1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690

Resubmissions

02-02-2023 15:10

230202-skgffsad87 10

30-01-2023 21:04

30-01-2023 19:19

30-01-2023 19:18

30-01-2023 19:16

30-01-2023 16:57

Analysis

max time kernel
139s
max time network
36s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
30-01-2023 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
Size

1.5MB
MD5

fee7c379f3a555c5c821e872ec384a91
SHA1

7346e2e29faddd63ae5c610c07acab46b2b1b176
SHA256

1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690
SHA512

5daecbea4102f9b6c431afa1d6d5bb196594e7c9640d7a8b388669268d737d6e4277797504a86169b410ccf3cd6e92e0c55065d15a495a398bc27607567d1497
SSDEEP

24576:uSR66R9LwWCc9FFZUZVClJYkLbdf/nixuiO4DGDGW3628rKR1q+ClmJcpd++GMzr:uQvL9SWTVilyfMFo8D1b

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops file in Drivers directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\CloseEnter.tiff	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Admin\Pictures\FormatStop.tiff	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Media\Raga\Desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VYXNV57O\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Media\Landscape\Desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Public\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Media\Sonata\Desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Media\Desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Media\Garden\Desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C01KGG1N\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Media\Heritage\Desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Media\Savanna\Desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CYEXZCX2\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Media\Afternoon\Desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5P6A77JB\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Media\Quirky\Desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MQOSCM62\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+5	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Selectors.Resources.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)alertIcon.png	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341742.JPG	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02265_.WMF	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01751_.GIF	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBCOLOR.SCM	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\wsdetect.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR10F.GIF	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Dhaka	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\gadget.xml	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00148_.WMF	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382967.JPG	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21348_.GIF	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_COL.HXT	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\TAB_ON.GIF	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rarrow.gif	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR47B.GIF	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-queries.xml	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Java\jre7\bin\wsdetect.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_rest.png	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0282126.WMF	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382925.JPG	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00257_.WMF	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0285410.WMF	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\weather.js	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\drag.png	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security_1.2.0.v20130424-1801.jar	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jaas_nt.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Noronha	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\de-DE\wordpad.exe.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cayenne	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH02313_.WMF	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\ReachFramework.resources.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\info.png	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00455_.WMF	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_ja.jar	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02886_.WMF	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME42.CSS	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\CLICK.WAV	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Enderbury	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\picturePuzzle.css	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSPTLS.DLL	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198102.WMF	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB_COL.HXC	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXSEC32.DLL	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\5.png	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR46F.GIF	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\DBGHELP.DLL	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\messageboxerror.ico	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Marketing Projects.accdt	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-compat.xml	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask_PAL.wmv	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxslt.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Noumea	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_bkg.png	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00260_.WMF	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099169.WMF	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CONTACT.CFG	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\bdcmetadataresource.xsd	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\85s1255.fon	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\manageAllRoles.aspx.es.resx	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Fonts\vgaf1255.fon	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallMembership.sql	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\it\System.Messaging.Resources.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\WPF\es-ES\PresentationHostDLL.dll.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Runtime.Serialization.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\hu-HU_BitLockerToGo.exe.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Media\recycle.wav	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\es\MSBuild.resources.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Boot\EFI\hu-HU\bootmgfw.efi.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Help\Windows\de-DE\fstexp.h1s	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Media\Garden\Windows Logon Sound.wav	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\es\infocard.resources.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Fonts\kokila.ttf	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Help\Windows\de-DE\hhomeue.h1s	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Help\Windows\de-DE\netproj.h1s	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Help\mui\0411\taskscheduler.CHM	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\AppCompat\Programs\RecentFileCache.bcf	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Help\Windows\de-DE\secpriv.h1s	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Help\Windows\fr-FR\medctr.h1s	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Help\mui\0409\wmicontrol.CHM	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Help\mui\040C\msorcl32.chm	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\DE\System.Web.Resources.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\1040\vbc7ui.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\SQL\fr\DropSqlPersistenceProviderSchema.sql	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Help\Windows\fr-FR\artcon5.h1s	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Media\Quirky\Windows Navigation Start.wav	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\GAC\de\Microsoft.VisualBasic.Compatibility.Data.resources.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Roles\manageSingleRole.aspx	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\SbsNclPerf.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\wpfgfx_v0400.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Help\Windows\es-ES\diskcln.h1s	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Media\Afternoon\Windows Pop-up Blocked.wav	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\findUsers.aspx.resx	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\AppPatch\fr-FR\AcRes.dll.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Fonts\85f1256.fon	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Help\Windows\en-US\offline.h1s	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Help\Windows\fr-FR\browser.h1s	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Help\Windows\fr-FR\deskpr.h1s	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\System.Security.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\legacy.web_lowtrust.config.default	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Cursors\size2_il.cur	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Help\mui\0410\comexp.CHM	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\es\System.Transactions.resources.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\it\Microsoft.Build.Engine.resources.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\setUpAuthentication.aspx	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Help\Windows\es-ES\helpplc.h1s	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Help\Windows\fr-FR\appwin.h1s	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Help\mui\0410\perfmon.CHM	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Installer\31a4.msi	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\fr-FR_BitLockerToGo.exe.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Boot\EFI\it-IT\bootmgfw.efi.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\CA-wp3.jpg	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Help\Windows\en-US\wasw.h1s	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Help\Windows\es-ES\playing.H1S	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Help\mui\0411\inetsrvmmc.CHM	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\IME\IMETC10\DICTS\IMTCLS.IMD	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Installer\7d62.msi	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\es\System.EnterpriseServices.Resources.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\it\System.Web.Services.Resources.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Cursors\cross_im.cur	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\Media\ir_begin.wav	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1528	1236	WerFault.exe	17

