Analysis
max time kernel: 150s
max time network: 30s
platform: windows7_x64
resource: win7-20230703-en
resource tags: arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
submitted: 05-07-2023 14:20 (day-first, i.e. 5 July 2023; the task ran on the 20230703 image, which rules out a May date)
Behavioral task behavioral1
Sample: 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
Resource: win7-20230703-en
Behavioral task behavioral2
Sample: 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
Resource: win10v2004-20230703-en
The analysis details above and the signatures below belong to behavioral1, the Windows 7 x64 run (the paths listed, such as C:\Program Files\Microsoft Games and 6.1.7601 catalog files, are Windows 7 content); the Windows 10 run is not shown on this page.
General
Target: 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe (the file name is the sample's SHA256)
Size: 1.7MB
MD5: a72345f5a627a2c8222f71347a44b013
SHA1: 595bf5761ec6eee55fb291cb465736bbbb4bfcf8
SHA256: 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800
SHA512: 5081c69929c6bd43277f416e942c7d8bb57a45c26089ade5a985ed9ae6a376128ed7dc9cba2618cf918941f7b919db73f1f48cf0c6d30b707927c4a77fbb3482
SSDEEP: 24576:SV2LT3INDJRQDj4uFgjR9XKaNIAOgoXeQ7vIKiKyn9cr2Uy9TnFXlDi9uIIg:fLT4NDG4uGlF6AubJyKr2UBuIIg
Malware Config
Extracted: agenda
company_id: feGDg5BHWw
note:
-- Qilin
Your network/system was encrypted.
Encrypted files have new extension.
-- Compromising and sensitive data
We have downloaded compromising and sensitive data from you system/network
If you refuse to communicate with us and we do not come to an agreement, your data will be published.
Data includes:
- Employees personal data, CVs, DL , SSN.
- Complete network map including credentials for local and remote services.
- Financial information including clients data, bills, budgets, annual reports, bank statements.
- Complete datagrams/schemas/drawings for manufacturing in solidworks format
- And more...
-- Warning
1) If you modify files - our decrypt software won't able to recover data
2) If you use third party software - you can damage/modify files (see item 1)
3) You need cipher key / our decrypt software to restore you files.
4) The police or authorities will not be able to help you get the cipher key.
We encourage you to consider your decisions.
-- Recovery
1) Download tor browser: https://www.torproject.org/download/
2) Go to domain
3) Enter credentials
-- Credentials
Extension: feGDg5BHWw
Domain: e3v6tjarcltwc4hdkn6fxnpkzq42ul7swf5cfqw6jzvic4577vxsxhid.onion
login: _RgxgvCfv_3rQI5oinfr9gj5JS6_AGP7
password:
The note is reproduced verbatim as extracted; its wording is itself an indicator and should not be normalised before use in detection content. The password field is empty in the extracted configuration, and the company_id is the same string the note gives as the extension of encrypted files.
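The extracted configuration above can be turned into hunting inputs mechanically. The following Python is an added example written for this report (it is neither sandbox code nor the malware family's own): it parses the note's credentials block into fields, checks that the contact address is a structurally valid v3 onion (56 base32 characters ending in "d", carrying the SHA3-256 checksum the Tor v3 address format specifies), and offers a hunt predicate for the extension. The regular expressions, the helper names and the assumption that encrypted files get ".feGDg5BHWw" appended are this example's, not the page's.

```python
"""Parse the Agenda/Qilin note extracted above into its operator-facing fields and
sanity-check the Tor contact address.

Added example for this report; it is not sandbox code and not the malware's own.
NOTE is an abridged copy of the "note" field shown on the page."""
import base64
import hashlib
import re

NOTE = (
    "-- Qilin Your network/system was encrypted. Encrypted files have new extension. "
    "-- Recovery 1) Download tor browser: https://www.torproject.org/download/ "
    "2) Go to domain 3) Enter credentials-- Credentials Extension: feGDg5BHWw "
    "Domain: e3v6tjarcltwc4hdkn6fxnpkzq42ul7swf5cfqw6jzvic4577vxsxhid.onion "
    "login: _RgxgvCfv_3rQI5oinfr9gj5JS6_AGP7 password:"
)

# Field labels as they appear in this family's note. The regexes are this
# example's assumption about the layout, not a published schema.
FIELDS = {
    "extension": re.compile(r"Extension:\s*(\S+)"),
    "domain": re.compile(r"Domain:\s*([a-z2-7]+\.onion)"),
    "login": re.compile(r"login:\s*(\S+)"),
    "password": re.compile(r"password:\s*(\S*)"),
}


def parse_agenda_note(note: str) -> dict:
    """Return extension/domain/login/password; a missing field maps to None,
    an empty one (as with 'password:' here) to ''."""
    out = {}
    for key, rx in FIELDS.items():
        m = rx.search(note)
        out[key] = m.group(1) if m else None
    return out


def onion_v3_structure_ok(host: str) -> bool:
    """A v3 onion is 56 base32 chars encoding PUBKEY(32) || CHECKSUM(2) || VERSION(1).
    VERSION is 0x03 and the last base32 char carries its low 5 bits, so every
    v3 address ends in 'd'; anything else is a typo, a v2 address or a fake."""
    return re.fullmatch(r"[a-z2-7]{55}d\.onion", host) is not None


def _checksum(pubkey: bytes, version: bytes = b"\x03") -> bytes:
    # Tor v3 address format: H(".onion checksum" || PUBKEY || VERSION)[:2], H = SHA3-256
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]


def onion_v3_checksum_ok(host: str) -> bool:
    """Recompute the embedded checksum; catches corrupted or fabricated addresses."""
    if not onion_v3_structure_ok(host):
        return False
    raw = base64.b32decode(host[:-len(".onion")], casefold=True)
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    return version == b"\x03" and checksum == _checksum(pubkey, version)


def make_onion_v3(pubkey: bytes, corrupt: bool = False) -> str:
    """Build an address from a 32-byte ed25519 public key (test helper);
    corrupt=True flips one checksum bit to produce a deliberately bad address."""
    version = b"\x03"
    checksum = _checksum(pubkey, version)
    if corrupt:
        checksum = bytes([checksum[0] ^ 0x01, checksum[1]])
    return base64.b32encode(pubkey + checksum + version).decode().lower() + ".onion"


def looks_encrypted(filename: str, extension: str) -> bool:
    """Hunt predicate. Assumption: the encryptor appends '.<extension>' to the
    original name, as the note's 'new extension' wording suggests; the page does
    not show an encrypted filename, so confirm against a real victim file first."""
    return filename.lower().endswith("." + extension.lower())


if __name__ == "__main__":
    cfg = parse_agenda_note(NOTE)
    for k, v in cfg.items():
        print(f"{k:>10}: {v!r}")
    print("v3 structure ok:", onion_v3_structure_ok(cfg["domain"]))
    print("v3 checksum ok: ", onion_v3_checksum_ok(cfg["domain"]))
```

The structural check is cheap and catches the common scraping damage (a dropped or swapped character) before the address is pushed to a blocklist; the checksum check is the stronger test and is what to rely on when the note was recovered from a partially overwritten or OCR'd source.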
Signatures
Agenda Ransomware
A ransomware with multiple variants written in Golang and Rust, first seen in August 2022. The note extracted from this sample is branded "Qilin", the name this family is also tracked under.
Drops file in Drivers directory (39 IoCs)
Process: 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
Action: File opened for modification (every entry)
Every path is an existing file under C:\Windows\SysWOW64\drivers; for a ransomware sample this is consistent with in-place encryption of system files rather than a driver being dropped, and it shows the encryptor does not exclude the Windows directory.
C:\Windows\SysWOW64\drivers\gmreadme.txt
C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui
C:\Windows\SysWOW64\drivers\wimmount.sys
C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui
C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui
C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui
C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui
C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui
C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui
C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui
C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui
C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui
C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui
C:\Windows\SysWOW64\drivers\gm.dls
C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui
C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui
C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui
C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui
C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui
C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui
C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui
C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui
C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui
C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui
C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui
C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui
C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui
C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui
C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui
C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui
C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui
C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui
C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui
C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui
C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui
C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui
C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui
C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui
C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui
Drops startup file (1 IoCs)
Process: 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
Action: File opened for modification
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
The only file touched is the pre-existing desktop.ini of the Startup folder, the same pattern as the desktop.ini activity below; no executable or shortcut is written there, so this entry does not by itself show persistence.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc. No file IoCs are listed for this signature on this page; for an encryptor that walks the whole user profile, reads of browser profile directories are more likely traversal than credential theft, and nothing listed here shows browser data being collected or sent out.
Drops desktop.ini file(s) (64 IoCs)
Process: 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
Action: File opened for modification (every entry)
These are the existing desktop.ini files of user, Public, Default, service-profile and Windows folders; the spread across C:\$Recycle.Bin, C:\Windows and both Program Files trees gives a quick picture of how broadly the encryptor walks the volume.
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Admin\Favorites\Links for United States\desktop.ini
C:\Windows\Media\Calligraphy\Desktop.ini
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
C:\Program Files (x86)\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\43WLYJX9\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini
C:\Users\Public\Videos\Sample Videos\desktop.ini
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\$Recycle.Bin\S-1-5-21-1305762978-1813183296-1799492538-1000\desktop.ini
C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\Program Files\Microsoft Games\Chess\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
C:\Windows\Media\Savanna\Desktop.ini
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Windows\assembly\Desktop.ini
C:\Program Files\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\Windows\Media\Afternoon\Desktop.ini
C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Public\Libraries\desktop.ini
C:\Windows\Offline Web Pages\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YEFGVE3C\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\KS2R1QX6\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Public\Recorded TV\desktop.ini
C:\Windows\Media\Cityscape\Desktop.ini
C:\Windows\Media\Landscape\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini
C:\Windows\Media\Quirky\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\Contacts\desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Windows\Media\Heritage\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Users\Admin\Documents\desktop.ini
C:\Windows\Media\Characters\Desktop.ini
C:\Program Files\Microsoft Games\FreeCell\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\Users\Public\desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\Users\Public\Pictures\Sample Pictures\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TQQ2N3BG\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
Drops autorun.inf file (1 TTPs, 1 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Process: 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
Action: File opened for modification
C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf
The file is the autorun.inf that Windows ships for BitLocker To Go discovery volumes, opened for modification like the other system files on this page; nothing here shows an autorun.inf being created on a removable volume, so treat the signature as a by-product of the encryption sweep rather than evidence of a spreading mechanism.
Drops file in System32 directory (64 IoCs)
Process: 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
Action: File opened for modification (every entry)
The entries mix System32 and SysWOW64 content: printer driver packages under DriverStore\FileRepository, signed package catalogs under catroot, .mui resources, .msc consoles and a few DLLs and EXEs. All are pre-existing files being opened for modification; modified catalog and driver-store files will fail signature checks afterwards, which is worth knowing before attempting an in-place repair of an affected host.
C:\Windows\System32\DriverStore\FileRepository\prnok002.inf_amd64_neutral_616c1e9b7df7d5a9\Amd64\OK9300U5.PPD
C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-windows-iis-rm\iismig.dll
C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-StorageService-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat
C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Telnet-Client-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat
C:\Windows\System32\DriverStore\FileRepository\prnca00f.inf_amd64_neutral_777b6911d18869b7\Amd64\CNBJ2760.TBL
C:\Windows\System32\DriverStore\FileRepository\prnle002.inf_amd64_neutral_c7564163ba063094\Amd64\LR131NL.GPD
C:\Windows\System32\DriverStore\it-IT\prnhp002.inf_loc
C:\Windows\SysWOW64\ja-JP\wcnwiz.dll.mui
C:\Windows\SysWOW64\de-DE\systeminfo.exe.mui
C:\Windows\System32\DriverStore\FileRepository\prnok002.inf_amd64_neutral_616c1e9b7df7d5a9\Amd64\OK540NU5.PPD
C:\Windows\System32\DriverStore\ja-JP\netl260a.inf_loc
C:\Windows\System32\DriverStore\FileRepository\prnca00d.inf_amd64_neutral_0600b2ba575729f4\prnca00d.cat
C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpbsbasi.gpd
C:\Windows\System32\DriverStore\fr-FR\prnge001.inf_loc
C:\Windows\SysWOW64\es-ES\sberes.dll.mui
C:\Windows\SysWOW64\de-DE\lusrmgr.msc
C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08ag.bcm
C:\Windows\System32\DriverStore\FileRepository\prnep00e.inf_amd64_neutral_edc631ff41a34218\Amd64\EP0NGPAA.GPD
C:\Windows\System32\DriverStore\FileRepository\prnsv004.inf_amd64_neutral_fc4526bbfbd5feb1\Amd64\SA381103.PPD
C:\Windows\SysWOW64\en-US\sc.exe.mui
C:\Windows\SysWOW64\it-IT\IpsmSnap.dll.mui
C:\Windows\System32\DriverStore\FileRepository\prnep00d.inf_amd64_neutral_dd61103f3a2743d4\Amd64\EP0NOJ8H.DXT
C:\Windows\SysWOW64\es-ES\LocationNotifications.exe.mui
C:\Windows\SysWOW64\fr-FR\finger.exe.mui
C:\Windows\SysWOW64\it-IT\adtschema.dll.mui
C:\Windows\SysWOW64\it-IT\VaultSysUi.exe.mui
C:\Windows\SysWOW64\msexcl40.dll
C:\Windows\SysWOW64\it-IT\pshed.dll.mui
C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.cat
C:\Windows\SysWOW64\de-DE\taskmgr.exe.mui
C:\Windows\SysWOW64\de-DE\timedate.cpl.mui
C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPOJ7200.CFG
C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smf563.gpd
C:\Windows\SysWOW64\es-ES\vfwwdm32.dll.mui
C:\Windows\SysWOW64\es-ES\DDACLSys.dll.mui
C:\Windows\SysWOW64\fr-FR\perfhost.exe.mui
C:\Windows\SysWOW64\fr-FR\takeown.exe.mui
C:\Windows\SysWOW64\de-DE\colorcpl.exe.mui
C:\Windows\System32\DriverStore\FileRepository\brmfcmf.inf_amd64_neutral_67b5984f8e8ff717\BrmfLpt.dll
C:\Windows\System32\DriverStore\FileRepository\wiaca00f.inf_amd64_neutral_f7f7e179d99acc58\wiaca00f.PNF
C:\Windows\SysWOW64\dsauth.dll
C:\Windows\SysWOW64\fr-FR\accessibilitycpl.dll.mui
C:\Windows\System32\DriverStore\FileRepository\prnts003.inf_amd64_neutral_33a68664c7e7ae4b\Amd64\tsmxu003.xml
C:\Windows\SysWOW64\en-US\mmres.dll.mui
C:\Windows\SysWOW64\ja-JP\wmidx.dll.mui
C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-Bits-Client-DL.man
C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~it-IT~7.1.7601.16492.cat
C:\Windows\System32\DriverStore\de-DE\Mcx2.inf_loc
C:\Windows\System32\DriverStore\en-US\prnle003.inf_loc
C:\Windows\System32\DriverStore\FileRepository\adpahci.inf_amd64_neutral_b082e95ec9f8c3f9\adpahci.PNF
C:\Windows\System32\DriverStore\FileRepository\prnca00g.inf_amd64_neutral_6f76b14b2912fa55\Amd64\CNB7TMAA.ICM
C:\Windows\SysWOW64\it-IT\driverquery.exe.mui
C:\Windows\System32\DriverStore\FileRepository\prnrc007.inf_amd64_neutral_2df575afa0f7d35f\Amd64\RI1341E3.PPD
C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smc660.ppd
C:\Windows\SysWOW64\it-IT\WinSyncProviders.rll.mui
C:\Windows\SysWOW64\DisplaySwitch.exe
C:\Windows\System32\DriverStore\FileRepository\prnca00f.inf_amd64_neutral_777b6911d18869b7\Amd64\CNBJOP84.DLL
C:\Windows\SysWOW64\en-US\olecli32.dll.mui
C:\Windows\SysWOW64\fr-FR\DeviceUxRes.dll.mui
C:\Windows\SysWOW64\printmanagement.msc
C:\Windows\SysWOW64\ja-JP\pcwum.dll.mui
C:\Windows\SysWOW64\PortableDeviceSyncProvider.dll
C:\Windows\SysWOW64\en-US\RmClient.exe.mui
C:\Windows\SysWOW64\es-ES\samsrv.dll.mui
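The file IoC sections above are captured as one run-on string per section, with the process name repeated after every path. The Python below is an added example written for this report, not the sandbox's own export tooling: it splits such a run into records (using the fixed process name as the delimiter, because the paths themselves contain spaces), counts entries per top-level tree, flags the ones under Windows and Program Files, and compares the parsed total with the count in the signature header so that a truncated export is noticed. The splitting rule is an assumption based on the text as it appears here; the five sample entries are taken from the lists above and joined the same way.

```python
"""Convert the run-on 'File opened for modification <path> <process>' text from the
signature sections above into records and summarise which trees the sample wrote to.

Added example for this report, not the sandbox's export tooling. The delimiter
rule (split on the fixed process name, since paths contain spaces) is an
assumption drawn from the captured text."""
import re
from collections import Counter

PROCESS = "9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe"
ACTION = "File opened for modification"

# Constructed sample: five entries taken from the lists above, joined exactly the
# way the captured page runs them together.
SAMPLE = " ".join(
    f"{ACTION} {path} {PROCESS}"
    for path in (
        r"C:\Windows\SysWOW64\drivers\gmreadme.txt",
        r"C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui",
        r"C:\Users\Admin\Favorites\Links for United States\desktop.ini",
        r"C:\$Recycle.Bin\S-1-5-21-1305762978-1813183296-1799492538-1000\desktop.ini",
        r"C:\Program Files (x86)\desktop.ini",
    )
)

# Trees whose encryption breaks the OS as well as user data (matters for recovery).
SYSTEM_PREFIXES = (r"C:\Windows", r"C:\Program Files", r"C:\ProgramData")


def parse_file_iocs(text, process=PROCESS, action=ACTION):
    """Return [{'action', 'path', 'process'}, ...]. The path is everything between
    the action phrase and the next occurrence of the process name."""
    rx = re.compile(re.escape(action) + r"\s+(.+?)\s+" + re.escape(process))
    return [{"action": action, "path": p, "process": process} for p in rx.findall(text)]


def top_level_counts(records):
    """Count records per drive plus first directory, e.g. 'C:\\Windows'."""
    counts = Counter()
    for r in records:
        parts = r["path"].split("\\")
        counts["\\".join(parts[:2])] += 1
    return counts


def system_tree_paths(records):
    """Paths under Windows, Program Files (both) and ProgramData."""
    return [r["path"] for r in records if r["path"].startswith(SYSTEM_PREFIXES)]


def coverage(records, claimed):
    """Compare parsed entries with the count in the signature header. The page
    truncates long lists, so a shortfall means the export is incomplete, not that
    fewer files were touched."""
    return {"parsed": len(records), "claimed": claimed, "truncated": len(records) < claimed}


if __name__ == "__main__":
    recs = parse_file_iocs(SAMPLE)
    print(top_level_counts(recs))
    print(system_tree_paths(recs))
    print(coverage(recs, claimed=39))
```

Run against the full drivers list the parser should return exactly 39 records; against the Program Files list it returns fewer than the 64 the header claims, which is the truncation flag doing its job rather than a parsing error.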
Drops file in Program Files directory 64 IoCs
Processes:
-
Drops file in Windows directory 64 IoCs
Processes:
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
description: Token: SeShutdownPrivilege
pid: 1184
process: 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
"C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe"
- Drops file in Drivers directory
- Drops startup file
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1184