28486a0eb0a65e2c926a44dc8559ccd6deec153b784d91698382512c82cdb401

Analysis

max time kernel
126s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14/06/2023, 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Unhide.exe
Size

668KB
MD5

0c3717b91073d5e4a8097b69331646a5
SHA1

1c3e14bf1b3b20736ca84f4d3a000dd8cbb84a59
SHA256

28486a0eb0a65e2c926a44dc8559ccd6deec153b784d91698382512c82cdb401
SHA512

a52ee1760327063b5bba79d6da74788d1971dce1466e94e0c4bf2a4283dcf662314635099a4ff885e50683a9817022ef4aec2d8bda23dc132f4ac4773252e564
SSDEEP

12288:fxTCGTc6rYLF4s7E2vqsIG+OBxUkK3nn8eQ3Gj0Hy/23vc8/:pTlQ6rgPE2vagxdynMGjD/8vP

Score

8^/10

ransomware upx

Malware Config

Signatures

Drops file in Drivers directory 52 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\fr-FR	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\de-DE	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\it-IT	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\es-ES	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\ja-JP	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP	attrib.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\WaitRestore.tiff	attrib.exe
File opened for modification	C:\Users\Admin\Pictures\DismountUpdate.tiff	attrib.exe
File opened for modification	C:\Users\Admin\Pictures\RequestFind.tiff	attrib.exe

Executes dropped EXE 3 IoCs

pid	Process
1712	setpath.exe
1628	sed.exe
1960	pev.exe

Loads dropped DLL 5 IoCs

pid	Process
540	cmd.exe
540	cmd.exe
540	cmd.exe
540	cmd.exe
1956	cmd.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000139ea-76.dat	upx
behavioral1/files/0x00070000000139ea-77.dat	upx
behavioral1/files/0x00070000000139ea-78.dat	upx
behavioral1/files/0x00070000000139ea-79.dat	upx
behavioral1/memory/1712-80-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/memory/1636-129-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/files/0x00070000000139fa-138.dat	upx
behavioral1/memory/1636-158-0x0000000000400000-0x0000000000487000-memory.dmp	upx

Drops desktop.ini file(s) 53 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-us-links-component_31bf3856ad364e35_6.1.7601.17514_none_b325aa489d61d3a5\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-sonata_31bf3856ad364e35_6.1.7600.16385_none_201752c112c5078c\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-landscape_31bf3856ad364e35_6.1.7600.16385_none_7a83a914edc3de49\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gameexplorer_31bf3856ad364e35_6.1.7601.17514_none_a026547dd7dc8bbc\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_8.0.7600.16385_none_add5a10aa4d614d5\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_6.1.7600.16385_none_bf396ba9226e0702\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_8.0.7601.17514_none_da0c2f9edf5b1353\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_6.1.7600.16385_none_61fc91b36f901b87\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_6.1.7600.16385_none_7ca09f65fd387e58\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-festival_31bf3856ad364e35_6.1.7600.16385_none_121f20b55f0bde68\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-heritage_31bf3856ad364e35_6.1.7600.16385_none_5872c0830d0c4747\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.1.7600.16385_none_73076dd9cf3a9dce\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-au-component_31bf3856ad364e35_6.1.7601.17514_none_36a5754e72dd8aff\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-landscapes_31bf3856ad364e35_6.1.7600.16385_none_e57abb2f66db71a9\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-scenes_31bf3856ad364e35_6.1.7600.16385_none_a4393b1a254aeaee\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-gb-links-component_31bf3856ad364e35_6.1.7601.17514_none_0ea01e97df141032\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ndthemes-characters_31bf3856ad364e35_6.1.7600.16385_none_08da32b0fdad9220\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_6.1.7600.16385_none_7ff91f5d2dd6c770\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-reg-inf_31bf3856ad364e35_6.1.7601.17514_none_535245f3d98ecb9a\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_6.1.7600.16385_none_da623240a154f357\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-videosamples_31bf3856ad364e35_6.1.7600.16385_none_51a21f033003affd\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.2.9600.16428_none_4382f60666c7c23b\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-characters_31bf3856ad364e35_6.1.7600.16385_none_bde0eaed84920a21\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-cityscape_31bf3856ad364e35_6.1.7600.16385_none_5b48f43248490503\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-fontext_31bf3856ad364e35_6.1.7601.17514_none_fcab9df20a3cd55f\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-photosamples_31bf3856ad364e35_6.1.7600.16385_none_f36e0e659b8042be\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_6.1.7600.16385_none_36604ea896f9a97d\Desktop.ini	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-gb-component_31bf3856ad364e35_6.1.7601.17514_none_92d51a492ae12096\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..dthemes-calligraphy_31bf3856ad364e35_6.1.7600.16385_none_c1407bc73caf8dfc\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-samplemedia_31bf3856ad364e35_6.1.7600.16385_none_b6b9b223710b3802\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-nature_31bf3856ad364e35_6.1.7600.16385_none_d5909570704a09c0\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.2.9600.16428_none_197d7b3a29314757\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-maintenance_31bf3856ad364e35_6.1.7600.16385_none_ba8f25a3b6d81a68\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-soundthemes-raga_31bf3856ad364e35_6.1.7600.16385_none_2fe300bf8e73cdbd\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_6.1.7600.16385_none_480c0d8bd31ae43f\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-quirky_31bf3856ad364e35_6.1.7600.16385_none_e55404efe49bb9cb\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..lpaper-architecture_31bf3856ad364e35_6.1.7600.16385_none_d99106b927aa7782\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_6.1.7600.16385_none_64398328adc9c59d\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.1.7600.16385_none_06495209cbd8e93b\desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..l-soundthemes-delta_31bf3856ad364e35_6.1.7600.16385_none_fbf7e0678b64a4b8\Desktop.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-garden_31bf3856ad364e35_6.1.7600.16385_none_f7a4bf1e15863e21\Desktop.ini	attrib.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\de-DE\iscsidsc.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\prnxx002.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\dot4prt.inf_amd64_neutral_e7d3f62d0d4411db\dot4prt.inf	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnr002.inf_amd64_neutral_37896c5e81c8d488\Amd64\NR4000B.GPD	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\netxex64.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\tape.inf_amd64_neutral_c6a6811d3d827dba\tandqic.sys	attrib.exe
File opened for modification	C:\Windows\SysWOW64\12520437.cpx	attrib.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll	attrib.exe
File opened for modification	C:\Windows\SysWOW64\KBDCR.DLL	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00e.inf_amd64_neutral_651eeed98428be5e\Amd64	attrib.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\dimsroam.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\PSEvents.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\loadperf.dll	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\uxtheme.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Dism\es-ES\CompatProvider.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\KBDSMSFI.DLL	attrib.exe