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	832	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
Token: SeSecurityPrivilege	832	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
Token: SeRestorePrivilege	832	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
Token: SeBackupPrivilege	832	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
Token: SeShutdownPrivilege	832	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
Token: SeIncreaseQuotaPrivilege	1156	wmic.exe
Token: SeSecurityPrivilege	1156	wmic.exe
Token: SeTakeOwnershipPrivilege	1156	wmic.exe
Token: SeLoadDriverPrivilege	1156	wmic.exe
Token: SeSystemProfilePrivilege	1156	wmic.exe
Token: SeSystemtimePrivilege	1156	wmic.exe
Token: SeProfSingleProcessPrivilege	1156	wmic.exe
Token: SeIncBasePriorityPrivilege	1156	wmic.exe
Token: SeCreatePagefilePrivilege	1156	wmic.exe
Token: SeBackupPrivilege	1156	wmic.exe
Token: SeRestorePrivilege	1156	wmic.exe
Token: SeShutdownPrivilege	1156	wmic.exe
Token: SeDebugPrivilege	1156	wmic.exe
Token: SeSystemEnvironmentPrivilege	1156	wmic.exe
Token: SeRemoteShutdownPrivilege	1156	wmic.exe
Token: SeUndockPrivilege	1156	wmic.exe
Token: SeManageVolumePrivilege	1156	wmic.exe
Token: 33	1156	wmic.exe
Token: 34	1156	wmic.exe
Token: 35	1156	wmic.exe
Token: SeIncreaseQuotaPrivilege	1156	wmic.exe
Token: SeSecurityPrivilege	1156	wmic.exe
Token: SeTakeOwnershipPrivilege	1156	wmic.exe
Token: SeLoadDriverPrivilege	1156	wmic.exe
Token: SeSystemProfilePrivilege	1156	wmic.exe
Token: SeSystemtimePrivilege	1156	wmic.exe
Token: SeProfSingleProcessPrivilege	1156	wmic.exe
Token: SeIncBasePriorityPrivilege	1156	wmic.exe
Token: SeCreatePagefilePrivilege	1156	wmic.exe
Token: SeBackupPrivilege	1156	wmic.exe
Token: SeRestorePrivilege	1156	wmic.exe
Token: SeShutdownPrivilege	1156	wmic.exe
Token: SeDebugPrivilege	1156	wmic.exe
Token: SeSystemEnvironmentPrivilege	1156	wmic.exe
Token: SeRemoteShutdownPrivilege	1156	wmic.exe
Token: SeUndockPrivilege	1156	wmic.exe
Token: SeManageVolumePrivilege	1156	wmic.exe
Token: 33	1156	wmic.exe
Token: 34	1156	wmic.exe
Token: 35	1156	wmic.exe
Token: SeBackupPrivilege	1720	vssvc.exe
Token: SeRestorePrivilege	1720	vssvc.exe
Token: SeAuditPrivilege	1720	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 1156	832	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe	28
PID 832 wrote to memory of 1156	832	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe	28
PID 832 wrote to memory of 1156	832	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe	28
PID 832 wrote to memory of 1156	832	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe	28

C:\Users\Admin\AppData\Local\Temp\1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
"C:\Users\Admin\AppData\Local\Temp\1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1156

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1236 -s 988
1⤵
- Program crash
PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1156-54-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads