Drivers directory (8 IoCs)
Processes:
dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe
description | ioc
File created | C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt
File created | C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
Processes:
resource | yara_rule
behavioral1/memory/1720-55-0x0000000000400000-0x000000000040C000-memory.dmp | upx
behavioral1/memory/1720-56-0x0000000000400000-0x000000000040C000-memory.dmp | upx
Drops startup file (1 IoC)
Processes:
dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe
description | ioc
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe
description | ioc
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xFYWU9X9m7k3f76.exe"
Drops file in System32 directory (64 IoCs)
Processes:
dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe
description | ioc
File opened for modification | C:\Windows\SysWOW64\de-DE\erofflps.txt
File created | C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_neutral_ea1c8215e52777a6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Ultimate\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_regular_expressions.help.txt
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_PSSnapins.help.txt
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_scopes.help.txt
File created | C:\Windows\SysWOW64\en-US\Licenses\OEM\Professional\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\SysWOW64\ja-JP\Licenses\_Default\HomePremiumN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_WS-Management_Cmdlets.help.txt
File created | C:\Windows\System32\DriverStore\FileRepository\mdmbw561.inf_amd64_neutral_fe42c0ff14d5562b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\System32\DriverStore\FileRepository\mdmcrtix.inf_amd64_neutral_e91a5dc0655e200a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnge001.inf_amd64_neutral_cfffa4143b3c4592\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnlx00x.inf_amd64_neutral_808baf4e08594a59\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\SysWOW64\it\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_If.help.txt
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_arrays.help.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnfx002.inf_amd64_neutral_b6dd354531184f64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prngt003.inf_amd64_neutral_8c9aae54a5673a35\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-DHCPServerMigPlugin-DL\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Language_Keywords.help.txt
File created | C:\Windows\System32\DriverStore\FileRepository\wsdscdrv.inf_amd64_neutral_47406488f9e8d5b8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\SysWOW64\ja-JP\Licenses\eval\Enterprise\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_prompts.help.txt
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnca00h.inf_amd64_neutral_96a8e38189e54d71\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\SysWOW64\es-ES\Licenses\eval\HomeBasic\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\SysWOW64\Speech\SpeechUX\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_scripts.help.txt
File created | C:\Windows\System32\DriverStore\FileRepository\iirsp.inf_amd64_neutral_25c14d33af7f54f1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_arrays.help.txt
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_modules.help.txt
File created | C:\Windows\SysWOW64\en-US\Licenses\OEM\ProfessionalE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\SysWOW64\fr-FR\Licenses\OEM\HomeBasic\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\SysWOW64\it-IT\Licenses\OEM\ProfessionalN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\SysWOW64\migwiz\replacementmanifests\Usb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_functions_cmdletbindingattribute.help.txt
File created | C:\Windows\System32\DriverStore\FileRepository\hiddigi.inf_amd64_neutral_12aaf5742a9969da\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnrc005.inf_amd64_neutral_31e08a1c2f933124\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\SysWOW64\ja-JP\Licenses\_Default\HomeBasicN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_remote.help.txt
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Break.help.txt
File created | C:\Windows\SysWOW64\wbem\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_preference_variables.help.txt
File created | C:\Windows\System32\DriverStore\FileRepository\dot4.inf_amd64_neutral_b89cfac15ccb2fba\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnep00c.inf_amd64_neutral_f0d9ddf52f04765c\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\System32\DriverStore\FileRepository\umbus.inf_amd64_neutral_2d4257afa2e35253\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\SysWOW64\fr-FR\Licenses\eval\HomePremiumN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_trap.help.txt
File created | C:\Windows\System32\DriverStore\FileRepository\megasr.inf_amd64_neutral_30b367f92ca46598\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\System32\LogFiles\Scm\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prngt004.inf_amd64_neutral_f5bf8a7ba9dfff55\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_neutral_aad30bdeec04ea5e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\SysWOW64\en-US\Licenses\_Default\EnterpriseN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\SysWOW64\fr-FR\Licenses\eval\EnterpriseE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\SysWOW64\WCN\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Comparison_Operators.help.txt
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_pssessions.help.txt
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_wildcards.help.txt
File created | C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomePremiumN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\SysWOW64\Speech\SpeechUX\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_functions_advanced.help.txt
File created | C:\Windows\SysWOW64\ras\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
Drops file in Program Files directory (64 IoCs)
Processes:
dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe
description | ioc
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_OliveGreen.gif