File opened for modification	C:\Windows\SysWOW64\msscript.ocx	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx00w.inf_amd64_neutral_d4c93bb2fbf75723\prnlx00w.PNF	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr007.inf_amd64_neutral_add2acf1d573aef0\Amd64\BRCLRD06.DLL	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx007.inf_amd64_neutral_0b796ee4978458e2\Amd64\LME321.GPD	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnr004.inf_amd64_neutral_3319ff2548f89fd8\Amd64\NR1404E3.PPD	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsv003.inf_amd64_neutral_1e0c4fbb9b11b015\Amd64\SV31N6.GPD	attrib.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\ndishc.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\XPSViewer\es-ES	attrib.exe
File opened for modification	C:\Windows\SysWOW64\WMVSENCD.DLL	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\mtstocom.exe.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc00b.inf_amd64_neutral_3338d41663aad5fa\prnrc00b.cat	attrib.exe
File opened for modification	C:\Windows\SysWOW64\uxlibres.dll	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ws3cap.inf_amd64_neutral_eeaccb8f1560f5fb\ws3cap.inf	attrib.exe
File opened for modification	C:\Windows\SysWOW64\en-US\sendmail.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\dot3gpui.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\th-TH\comctl32.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\comres.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnle002.inf_amd64_neutral_c7564163ba063094\Amd64\LR136N.GPD	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnle002.inf_amd64_neutral_c7564163ba063094\Amd64\LR9000.GPD	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\rdpendp.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\acppage.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\net8187se64.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj4500t.xml	attrib.exe
File opened for modification	C:\Windows\SysWOW64\en-US\AtBroker.exe.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\hr-HR\comctl32.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_locations.help.txt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\regedit.exe.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnin003.inf_amd64_neutral_3a3c6293d0cda862\Amd64\IFCP3036.GPD	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\sffdisk.inf_amd64_neutral_d2425e60845d17d3\sffdisk.PNF	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\hpoa1sd.inf_loc	attrib.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\miguiresource.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\OEM\EnterpriseN\license.rtf	attrib.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\replacementmanifests\nfs-servercore-repl.man	attrib.exe
File opened for modification	C:\Windows\SysWOW64\NlsData0022.dll	attrib.exe
File opened for modification	C:\Windows\SysWOW64\wbem\RacWmiProv.dll	attrib.exe
File opened for modification	C:\Windows\SysWOW64\w32topl.dll	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj4680t.exp	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky006.inf_amd64_neutral_522043c34551b0c0\Amd64\KYW7QUR5.XML	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\wiaky002.inf_loc	attrib.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Apphlpdm.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-MediaPlayer-DRM-DL\drmmgrtn.dll	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\fontview.exe.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hpoa1sd.inf_amd64_neutral_caaa16c52c48f8ac\hpoa1sd.inf	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiaca00a.inf_amd64_neutral_163313056d8f34ab\wiaca00a.inf	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiaca00i.inf_amd64_neutral_de104aaa48ee4b00\CNC1730D.TBL	attrib.exe
File opened for modification	C:\Windows\SysWOW64\en-US\TSWorkspace.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\diskraid.exe.mui	attrib.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_zh_4.4.0.v20140623020002.jar	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-actions_zh_CN.jar	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\TipRes.dll.mui	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00333_.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02187_.GIF	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring.jar	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libaes3_plugin.dll	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_On.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplate.html	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\SOLVER.XLAM	attrib.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\settings.html	attrib.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\ja-JP	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_duplicate_plugin.dll	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\MSOINTL.DLL	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL_K_COL.HXK	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\high-contrast.css	attrib.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File B.txt	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\fr-FR	attrib.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml	attrib.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Music.emf	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGDOTS.DPV	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveNewsletter.dotx	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32	attrib.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01237_.GIF	attrib.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\30.png	attrib.exe
