Analysis
max time kernel: 150s
max time network: 32s
platform: windows7_x64
resource: win7-20230703-en
resource tags: arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
submitted: 05-07-2023 14:38

Behavioral task: behavioral1
Sample: 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
Resource: win7-20230703-en

Behavioral task: behavioral2
Sample: 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
Resource: win10v2004-20230703-en

General
Target: 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
Size: 1.7MB
MD5: a72345f5a627a2c8222f71347a44b013
SHA1: 595bf5761ec6eee55fb291cb465736bbbb4bfcf8
SHA256: 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800
SHA512: 5081c69929c6bd43277f416e942c7d8bb57a45c26089ade5a985ed9ae6a376128ed7dc9cba2618cf918941f7b919db73f1f48cf0c6d30b707927c4a77fbb3482
SSDEEP: 24576:SV2LT3INDJRQDj4uFgjR9XKaNIAOgoXeQ7vIKiKyn9cr2Uy9TnFXlDi9uIIg:fLT4NDG4uGlF6AubJyKr2UBuIIg
Malware Config
Extracted
agenda
company_id: feGDg5BHWw
note:
-- Qilin
Your network/system was encrypted.
Encrypted files have new extension.
-- Compromising and sensitive data
We have downloaded compromising and sensitive data from you system/network
If you refuse to communicate with us and we do not come to an agreement, your data will be published.
Data includes:
- Employees personal data, CVs, DL , SSN.
- Complete network map including credentials for local and remote services.
- Financial information including clients data, bills, budgets, annual reports, bank statements.
- Complete datagrams/schemas/drawings for manufacturing in solidworks format
- And more...
-- Warning
1) If you modify files - our decrypt software won't able to recover data
2) If you use third party software - you can damage/modify files (see item 1)
3) You need cipher key / our decrypt software to restore you files.
4) The police or authorities will not be able to help you get the cipher key.
We encourage you to consider your decisions.
-- Recovery
1) Download tor browser: https://www.torproject.org/download/
2) Go to domain
3) Enter credentials
-- Credentials
Extension: feGDg5BHWw
Domain: e3v6tjarcltwc4hdkn6fxnpkzq42ul7swf5cfqw6jzvic4577vxsxhid.onion
login: _RgxgvCfv_3rQI5oinfr9gj5JS6_AGP7
password:
Signatures