File opened for modification | C:\Program Files\7-Zip\Lang\fr.txt
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-image-mask.png
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\8.png
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_left.png
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_left.png
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Garden.jpg
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR42F.GIF
File created | C:\Program Files\Microsoft Games\Solitaire\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssBackBlue_Undocked.png
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_hail.png
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14531_.GIF
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_right.png
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_up.png
File created | C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\THMBNAIL.PNG
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_pressed.gif
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt
File created | C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIcons.jpg
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBlankPage.html
File created | C:\Program Files\Microsoft Games\FreeCell\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Program Files\Windows Mail\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02071U.BMP
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Person.gif
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageAttachmentIconImages.jpg
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115834.GIF
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\DRUMROLL.WAV
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.lnk
File created | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\settings.html
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\glass.png
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\5.png
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-highlight.png
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial.png
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21297_.GIF
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\HEADER.GIF
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\1047x576black.png
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_specialocc_Thumbnail.bmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square.png
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\RSSFeeds.html
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\glass.png
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_rest.png
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\32.png
File created | C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMask.bmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\HEADING.JPG
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref.wmv
File opened for modification | C:\Program Files\VideoLAN\VLC\README.txt
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_h.png
Drops file in Windows directory (64 IoCs)
Processes:
dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe
description | ioc
File created | C:\Windows\winsxs\amd64_microsoft-windows-winsrv.resources_31bf3856ad364e35_6.1.7600.16385_it-it_2668fa91e847ecd8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\winsxs\amd64_mdmmoto1.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c4dec4cce2efc8ed\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-ncrypt-dll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c2b3ed24e8d05a05\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-ie-ielowutil_31bf3856ad364e35_8.0.7600.16385_none_7d25450501edb94f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_remote_jobs.help.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-p..topeerdrt.resources_31bf3856ad364e35_6.1.7600.16385_it-it_0e8f5c6d257ed0ee\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\winsxs\amd64_nete1e3e.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c3abf0ccca994d2d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\winsxs\amd64_scrawpdo.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1b1933bc3ec5fa0e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-a..orecodecs.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_42944333cf641a7b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-calendar_31bf3856ad364e35_6.1.7600.16385_none_6a1946701e0df451\rings-dock.png
File created | C:\Windows\winsxs\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_6.1.7601.17514_none_e501f8e06b32b48f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_wildcards.help.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-t..xtensions.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1e51e097f681b2ea\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-tapi3_31bf3856ad364e35_6.1.7601.17514_none_bf6eb739a62ff7fc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\winsxs\amd64_prnbr007.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_da33b19637d1b2a8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\(144DPI)alertIcon.png
File created | C:\Windows\winsxs\amd64_microsoft-windows-live-services_31bf3856ad364e35_6.1.7600.16385_none_31a075c6a5802364\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\winsxs\amd64_mdmbr008.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e8ce2302ca312fcf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-travel_31bf3856ad364e35_6.1.7600.16385_none_f2a7c66510a5395d\16_9-frame-background.png
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_Automatic_Variables.help.txt
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Windows Information Bar.wav
File created | C:\Windows\winsxs\amd64_microsoft-windows-w..ifffilter-licensing_31bf3856ad364e35_6.1.7600.16385_none_7c918ba35c1353e0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\winsxs\amd64_prnca003.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e02d45d5c13a66cf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\inf\Windows Workflow Foundation 4.0.0.0\0416\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\45.png