File opened for modification	C:\Program Files\DVD Maker\OmdProject.dll	attrib.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Kiev	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239057.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285462.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\AD.XML	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libfreetype_plugin.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Sts.css	attrib.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Shades of Blue.htm	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBCOLOR.SCM	attrib.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Entity.Design.Resources.dll	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libcache_read_plugin.dll	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_mmx_plugin.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_ar.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR36B.GIF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDRESN.CFG	attrib.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\picturePuzzle.js	attrib.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\gadget.xml	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS	attrib.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es	attrib.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\gadget.xml	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CLASSIC2.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.IO.Log.dll	attrib.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm.html	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libtwolame_plugin.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.lng	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00601_.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\DELETE.GIF	attrib.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-feedsbs.resources_31bf3856ad364e35_8.0.7600.16385_en-us_bf29277a68e95bfc\msfeedsbs.dll.mui	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-d..rectinput.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0904bc5fca096360.manifest	attrib.exe
File opened for modification	C:\Windows\inf\prnsv002.inf	attrib.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-diskcopy.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cb3e4a6525c65107.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-eventlog-api.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ae9bda912e7a71a5	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_ricoh.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_af85e20316ac846e\RW430Ext.dll.mui	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_windowssearchengine.resources_31bf3856ad364e35_7.0.7600.16385_de-de_6b6ac41c3ef125b7\gsrvctr.ini	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8ab09743d05aab36	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\ManageAppSettings.aspx.resx	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..gssystems.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b7f67d67f2abb13e\CSRR.rs.mui	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-t..oyment-languagepack_31bf3856ad364e35_6.1.7600.16385_it-it_25979c5397d8b23e.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\wow64_microsoft-windows-p..libraries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_872159df1d68c354.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.0.0_it-it_deb5f036c2fcbba3.manifest	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\DefineErrorPage.aspx.resx	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_prnca00z.inf_31bf3856ad364e35_6.1.7600.16385_none_ea189c313845a10e\Amd64\CNBBLP41.GPD	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_prnky007.inf_31bf3856ad364e35_6.1.7600.16385_none_3f70c23251ba1833\Amd64\KYFS5020.GPD	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_megasas2.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c34b256c1ba31290\megasas2.inf_loc	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5bab695d0065bbd0\newdev.dll.mui	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_megasas2.inf-languagepack_31bf3856ad364e35_6.1.7600.16385_en-us_8a7db96e2bc81a42.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-m..ponents-jetxbasepdx_31bf3856ad364e35_6.1.7600.16385_none_91e7a2968218eaf7\msxbde40.dll	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\App_LocalResources\chooseProviderManagement.aspx.resx	attrib.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-eventviewer.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_534ca9d98862b106\els.dll.mui	attrib.exe
File opened for modification	C:\Windows\Installer\439a3.msi	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b6f780a94a52ace4\ole32.dll.mui	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_taskschedulersettings.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_7e3244e404aec918\taskschd.msc	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-smartcardksp.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_940adae60f7352f1.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-t..c-journal.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e550daaaa4138d9c.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-r..onmanager.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2df33a926479c43d.manifest	attrib.exe
File opened for modification	C:\Windows\Help\Windows\es-ES\artcon6.h1s	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Reflection.context.dll	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7601.17514_de-de_8d33546de1c5ef03\license.rtf	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..linetools.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1ed810857d597659	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-MobilePC-Client-Premium-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.mum	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_609ebaed9a394a1c\GroupPolicy-Admin-Gpedit-Snapin-DL.man	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-w..-provider.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c70960f508ce7587\ntevt.mfl	attrib.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mssign32-dll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_19ec38460d920c99_mssign32.dll.mui_d663578f	attrib.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-dot3svc_31bf3856ad364e35_6.1.7601.17514_none_d3e6be89be849836\dot3msm.dll	attrib.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.1.7601.17514_none_9fe23e2588fdee38\NlsLexicons004b.dll	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-usertiles_31bf3856ad364e35_6.1.7600.16385_none_f385bacaa98d1e8b\usertile26.bmp	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpd4200t.exp	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_prnkm003.inf_31bf3856ad364e35_6.1.7600.16385_none_50766fcc42797a9b\Amd64\kop4650X.xml	attrib.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-setupapi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c6211bdd913a2fd8.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-m..-wmpshell.resources_31bf3856ad364e35_6.1.7600.16385_it-it_bcc723b763094aa3.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-u..lperclass.resources_31bf3856ad364e35_6.1.7600.16385_en-us_203b5e1fb499032b.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..lsservice.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_d5f263ceaa730239	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\WindowsFormsIntegration	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..lorer-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d85fd62a5281d5c6\GameExplorer.adml	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wininit-mof.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c41d36de6cc0596b\wininit.mfl	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\msil_system.configuration.install.resources_b03f5f7f11d50a3a_6.1.7600.16385_en-us_0ea59346e6a9935b.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-a..figurator.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ef74aaed83c3b512.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-wordpad_31bf3856ad364e35_6.1.7601.17514_none_963528f4b7e5d0fd\wordpad.exe	attrib.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100ita_x64	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-aerodiagnostic_31bf3856ad364e35_6.1.7600.16385_none_4734ae48c8e465f5\AeroDiagnostic.xml	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-logagent.resources_31bf3856ad364e35_6.1.7600.16385_en-us_df23a1b9a7a8b3e3\logagent.exe.mui	attrib.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_3ea6d01c34b5cc55.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_fundisc_31bf3856ad364e35_6.1.7600.16385_none_d7d9607f549396fc.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-i..oyment-languagepack_31bf3856ad364e35_8.0.7601.17514_de-de_46a6531c6d2d9db6.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\x86_netfx-clr_mof_b03f5f7f11d50a3a_6.1.7601.17514_none_2247aad307749dd3\CLR.mof	attrib.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-ehglid.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e0ba241a5773937f	attrib.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PresentationFramework_gac_x86	attrib.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_sisraid4.inf_31bf3856ad364e35_6.1.7600.16385_none_84373bc2d1df49e7.manifest	attrib.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-r..ienttools.resources_31bf3856ad364e35_6.1.7600.16385_en-us_01a8083d23661f34\rasdial.exe.mui	attrib.exe
File opened for modification	C:\Windows\PolicyDefinitions\MSDT.admx	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 540	1636	Unhide.exe	27
PID 1636 wrote to memory of 540	1636	Unhide.exe	27
PID 1636 wrote to memory of 540	1636	Unhide.exe	27
PID 1636 wrote to memory of 540	1636	Unhide.exe	27
PID 540 wrote to memory of 1712	540	cmd.exe	29
PID 540 wrote to memory of 1712	540	cmd.exe	29
PID 540 wrote to memory of 1712	540	cmd.exe	29
PID 540 wrote to memory of 1712	540	cmd.exe	29
PID 540 wrote to memory of 1628	540	cmd.exe	30
PID 540 wrote to memory of 1628	540	cmd.exe	30
PID 540 wrote to memory of 1628	540	cmd.exe	30
PID 540 wrote to memory of 1628	540	cmd.exe	30
PID 540 wrote to memory of 1956	540	cmd.exe	31
PID 540 wrote to memory of 1956	540	cmd.exe	31
PID 540 wrote to memory of 1956	540	cmd.exe	31
PID 540 wrote to memory of 1956	540	cmd.exe	31
PID 1956 wrote to memory of 1960	1956	cmd.exe	32
PID 1956 wrote to memory of 1960	1956	cmd.exe	32
PID 1956 wrote to memory of 1960	1956	cmd.exe	32
PID 1956 wrote to memory of 1960	1956	cmd.exe	32
PID 540 wrote to memory of 1396	540	cmd.exe	33
PID 540 wrote to memory of 1396	540	cmd.exe	33
PID 540 wrote to memory of 1396	540	cmd.exe	33
PID 540 wrote to memory of 1396	540	cmd.exe	33