Agenda Ransomware
A ransomware family with multiple variants, written in Golang and Rust, first seen in August 2022.
Drops file in Drivers directory (39 IoCs)
Processes: 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
Modifies extensions of user files (1 IoC)
Ransomware generally changes the extension on encrypted files.
Processes: 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification: C:\Users\Admin\Pictures\UndoLimit.tiff
Drops startup file (1 IoC)
Processes: 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) (64 IoCs)
Processes: 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
Drops autorun.inf file (1 TTP, 1 IoC)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification: C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf
Drops file in System32 directory (64 IoCs)
Processes: 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
Drops file in Program Files directory (64 IoCs)
Processes: 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
Explorer\jsdebuggeride.dll 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00532_.WMF 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirect3d9_plugin.dll 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_docked.png 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00530_.WMF 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessData.xml 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jdwpTransport.h 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\javafx.properties 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe File opened for modification C:\Program Files\Java\jre7\lib\jfr.jar 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\librawdv_plugin.dll 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUNGLE.HTM 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santarem 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe File opened for modification C:\Program 
Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_zh_CN.jar 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\settings.js 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGACCBOX.XML 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Country.gif 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105638.WMF 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107042.WMF 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0304371.WMF 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\1.png 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT+2 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\bckgRes.dll.mui 
9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Engine.resources.dll 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\OrielFax.Dotx 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21366_.GIF 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe File opened for modification C:\Program Files\Common Files\System\msadc\msadce.dll 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_ja_4.4.0.v20140623020002.jar 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent_partly-cloudy.png 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe -
Drops file in Windows directory 64 IoCs
Processes:
9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
description ioc process
File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_64\Accessibility\c9bdcf9e45459b60e542e8f270de0c52\Accessibility.ni.dll 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\inf\prnge001.PNF 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\App_LocalResources\createPermission.aspx.resx 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-Client-Refresh-LanguagePack-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.ApplicationId.RuleWizard.Resources\6.1.0.0_es_31bf3856ad364e35\Microsoft.ApplicationId.RuleWizard.Resources.dll 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\es\System.ServiceModel.Install.Resources.dll 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\PolicyDefinitions\ja-JP\sdiageng.adml 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\en-US\bootfix.bin 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\Fonts\verdana.ttf 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-Telnet-Client-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\Fonts\BOD_CR.TTF 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\inf\prnrc302.inf 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\Microsoft.NET\NETFXRepair.2052.dll 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-TerminalServices-Publishing-WMIProvider-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.mum 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml.84e525b7#\26111428db03f2a918b2deb8029871c4\System.Xml.Serialization.ni.dll 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\de\ComSvcConfig.resources.dll 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardFinish.ascx.resx 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\PolicyDefinitions\ja-JP\sdiagschd.adml 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0\9.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\System.Deployment.resources\2.0.0.0_es_b03f5f7f11d50a3a\System.Deployment.resources.dll 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\system.identitymodel.resources\3.0.0.0_es_b77a5c561934e089\System.IdentityModel.Resources.dll 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\Help\mui\0410\ipsecmonitor.CHM 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\Help\Windows\de-DE\recycle.h1s 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\ehiwmp\6.1.0.0__31bf3856ad364e35\ehiwmp.dll 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\editUser.aspx.resx 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.mum 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\servicing\Packages\Package_for_KB2534111~31bf3856ad364e35~amd64~~6.1.1.0.cat 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\Fonts\upcebi.ttf 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\inf\mdmzyxlg.PNF 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Runtime.DurableInstancing.dll 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.5\Microsoft.Build.xsd 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\PolicyDefinitions\ja-JP\DeviceInstallation.adml 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\PresentationCore.resources\3.0.0.0_it_31bf3856ad364e35\PresentationCore.resources.dll 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml.Linq\164d9beb2bf9b6160593f915a2d9aa6d\System.Xml.Linq.ni.dll 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\Help\mui\0407\cmak_ops.CHM 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\es\Tracking_Schema.sql 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~ro-RO~7.1.7601.16492.cat 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\normnfkc.nlp 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe.config 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\PLA\Rules\fr-FR\Rules.System.Memory.xml 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\Help\mui\0407\tpmadmin.CHM 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config.comments 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\PLA\Rules\it-IT\Rules.System.Summary.xml 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\PolicyDefinitions\de-DE\RPC.adml 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\PolicyDefinitions\it-IT\RemoteAssistance.adml 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\Help\mui\040C\taskscheduler.CHM 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\Installer\30d3.msi 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\it\InstallUtil.resources.dll 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel\e27ae693b6e71bb689ec66761a65901f\System.ServiceModel.ni.dll 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\diagnostics\system\Device\TS_DeviceDisabled.ps1 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\inf\rdpbus.inf 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\Speech\Engines\SR\ja-JP\am031041.am 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_en_31bf3856ad364e35\Microsoft.ManagementConsole.Resources.dll 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\diagnostics\system\Power\en-US\Power_Troubleshooter.psd1 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\Fonts\corbeli.ttf 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\Fonts\tahomabd.ttf 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Resources.Reader.dll 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\Help\mui\0407\authm.CHM 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\inf\ESENT\040C\esentprf.ini 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\inf\.NET Data Provider for Oracle\_DataOracleClientPerfCounters_shared12_neutral.h 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\PolicyDefinitions\it-IT\UserProfiles.adml 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification C:\Windows\Fonts\seguisym.ttf 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
pid process
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
description pid process
Token: SeShutdownPrivilege 2196 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
"C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe"
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/2196-54-0x0000000000A60000-0x0000000000C1E000-memory.dmp Filesize 1.7MB
-
memory/2196-55-0x0000000000A60000-0x0000000000C1E000-memory.dmp Filesize 1.7MB
-
memory/2196-56-0x0000000000A60000-0x0000000000C1E000-memory.dmp Filesize 1.7MB
-
memory/2196-58-0x0000000000A60000-0x0000000000C1E000-memory.dmp Filesize 1.7MB
-
memory/2196-59-0x0000000000A60000-0x0000000000C1E000-memory.dmp Filesize 1.7MB
-
memory/2196-60-0x0000000000A60000-0x0000000000C1E000-memory.dmp Filesize 1.7MB
-
memory/2196-61-0x0000000000A60000-0x0000000000C1E000-memory.dmp Filesize 1.7MB
-
memory/2196-62-0x0000000000A60000-0x0000000000C1E000-memory.dmp Filesize 1.7MB
-
memory/2196-63-0x0000000000A60000-0x0000000000C1E000-memory.dmp Filesize 1.7MB
-
memory/2196-64-0x0000000000A60000-0x0000000000C1E000-memory.dmp Filesize 1.7MB
-
memory/2196-65-0x0000000000A60000-0x0000000000C1E000-memory.dmp Filesize 1.7MB
-
memory/2196-66-0x0000000000A60000-0x0000000000C1E000-memory.dmp Filesize 1.7MB
-
memory/2196-68-0x0000000000A60000-0x0000000000C1E000-memory.dmp Filesize 1.7MB
-
memory/2196-69-0x0000000000A60000-0x0000000000C1E000-memory.dmp Filesize 1.7MB