File created | C:\Windows\winsxs\amd64_microsoft-windows-m..-core-dll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e0184e3b8b1d379f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\winsxs\amd64_netfx-sys_windows_forms_tlb_b03f5f7f11d50a3a_6.1.7600.16385_none_24b8f009e5bf3817\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-rssfeedsgadget_31bf3856ad364e35_6.1.7600.16385_none_07861dacd36a18f4\rssLogo.gif
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-pets_31bf3856ad364e35_6.1.7600.16385_none_d0d7ee773d711005\Scenes_INTRO_BG.wmv
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\403-8.htm
File created | C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-help-basics.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f60bc67973c6a0ee\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-inkwatson-adm_31bf3856ad364e35_6.1.7600.16385_none_cb492fa0b0955062\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-usertiles_31bf3856ad364e35_6.1.7600.16385_none_f385bacaa98d1e8b\usertile42.bmp
File created | C:\Windows\winsxs\amd64_microsoft-windows-video-for-windows_31bf3856ad364e35_6.1.7601.17514_none_f057f61a9f619e2a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.Resources\1.0.0.0_de_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-d..iagnostic.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_51f071732af187ff\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-help-ripbsyn.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3eae274bc8057a96\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-au-component_31bf3856ad364e35_6.1.7601.17514_none_36a5754e72dd8aff\AU-wp3.jpg
File created | C:\Windows\winsxs\amd64_microsoft-windows-rasapi.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4571a856a1431931\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-w32time-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0999fa49c6d6121b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created
C:\Windows\winsxs\amd64_server-help-chm.sua_lh.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3ae8c923b696f7c8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe File created C:\Windows\winsxs\amd64_wiabr006.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_79ce973ec0c7f046\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe File created C:\Windows\inf\aspnet_state\0006\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe File created C:\Windows\winsxs\amd64_microsoft-windows-cttunesvr.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c22dd0d9610ae7f3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe File created C:\Windows\winsxs\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7871ea5b49da50fd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe File created C:\Windows\winsxs\amd64_microsoft-windows-console.resources_31bf3856ad364e35_6.1.7600.16385_de-de_31259e1e6d22b96a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..henticationbinaries_31bf3856ad364e35_6.1.7600.16385_none_c4d1464ab88fbcb4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_Automatic_Variables.help.txt dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe File created C:\Windows\winsxs\amd64_microsoft-windows-rpc-ns_31bf3856ad364e35_6.1.7600.16385_none_6e373d76ecf0acac\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe File created 
C:\Windows\winsxs\amd64_microsoft-windows-wlanpref.resources_31bf3856ad364e35_6.1.7600.16385_en-us_50c0df8c012149f5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data.OracleC#\89eae0aa2c0c6d4678ccffdc84fcc410\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe File created C:\Windows\winsxs\amd64_iastorv.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_44b449fe9bd5c013\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe File opened for modification C:\Windows\Media\Garden\Windows Feed Discovered.wav dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe File created C:\Windows\winsxs\amd64_hiddigi.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_92ad03dcf04ab8c1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe File created C:\Windows\winsxs\amd64_microsoft-windows-u..ackup-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_596a506707842d2c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe File created C:\Windows\winsxs\amd64_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7601.17514_it-it_28cec6630be7b1d3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe File created C:\Windows\winsxs\amd64_microsoft-windows-xmllite_31bf3856ad364e35_6.1.7600.16385_none_e5307039bcff94de\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe File created C:\Windows\winsxs\amd64_vhdmp.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_752dbd108feaf8dd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe File created C:\Windows\IME\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe File 
created C:\Windows\Media\Festival\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe File created C:\Windows\winsxs\amd64_microsoft-windows-m..vider-rll.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_76c538b8c1054321\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe -
Modifies registry class 10 IoCs
Processes:
dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QJMEELMBVJVHQYV\shell dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QJMEELMBVJVHQYV\shell\open dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Zalk\ = "QJMEELMBVJVHQYV" dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QJMEELMBVJVHQYV\ = "CRYPTED!" dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QJMEELMBVJVHQYV\DefaultIcon dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QJMEELMBVJVHQYV\shell\open\command dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Zalk dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QJMEELMBVJVHQYV dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QJMEELMBVJVHQYV\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xFYWU9X9m7k3f76.exe,0" dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QJMEELMBVJVHQYV\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xFYWU9X9m7k3f76.exe" dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe
"C:\Users\Admin\AppData\Local\Temp\dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3.exe"
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1720