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1396	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Unhide.exe
"C:\Users\Admin\AppData\Local\Temp\Unhide.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\unhide.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\setpath.exe
    SetPath
    3⤵
    - Executes dropped EXE
    PID:1712
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\sed.exe
    SED -r "s/ //g; s/\\\x22$/\x22/; s/^SET/@SET /I" SetPath00
    3⤵
    - Executes dropped EXE
    PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c PEV VOLUME
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\pev.exe
      PEV VOLUME
      4⤵
      Executes dropped EXE
      PID:1960
- - C:\Windows\SysWOW64\attrib.exe
    ATTRIB -H C:\* /S /D
    3⤵
    - Drops file in Drivers directory
    - Modifies extensions of user files
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:1396
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\pev.exe
    PEV RIMPORT unhide.reg
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Users\Admin\AppData\Local\Temp\info.vbs"
    3⤵
    PID:1576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\SetPath.bat

Filesize
1KB

MD5
fa9f579295573245c0dc3cdaaf60bf2b

SHA1
37591c11f1356666051871a2c8036d9a5a3ae4db

SHA256
bc09e3042c50b5026c81095e580f92a3038956c7b81ef17da21abe32adb2f5d9

SHA512
131387b8f6ac1c6016a6ae91a11bb410b6e2e4fbbd90c390061a3c87eadb6383887838b5366e09449eb6cbb5673ffb4e8148a3985ce8afd9883431e7d6a01fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SetPath00

Filesize
1KB

MD5
c1ceb071d0e649833148afd9c0cf9596

SHA1
ba75d10667038943831917a2026ba773e4f4a99b

SHA256
0e27e2865dbb2b7efd99c241c75a4eee199ee34b75f746da991bd9abce3302f7

SHA512
4eae4598850faabe498eaa9fb420eaecc9ad308688172821f35dabc3e203234cfe5a8443f37956d60c173e658618dea6fa25ba93af932dbba7b17a280ffe981e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\grep.exe

Filesize
78KB

MD5
9e05a9c264c8a908a8e79450fcbff047

SHA1
363b2ee171de15aeea793bd7fdffd68d0feb8ba4

SHA256
c2ef6fc419630d566154f8372e94859df8141d02805bc7bce39c726a1ffef7c1

SHA512
712892e9b08a22b795f9627f6d13412cb2a4610404de33c6f83a37178b920e7bb9d3042c3a2191e49d661a34a05202e18224c67811d8b52fa0fc2c757ef0f6fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pev.exe

Filesize
249KB

MD5
3c33b26f2f7fa61d882515f2d6078691

SHA1
6a4327de077ea3126fc70c7031ca901383734562

SHA256
908fdb876715f0a77014a37396d9e964fa6359d98099929bab4086e66d72bb9f

SHA512
6682e012e0cf8a3a40873b15eee14dea5cc95e86b181632a5a2dff3498e1d8d6d01ced76efd08089d7e9d5c43ba64143639c0e5414143762a232e6dd964804d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pev.exe

Filesize
249KB

MD5
3c33b26f2f7fa61d882515f2d6078691

SHA1
6a4327de077ea3126fc70c7031ca901383734562

SHA256
908fdb876715f0a77014a37396d9e964fa6359d98099929bab4086e66d72bb9f

SHA512
6682e012e0cf8a3a40873b15eee14dea5cc95e86b181632a5a2dff3498e1d8d6d01ced76efd08089d7e9d5c43ba64143639c0e5414143762a232e6dd964804d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pev.exe

Filesize
249KB

MD5
3c33b26f2f7fa61d882515f2d6078691

SHA1
6a4327de077ea3126fc70c7031ca901383734562

SHA256
908fdb876715f0a77014a37396d9e964fa6359d98099929bab4086e66d72bb9f

SHA512
6682e012e0cf8a3a40873b15eee14dea5cc95e86b181632a5a2dff3498e1d8d6d01ced76efd08089d7e9d5c43ba64143639c0e5414143762a232e6dd964804d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sed.exe

Filesize
96KB

MD5
2b657a67aebb84aea5632c53e61e23bf

SHA1
7d723cf82658da76bda85ae00bf20cb01b43edc8

SHA256
95a2e2cacfb63d095de385a98f1d5d4a21f0e7e8de485cbaf5b872434d43fb73

SHA512
16a68add6c2f6011c3c69dd3a3bf9496730c712e631c4992c19a83747020e8b560e3b93b08e95c536f245508a9c923f18488b2aef300acbe2ecedbe4ff3e5ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sed.exe

