Analysis
max time kernel: 99s
max time network: 52s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 21-11-2022 17:22
Behavioral task: behavioral1
Sample: 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe
Resource: win7-20220901-en
Behavioral task: behavioral2
Sample: 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe
Resource: win10v2004-20221111-en
General
Target: 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe
Size: 39KB
MD5: 1222ed64e9e26f248791d66485906363
SHA1: c65e557698063038ede9ac2c20fa08deb5a86fa3
SHA256: 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c
SHA512: 8a29c1bd848414c84b882c899c81fab6d4e02f36f7a3c17d5c5c189a1d1fa8187fd4a6751584af85ad04c7c7fe161b7aac4b1527c7248cfbb7b0066d8155724d
SSDEEP: 384:1ebFNw4Pk1itKkpAjjalrhVl8MqYvjSo1OkDCgSrN1w+MB:10FmBkpKjWQPY7fDCbNin
Malware Config
Signatures
Detected Xorist Ransomware 3 IoCs
Processes (resource: yara_rule):
behavioral1/memory/1268-55-0x0000000000400000-0x000000000040C000-memory.dmp: family_xorist
behavioral1/memory/1268-56-0x0000000000400000-0x000000000040C000-memory.dmp: family_xorist
behavioral1/memory/1268-57-0x0000000000400000-0x000000000040C000-memory.dmp: family_xorist
Xorist Ransomware
Xorist is a ransomware first seen in 2020.
Drops file in Drivers directory 8 IoCs
Processes: 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe (description: ioc)
File created: C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created: C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification: C:\Windows\SysWOW64\drivers\gmreadme.txt
Processes (resource: yara_rule):
behavioral1/memory/1268-55-0x0000000000400000-0x000000000040C000-memory.dmp: upx
behavioral1/memory/1268-56-0x0000000000400000-0x000000000040C000-memory.dmp: upx
behavioral1/memory/1268-57-0x0000000000400000-0x000000000040C000-memory.dmp: upx
Drops startup file 1 IoCs
Processes: 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe (description: ioc)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe (description: ioc)
Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EyB1f6FNc13b72W.exe"
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
C:\Windows\winsxs\amd64_microsoft-windows-g..maker-mof.resources_31bf3856ad364e35_6.1.7600.16385_de-de_53342206814a494e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..l-soundthemes-delta_31bf3856ad364e35_6.1.7600.16385_none_fbf7e0678b64a4b8\Windows Pop-up Blocked.wav 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe File created C:\Windows\winsxs\amd64_prnca00e.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_bc7f0d25ccf91a58\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe File created C:\Windows\Microsoft.NET\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe File created C:\Windows\winsxs\amd64_microsoft-windows-l..-startere.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_15e4306ea29e7ff3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe File created C:\Windows\winsxs\amd64_netbc664.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3504beafa788c5aa\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-gadgets-rssfeedsgadget_31bf3856ad364e35_6.1.7600.16385_none_ab6782291b0ca7be\rssBackBlue_Undocked.png 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe File created C:\Windows\winsxs\amd64_wpdmtphw.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45991053c01b5b96\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe File created C:\Windows\winsxs\x86_microsoft-windows-r..izard-mui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bd1c3e09bfbd3cc6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe File created 
C:\Windows\winsxs\amd64_microsoft-windows-t..pulations.resources_31bf3856ad364e35_6.1.7600.16385_en-us_864a84afd1bdd008\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe File created C:\Windows\winsxs\msil_system.web.entity.design.resources_b77a5c561934e089_6.1.7600.16385_ja-jp_9b4ae10f336d41f2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe File created C:\Windows\winsxs\x86_microsoft-windows-m..ionengine.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_bfa0b1bb9becac9f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe File created C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.Word\14.0.0.0__71e9bce111e9429c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe File created C:\Windows\winsxs\amd64_microsoft-windows-m..tings-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9c2860b4bd838590\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe File created C:\Windows\winsxs\amd64_microsoft-windows-rasapi.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b8c6df2cd7182bac\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe File created C:\Windows\winsxs\x86_microsoft-windows-a..oldertool.resources_31bf3856ad364e35_6.1.7600.16385_es-es_12f2096cfbd83f09\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe File created C:\Windows\winsxs\x86_microsoft-windows-d..vices-sam.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a1015dbc6af5f9e3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe File created 
C:\Windows\winsxs\amd64_microsoft-windows-ehome-cbva.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c55f12c8c3b85489\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe File created C:\Windows\winsxs\amd64_microsoft-windows-t..k-softkbd.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2204231a1958833a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe -
Modifies registry class 10 IoCs
Processes:
52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GNWKXAYEWMCZSYC\ = "CRYPTED!" 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GNWKXAYEWMCZSYC\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EyB1f6FNc13b72W.exe,0" 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GNWKXAYEWMCZSYC\shell\open\command 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Binwu 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Binwu\ = "GNWKXAYEWMCZSYC" 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GNWKXAYEWMCZSYC 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GNWKXAYEWMCZSYC\DefaultIcon 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GNWKXAYEWMCZSYC\shell 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GNWKXAYEWMCZSYC\shell\open 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GNWKXAYEWMCZSYC\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EyB1f6FNc13b72W.exe" 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe
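What the two tables above record, read together: the sample drops one copy of the same ransom note into every directory it visits, opens a handful of non-note files for modification, and then registers a file association for the .Binwu extension. The extension's ProgID GNWKXAYEWMCZSYC carries the Explorer type name "CRYPTED!" and both its DefaultIcon and its shell\open\command point at C:\Users\Admin\AppData\Local\Temp\EyB1f6FNc13b72W.exe, so double-clicking any file carrying that extension launches that executable. The note's filename as shown here is a code-page artefact: the sample writes a CP1251 (Russian) name through the ANSI API and the en-US VM renders the bytes as CP1252. The script below is an added example written for this page, not Triage's own parsing logic: it turns report rows into structured IoCs, recovers the intended note name, and follows the extension to ProgID to handler chain, flagging a handler that lives under a user profile. The sample rows embedded in it are copied from the tables above; the row grammar and the user-profile heuristic are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: rows copied from the report tables. The 'process'
# column is the sample's SHA-256 name plus '.exe'. Raw strings keep the
# report's backslashes and doubled backslashes exactly as rendered.
FILE_ROWS = r"""
File created C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe
File created C:\Windows\inf\RemoteAccess\0000\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe
File opened for modification C:\Windows\Media\Heritage\Windows Feed Discovered.wav 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe
"""

REG_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GNWKXAYEWMCZSYC\ = "CRYPTED!" 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GNWKXAYEWMCZSYC\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EyB1f6FNc13b72W.exe,0" 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Binwu 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Binwu\ = "GNWKXAYEWMCZSYC" 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GNWKXAYEWMCZSYC\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EyB1f6FNc13b72W.exe" 52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe
"""

CLASSES_PREFIX = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\"
# Assumed row grammar: '<action> <path with spaces> <process>.exe'.
FILE_RE = re.compile(r"^(File created|File opened for modification) (.+) (\S+\.exe)$")
SET_RE = re.compile(r'^Set value \(str\) (\S+) = "(.*)" (\S+\.exe)$')


def parse_file_rows(text):
    """Return (action, path, process) tuples for each file-activity row."""
    rows = []
    for line in text.strip().splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows


def ransom_note_name(rows):
    """Basename created most often: Xorist writes one note per directory,
    so the note dominates the 'File created' rows."""
    names = Counter(path.rsplit("\\", 1)[-1]
                    for action, path, _ in rows if action == "File created")
    return names.most_common(1)[0][0]


def decode_mojibake(name, shown_as="cp1252", really="cp1251"):
    """Undo the sandbox rendering: re-encode the displayed Latin text with the
    VM's code page, then decode the bytes as the code page the author used."""
    return name.encode(shown_as).decode(really)


def modified_targets(rows):
    """Files the sample opened for modification: the likely encryption targets."""
    return [path for action, path, _ in rows if action == "File opened for modification"]


def parse_registry_rows(text):
    """Map Classes-relative key path -> default value for each 'Set value' row.
    'Key created' rows carry no data and are skipped."""
    values = {}
    for line in text.strip().splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue
        key, value, _ = m.groups()
        if key.startswith(CLASSES_PREFIX):
            key = key[len(CLASSES_PREFIX):]
        values[key.rstrip("\\")] = value.replace("\\\\", "\\")  # un-double the rendered backslashes
    return values


def association_hijack(values):
    """Follow extension -> ProgID -> shell\\open\\command. A handler under a
    user profile (AppData) for a ProgID registered under HKLM is a strong
    anomaly (heuristic assumed by this example)."""
    for key, progid in values.items():
        if not key.startswith("."):
            continue
        handler = values.get(progid + "\\shell\\open\\command", "")
        return {
            "extension": key,
            "progid": progid,
            "description": values.get(progid, ""),
            "handler": handler,
            "handler_in_user_profile": "\\AppData\\" in handler,
        }
    return None


if __name__ == "__main__":
    rows = parse_file_rows(FILE_ROWS)
    note = ransom_note_name(rows)
    print("ransom note:", note, "->", decode_mojibake(note))
    print("modified:", modified_targets(rows))
    print("association:", association_hijack(parse_registry_rows(REG_ROWS)))
```

The decoded note name reads "КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt" ("HOW TO DECRYPT FILES.txt"); hunting for either spelling is necessary, because the on-disk name depends on the victim's ANSI code page. On a live host the same walk is HKLM:\SOFTWARE\Classes\<ext> default value, then that ProgID's shell\open\command, and the tell is the same: a handler under C:\Users\...\AppData rather than under Program Files or Windows. Note that the handler name EyB1f6FNc13b72W.exe differs from the sample's own name; this section of the report does not show how that file came to exist, so treat it as a second artefact to collect, not as a proven copy of the sample.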
Processes
-
C:\Users\Admin\AppData\Local\Temp\52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe "C:\Users\Admin\AppData\Local\Temp\52770470fe58b193e9a25248cb257e4ffb898ebc281e1b34efdc42fbc0352d1c.exe"
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1268