Analysis
max time kernel: 151s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-01-2023 21:01
Behavioral task behavioral1
Sample: 841f52f43cebec8602fee5688e076a6a24128fcd35969e85f9d921d467634d83.bin.exe
Resource: win7-20220812-en
Behavioral task behavioral2
Sample: 841f52f43cebec8602fee5688e076a6a24128fcd35969e85f9d921d467634d83.bin.exe
Resource: win10v2004-20220812-en
General
Target: 841f52f43cebec8602fee5688e076a6a24128fcd35969e85f9d921d467634d83.bin.exe
Size: 7KB
MD5: a29fc50d11f97997ce0c38ecd238355e
SHA1: 52e21efa1477c1bd269eddd91ae0a13d3e47e835
SHA256: 841f52f43cebec8602fee5688e076a6a24128fcd35969e85f9d921d467634d83
SHA512: a10afe7db8b8773f3fb8d728abb0b748a6dd6b41ef045f66eda00eaf09ea9603147c5477c3a56bf65add3716001a493880db50e93522d305e61db198284fde55
SSDEEP: 192:nzdrr1FG1WDCgmjPZEysGsXpFHL99oMUA:nprr1gkDCgS+dGWpFHL9KMB
Malware Config
Signatures
Detected Xorist Ransomware 2 IoCs
yara_rule family_xorist matched resource behavioral2/memory/5048-132-0x0000000000400000-0x000000000040C000-memory.dmp
yara_rule family_xorist matched resource behavioral2/memory/5048-133-0x0000000000400000-0x000000000040C000-memory.dmp
Xorist Ransomware
Xorist is a builder-generated ransomware family that has been in circulation since at least 2010; free decryptors exist for many of its variants, so an encrypted-file sample and the ransom note should be checked against them before any recovery decision is made.
Drops file in Drivers directory 8 IoCs
Process for every entry: 841f52f43cebec8602fee5688e076a6a24128fcd35969e85f9d921d467634d83.bin.exe
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt
File created C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
The note filename is kept here exactly as the en-US image logged it: its bytes are the CP1251 (Windows Cyrillic) spelling of "КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt" ("HOW TO DECRYPT FILES.txt") displayed through the CP1252 code page. A hunt or detection rule for the note should therefore match this mojibake spelling as well as the Cyrillic one, since which of the two lands on disk depends on the victim's ANSI code page.
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
Process: 841f52f43cebec8602fee5688e076a6a24128fcd35969e85f9d921d467634d83.bin.exe
File renamed C:\Users\Admin\Pictures\ConvertFromFind.png => C:\Users\Admin\Pictures\ConvertFromFind.png.tg
UPX packed file 2 IoCs
yara_rule upx matched resource behavioral2/memory/5048-132-0x0000000000400000-0x000000000040C000-memory.dmp
yara_rule upx matched resource behavioral2/memory/5048-133-0x0000000000400000-0x000000000040C000-memory.dmp
Drops startup file 1 IoCs
Process: 841f52f43cebec8602fee5688e076a6a24128fcd35969e85f9d921d467634d83.bin.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
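The two artifacts the report ties to this sample on disk are the ransom note (dropped into hundreds of directories, including the Startup folder) and user files renamed with a `.tg` suffix. The following Python script is an added example, not part of the sandbox report or of any vendor tooling: it builds a small constructed directory tree in a temporary folder that mirrors a few of the paths above, then scans it for both artifacts. It matches the note under the mojibake name the en-US image logged and under the Cyrillic name those bytes spell in CP1251, on the assumption (not stated in the report) that the sample writes the name through ANSI file APIs, so the on-disk spelling depends on the victim's code page. The `.tg` suffix is taken from the single rename the report shows.

```python
"""Hunt for the on-disk artifacts this report attributes to the Xorist sample.

Added example, not part of the sandbox report. It builds a constructed
directory tree in a temp folder and scans it for
  (a) the ransom note, under the name the en-US sandbox logged and under the
      Cyrillic name those same bytes spell in CP1251, and
  (b) user files renamed with the ".tg" suffix seen in the report.
Assumption (not stated in the report): the sample writes the note name via
ANSI file APIs, so the on-disk spelling depends on the victim's code page.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Note filename exactly as the report logs it (CP1251 bytes shown through CP1252).
NOTE_NAME_AS_LOGGED = "ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt"
# Extension appended to the one renamed user file in the report.
ENCRYPTED_SUFFIX = ".tg"


def recover_cyrillic_name(mojibake: str) -> str:
    """Re-encode the logged name as CP1252 bytes and decode them as CP1251."""
    return mojibake.encode("cp1252").decode("cp1251")


def note_name_variants() -> set[str]:
    """Both spellings a hunt must match: the mojibake form and the intended one."""
    return {NOTE_NAME_AS_LOGGED, recover_cyrillic_name(NOTE_NAME_AS_LOGGED)}


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk root; return POSIX-style relative paths of notes and renamed files."""
    variants = note_name_variants()
    notes: list[str] = []
    encrypted: list[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = Path(dirpath, name).relative_to(root).as_posix()
            if name in variants:
                notes.append(rel)
            elif name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(rel)
    return {"notes": sorted(notes), "encrypted": sorted(encrypted)}


def build_sample_tree(root: Path) -> None:
    """Constructed fixture mirroring a few paths from the report (no real malware)."""
    pictures = root / "Users/Admin/Pictures"
    pictures.mkdir(parents=True)
    (pictures / "ConvertFromFind.png.tg").write_bytes(b"\x00" * 32)  # renamed by the sample
    (pictures / "Untouched.png").write_bytes(b"\x89PNG\r\n\x1a\n")  # must not match
    drivers = root / "Windows/SysWOW64/drivers/en-US"
    drivers.mkdir(parents=True)
    (drivers / NOTE_NAME_AS_LOGGED).write_text("ransom note placeholder")
    startup = root / "Users/Admin/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
    startup.mkdir(parents=True)
    # The same bytes written on a CP1251 (Russian-locale) host carry this name instead.
    (startup / recover_cyrillic_name(NOTE_NAME_AS_LOGGED)).write_text("ransom note placeholder")


def run_demo() -> dict[str, list[str]]:
    """Build the fixture in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}:")
        for p in paths:
            print("  ", p)
```

Point `scan_tree` at a mounted image or a live volume root to hunt for real; the fixture only exists so the script runs offline. Matching on the suffix alone will also flag any legitimate `.tg` file, so treat those hits as candidates to triage, not as confirmed encryption.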
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.
No IoC is listed for this signature in the report; the hit is a behavioral heuristic and, given that the sample enumerates every directory on the volume, may simply reflect it walking into browser profile folders.
Adds Run key to start application 2 TTPs 2 IoCs
Process for both entries: 841f52f43cebec8602fee5688e076a6a24128fcd35969e85f9d921d467634d83.bin.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5vPl3Y4523Ek90l.exe"
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
The value lands under WOW6432Node, the key a 32-bit process writing HKLM\SOFTWARE\...\Run is redirected to on x64 Windows, so a persistence check must query both the native and the WOW6432Node Run keys. Writing under HKLM also requires the elevated context the sample ran in here. No creation of 5vPl3Y4523Ek90l.exe appears among the IoCs in this report, so confirm on the affected host whether the Run target actually exists.
Drops file in System32 directory 64 IoCs
Process for every entry: 841f52f43cebec8602fee5688e076a6a24128fcd35969e85f9d921d467634d83.bin.exe
File created C:\Windows\SysWOW64\InstallShield\setupdir\0011\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\InstallShield\setupdir\0416\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Storage\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\acpipagr.inf_amd64_a3248d35e6aba0f3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\c_cdrom.inf_amd64_f08f2fe1cde58aef\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\usbprint.inf_amd64_86cdf3e1f512cca1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\xusb22.inf_amd64_d0f2fd4c931f4672\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\acpidev.inf_amd64_0f7f041f33bd01cc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCClassResources\WindowsPackageCab\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_LogResource\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_9ab9cf10857f7349\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\rdpbus.inf_amd64_05ebd3b4422f62ba\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\CimCmdlets\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\Dism\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_PackageResource\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\athw8x.inf_amd64_55014eff4ceefbdf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\c_processor.inf_amd64_4431cc603de6e020\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\scrawpdo.inf_amd64_466615aad3be8e26\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\Speech\Engines\SR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSecurity\it\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\Configuration\Registration\MSFT_FileDirectoryConfiguration\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\c_usbdevice.inf_amd64_815550fc328ea85b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\netvwifimp.inf_amd64_ec11d0ad3c5b262a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\LogFiles\Scm\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\mdmnttme.inf_amd64_edc94fc65bef3d27\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ScriptResource\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\c_firmware.inf_amd64_36e4e17f210128ab\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\c_fscontentscreener.inf_amd64_bd1517e25f3e419f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\c_holographic.inf_amd64_6ab9629b23deb837\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\c_wceusbs.inf_amd64_1ba398d9da634d3f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\c_fssecurityenhancer.inf_amd64_e84a289dd0df20ff\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\mdmmot64.inf_amd64_2afbe7d3ad20f42a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_GroupResource\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\F12\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\InstallShield\setupdir\000e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSecurity\fr\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAll\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\Dism\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\mdmatm2k.inf_amd64_de71647ec29a6bc2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\nulhprs8.inf_amd64_e65ae5a38cb839e5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\tape.inf_amd64_bf051ca3546a5bf3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WindowsOptionalFeature\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ServiceResource\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WindowsOptionalFeature\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\c_usbfn.inf_amd64_64da5751ebd2f2f4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\net7800-x64-n650f.inf_amd64_178f1bdb49a6e2fd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\vsmraid.inf_amd64_3d2bbc45931b8232\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\oobe\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetQos\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\de-DE\Licenses\Volume\Professional\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\kdnic.inf_amd64_6649425cdcae9b5f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\megasas.inf_amd64_289e18fb610dd883\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\wsdscdrv.inf_amd64_416a5877e9180787\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSecurity\de\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForSome\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Windows\System32\DriverStore\FileRepository\61883.inf_amd64_789f35bee584a939\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
Drops file in Program Files directory 64 IoCs
Process for every entry: 841f52f43cebec8602fee5688e076a6a24128fcd35969e85f9d921d467634d83.bin.exe
File opened for modification C:\Program Files\7-Zip\Lang\pt.txt
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-400.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\snooze.contrast-white.png
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ru-ru\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Google.scale-300.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-20_contrast-high.png
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSmallTile.scale-400.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\images\PayLockScreenLogo.scale-200.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-125_contrast-black.png
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\illustrations.png
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedWideTile.scale-100.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Eye.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-48_altform-lightunplated.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-16_altform-unplated_contrast-white.png
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-36_altform-unplated.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\12.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-200.png
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\mk-MK\View3d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageSmallTile.scale-125.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Tented\TentDialogDesktop_456x100.png
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSplashLogo.scale-150.png
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCache.scale-125.png
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-200.png
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\editvideoimage.png
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageMedTile.scale-400_contrast-white.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-200_contrast-white.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square310x310\PaintLargeTile.scale-400.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageLargeTile.scale-100.png
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeLargeTile.scale-125.png
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailWideTile.scale-400.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\MedTile.scale-100.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-60_altform-fullcolor.png
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\FetchingMail.scale-200.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-200_contrast-black.png
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\SmallTile.scale-125.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-16_altform-unplated.png
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\cloud_icon.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorStoreLogo.contrast-white_scale-200.png
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeMediumTile.scale-200.png
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\eu-es\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\THMBNAIL.PNG
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Wide310x150Logo.scale-150.png
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\km-KH\View3d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageMedTile.scale-125.png
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_should.help.txt
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ko-kr\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_contrast-black.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-125.png
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-256.png
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FetchingMail.scale-125.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookMedTile.scale-400.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeAppList.scale-100_contrast-white.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\WorldClockLargeTile.contrast-white_scale-200.png
Drops file in Windows directory 64 IoCs
-
Modifies registry class 10 IoCs
Process (all entries): 841f52f43cebec8602fee5688e076a6a24128fcd35969e85f9d921d467634d83.bin.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MNTKGDXODBUCVOD\shell
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.tg\ = "MNTKGDXODBUCVOD"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MNTKGDXODBUCVOD
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MNTKGDXODBUCVOD\ = "CRYPTED!"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MNTKGDXODBUCVOD\shell\open\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MNTKGDXODBUCVOD\shell\open
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MNTKGDXODBUCVOD\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5vPl3Y4523Ek90l.exe"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.tg
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MNTKGDXODBUCVOD\DefaultIcon
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MNTKGDXODBUCVOD\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5vPl3Y4523Ek90l.exe,0"
Processes
-
C:\Users\Admin\AppData\Local\Temp\841f52f43cebec8602fee5688e076a6a24128fcd35969e85f9d921d467634d83.bin.exe "C:\Users\Admin\AppData\Local\Temp\841f52f43cebec8602fee5688e076a6a24128fcd35969e85f9d921d467634d83.bin.exe"
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID: 5048