Filesize
96KB

MD5
2b657a67aebb84aea5632c53e61e23bf

SHA1
7d723cf82658da76bda85ae00bf20cb01b43edc8

SHA256
95a2e2cacfb63d095de385a98f1d5d4a21f0e7e8de485cbaf5b872434d43fb73

SHA512
16a68add6c2f6011c3c69dd3a3bf9496730c712e631c4992c19a83747020e8b560e3b93b08e95c536f245508a9c923f18488b2aef300acbe2ecedbe4ff3e5ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setpath.exe

Filesize
26KB

MD5
4f5f4878c3931a5906392b6124ae0fcb

SHA1
5119a8d63258583365e7c6e082ccb8879901fd32

SHA256
399ce9f214fd0af7a0ff40e4c28d979642396f602845f7c6d8cb3020aa9f791e

SHA512
ce7d7768f5a35c907af7de745b83f27dba0173f4f107e4c2823a6f1bbf304079fe73f39b8b5807dd421c61a6cabe26272c671e7a940f68752ebfd71638b79299

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setpath.exe

Filesize
26KB

MD5
4f5f4878c3931a5906392b6124ae0fcb

SHA1
5119a8d63258583365e7c6e082ccb8879901fd32

SHA256
399ce9f214fd0af7a0ff40e4c28d979642396f602845f7c6d8cb3020aa9f791e

SHA512
ce7d7768f5a35c907af7de745b83f27dba0173f4f107e4c2823a6f1bbf304079fe73f39b8b5807dd421c61a6cabe26272c671e7a940f68752ebfd71638b79299

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\swxcacls.exe

Filesize
80KB

MD5
9cef63fde7a3a91a747ceb26d00fced3

SHA1
e32f3be159e7ed8ff722d7914e9bd76411f66f56

SHA256
8ddb40f126b0bac6095db82bd45bbe9b5d70b0a1e8542a82ab1df8031d776c9b

SHA512
5f1e0fd8a4f9131104f8cb58c91267026e126a4e832aee4e77ed2d4d8866e9b25406f02f17785c550661a58f9e11dbdd63ab784e9374d5cf7a42c5c7370763b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\unhide.bat

Filesize
2KB

MD5
4427ca90cac3e5b4aff5e173ad2dd4f1

SHA1
9a33cc2a79676fb5f081cca6264aa4ad061058ea

SHA256
46efd6ebae7cbbb36b15b54cf409013172bf0fab6df92daefd9ea793d1fd30b2

SHA512
59bcc51f3a4d7826d1facf27ffa6207ede7bfae2a8a318514022af5bfd9f7063cfd730dec3bb0fe21dc67c6ab669b40afb42118ea4c9986b7e2534d7e0c4726c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\unhide.bat

Filesize
2KB

MD5
4427ca90cac3e5b4aff5e173ad2dd4f1

SHA1
9a33cc2a79676fb5f081cca6264aa4ad061058ea

SHA256
46efd6ebae7cbbb36b15b54cf409013172bf0fab6df92daefd9ea793d1fd30b2

SHA512
59bcc51f3a4d7826d1facf27ffa6207ede7bfae2a8a318514022af5bfd9f7063cfd730dec3bb0fe21dc67c6ab669b40afb42118ea4c9986b7e2534d7e0c4726c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\unhide.reg

Filesize
543B

MD5
fca6a5b2508b49f3363404a8e47d552a

SHA1
3ecd0d771baa100f4e1afa810bb3b1a27cd53aad

SHA256
609db8564ed67f25fb27d844c7ef2dfbc6bac0cf30eee127e2625e7583069804

SHA512
640571c86db7ef728bea66073ba35fe017d55edff124fe03deee41b1ff6e9f65bf4cad0fc465557e8ec0031e5eb4b414b8ebd1e3a1750622eadd841aefa1f9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\info.vbs

Filesize
241B

MD5
fe5a00818eb15bc45e3c362fcc68d787

SHA1
23681ebfa9c200e4567dd9b3a2440408f5cdc870

SHA256
cc53502ef14619713c13ce195e8a74e3651504e9ff3335f18f4b29909c6cd4d4

SHA512
7fb517cf41257dc5c014547aa63c25995d96bc64afc3938f23922e7b22c6e95a6a669253ed927a81541a25b72d6bed27eaf0c967c7fde058739073231cfabef2

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\pev.exe

Filesize
249KB

MD5
3c33b26f2f7fa61d882515f2d6078691

SHA1
6a4327de077ea3126fc70c7031ca901383734562

SHA256
908fdb876715f0a77014a37396d9e964fa6359d98099929bab4086e66d72bb9f

SHA512
6682e012e0cf8a3a40873b15eee14dea5cc95e86b181632a5a2dff3498e1d8d6d01ced76efd08089d7e9d5c43ba64143639c0e5414143762a232e6dd964804d2

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\pev.exe

Filesize
249KB

MD5
3c33b26f2f7fa61d882515f2d6078691

SHA1
6a4327de077ea3126fc70c7031ca901383734562

SHA256
908fdb876715f0a77014a37396d9e964fa6359d98099929bab4086e66d72bb9f

SHA512
6682e012e0cf8a3a40873b15eee14dea5cc95e86b181632a5a2dff3498e1d8d6d01ced76efd08089d7e9d5c43ba64143639c0e5414143762a232e6dd964804d2

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\sed.exe

Filesize
96KB

MD5
2b657a67aebb84aea5632c53e61e23bf

SHA1
7d723cf82658da76bda85ae00bf20cb01b43edc8

SHA256
95a2e2cacfb63d095de385a98f1d5d4a21f0e7e8de485cbaf5b872434d43fb73

SHA512
16a68add6c2f6011c3c69dd3a3bf9496730c712e631c4992c19a83747020e8b560e3b93b08e95c536f245508a9c923f18488b2aef300acbe2ecedbe4ff3e5ca2

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\sed.exe

Filesize
96KB

MD5
2b657a67aebb84aea5632c53e61e23bf

SHA1
7d723cf82658da76bda85ae00bf20cb01b43edc8

SHA256
95a2e2cacfb63d095de385a98f1d5d4a21f0e7e8de485cbaf5b872434d43fb73

SHA512
16a68add6c2f6011c3c69dd3a3bf9496730c712e631c4992c19a83747020e8b560e3b93b08e95c536f245508a9c923f18488b2aef300acbe2ecedbe4ff3e5ca2

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\setpath.exe

Filesize
26KB

MD5
4f5f4878c3931a5906392b6124ae0fcb

SHA1
5119a8d63258583365e7c6e082ccb8879901fd32

SHA256
399ce9f214fd0af7a0ff40e4c28d979642396f602845f7c6d8cb3020aa9f791e

SHA512
ce7d7768f5a35c907af7de745b83f27dba0173f4f107e4c2823a6f1bbf304079fe73f39b8b5807dd421c61a6cabe26272c671e7a940f68752ebfd71638b79299

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\setpath.exe

Filesize
26KB

MD5
4f5f4878c3931a5906392b6124ae0fcb

SHA1
5119a8d63258583365e7c6e082ccb8879901fd32

SHA256
399ce9f214fd0af7a0ff40e4c28d979642396f602845f7c6d8cb3020aa9f791e

SHA512
ce7d7768f5a35c907af7de745b83f27dba0173f4f107e4c2823a6f1bbf304079fe73f39b8b5807dd421c61a6cabe26272c671e7a940f68752ebfd71638b79299

Download Submit
memory/540-130-0x0000000000170000-0x0000000000185000-memory.dmp

Filesize
84KB

Download
memory/1628-88-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1636-129-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1636-158-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1712-80-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1760-153-0x00000000010D0000-0x00000000011A0000-memory.dmp

Filesize
832KB

Download
memory/1760-154-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/1960-135-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/1960-134-0x00000000002B0000-0x0000000000380000-memory.dmp

Filesize
832KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads