agenda | efb2e91cc711557415c3c4650a314c01e46d0ddc62808032edc9fe4961ad06fa

General

Target

9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
Size

1.7MB
MD5

a72345f5a627a2c8222f71347a44b013
SHA1

595bf5761ec6eee55fb291cb465736bbbb4bfcf8
SHA256

9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800
SHA512

5081c69929c6bd43277f416e942c7d8bb57a45c26089ade5a985ed9ae6a376128ed7dc9cba2618cf918941f7b919db73f1f48cf0c6d30b707927c4a77fbb3482
SSDEEP

24576:SV2LT3INDJRQDj4uFgjR9XKaNIAOgoXeQ7vIKiKyn9cr2Uy9TnFXlDi9uIIg:fLT4NDG4uGlF6AubJyKr2UBuIIg

Score

10^/10

agenda ransomware spyware stealer

Malware Config

Extracted

Family

agenda

Attributes

company_id
feGDg5BHWw
note
-- Qilin Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreement, your data will be published. Data includes: - Employees personal data, CVs, DL , SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials-- Credentials Extension: feGDg5BHWw Domain: e3v6tjarcltwc4hdkn6fxnpkzq42ul7swf5cfqw6jzvic4577vxsxhid.onion login: _RgxgvCfv_3rQI5oinfr9gj5JS6_AGP7 password:

rsa_privkey.plain

Signatures

Agenda Ransomware
A ransomware with multiple variants written in Golang and Rust first seen in August 2022.
ransomware agenda

Drops file in Drivers directory 21 IoCs

Processes:

9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\afunix.sys	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ApproveEnable.tiff	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

Drops startup file 1 IoCs

Processes:

9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

Loads dropped DLL 2 IoCs

Processes:

OfficeClickToRun.exe

pid process

1260 OfficeClickToRun.exe
1260 OfficeClickToRun.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1260	OfficeClickToRun.exe
1260	OfficeClickToRun.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.423_none_7c917c97525f1487\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-programfiles_31bf3856ad364e35_10.0.19041.1_none_cb8c8caad1a2ad44\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.1_none_5476a60692fad199\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commondesktop_31bf3856ad364e35_10.0.19041.1_none_a81a33274fb1b624\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\Web\Wallpaper\Theme1\Desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-maintenance_31bf3856ad364e35_10.0.19041.1_none_148b41803c849a3c\Desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_10.0.19041.1_none_a208296858c76413\Desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonpictures_31bf3856ad364e35_10.0.19041.1_none_36436b821c9e7209\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonprograms_31bf3856ad364e35_10.0.19041.1_none_047fa97bc9873117\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\Web\Wallpaper\Theme2\Desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commonstartmenu_31bf3856ad364e35_10.0.19041.1_none_f6eee8789c1c6fdd\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_10.0.19041.1_none_905c6a851ca62951\Desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_10.0.19041.1_none_d69cbb4282e4fe2c\Desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.0.19041.1_none_4b0e6b545bf0f4e7\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_10.0.19041.1_none_19358785a81a86d6\Desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

description ioc process

File opened (read-only) \??\F: 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

description	ioc	process
File opened (read-only)	\??\F:	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

description	ioc	process
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

Drops file in System32 directory 64 IoCs

Processes:

9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ja-JP\wmiprop.dll.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-ProfessionalEdition~31bf3856ad364e35~amd64~~10.0.19041.1288.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Host-Devices-EmulatedChipset-merged-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0110~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_c62e9f8067f98247\Amd64\P6DISP.GPD	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Host-Containers-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\urschipidea.inf_loc	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\c_camera.inf_loc	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Storage-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\MultiPoint-Connector-Opt-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\icsunattend.exe	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\winver.exe.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\wbem\es-ES\ServDeps.dll.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\wbem\fr-FR\netnccim_uninstall.mfl	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-FCI-Client-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_ar6320_3p0_NFA364xp.bin	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ntprint4.inf_amd64_0958c7cad3cd6075\Amd64\MSxpsPCL6.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\windows.internal.shellcommon.TokenBrokerModal.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Virtualization-RemoteFX-User-Mode-Transport-WOW64-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\authfwgp.dll.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netl160a.inf_amd64_e4cbe375963a69e9\netl160a.inf	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-UX-UI-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\rdpbus.inf_loc	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\1394.inf_loc	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\KBDTIFI.DLL	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Embedded-AssignedAccessCsp-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\SearchProtocolHost.exe	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\Windows.Devices.WiFiDirect.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SMB1Deprecation-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmpace.inf_amd64_5e0fbd01da4f7c7b\mdmpace.inf	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\F12\ja-JP\F12Platform2.dll.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\mfc110chs.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnport.vbs	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\sort.exe	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\wbem\es-ES\xml.xsl	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\biwinrt.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\dot3gpui.dll.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netnvm64.inf_amd64_35bbbe80dec15683\netnvm64.inf	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\net1yx64.inf_loc	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\fi-FI\cdosys.dll.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SimpleTCP-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\machine.inf_loc	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\iprtrmgr.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataAdapter.ps1	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Storage-VirtualDevice-PMEM-Package~31bf3856ad364e35~amd64~~10.0.19041.1110.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\ksfilter.inf_loc	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\sisraid4.inf_loc	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\iscsidsc.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\stdole2.tlb	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\Dism\it-IT\VhdProvider.dll.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\DMRCDecoder.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\c_sensor.inf_loc	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\TetheringService.dll.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\wbem\fr-FR\storagewmi_passthru_uninstall.mfl	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\MSFT_DtcNetworkSettingTask_v1.0.cdxml	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Editions-Professional-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\downlevel\api-ms-win-security-base-l1-1-0.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\nett4x64.inf_loc	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\c_fsundelete.inf_amd64_741f159cc6ce7814\c_fsundelete.inf	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WMPNetworkSharingService-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI\Diagtrack-Listener.etl.004	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-OneDrive-Setup-WOW64-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

Drops file in Program Files directory 64 IoCs

Processes:

9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-200_contrast-black.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_targetsize-32.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\Fonts\StorMDL2.ttf	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\.lastModified	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\7.jpg	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-150_contrast-black.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-400_contrast-black.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\masterix.gif	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core.jar	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-48.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-150.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-200_contrast-white.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.RSA	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100_contrast-high.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\af_get.svg	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\3px.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageWideTile.scale-150.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-24_altform-unplated.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-16_altform-unplated_contrast-white.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\WideTile.scale-100.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\id_get.svg	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jdwp.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART3.BDR	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_contrast-white.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-80_altform-unplated.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\ui-strings.js	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InkDiv.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16_altform-unplated_contrast-white.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.bundle.map	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare.scale-100.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\offsymxl.ttf	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GameBar_SplashScreen.scale-125.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_EyeLookingUp.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_mmx_plugin.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Resources\DefaultResourceDictionary.xaml	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-64_contrast-white.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\ui-strings.js	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\ui-strings.js	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-pl.xrm-ms	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-200.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\adobe_sign_tag.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-100_contrast-white.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Dark.scale-250.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.scale-100.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\SmallTile.scale-100.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_zh_4.4.0.v20140623020002.jar	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_autodel_plugin.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\sq.pak	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\msvcp140_2_app.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSmallTile.scale-125.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\en-gb\ui-strings.js	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mraut.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationBuildTasks.resources.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ul-oob.xrm-ms	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_scale-100.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

Drops file in Windows directory 64 IoCs

Processes:

9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\NlsData0011.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-EditionPack-Professional-WOW64-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_cht4sx64.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_b842c4caa709c970\cht4sx64.inf_loc	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-inputprocessors_31bf3856ad364e35_10.0.19041.746_none_783ec1d1dc7110ea\r\MtfDecoder.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..gssystems.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_40c2e17b359e3072\pegi-pt.rs.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\monaco-editor\min\vs\loader.js	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-containers-ccg_31bf3856ad364e35_10.0.19041.844_none_3a7392af5414371e\r\CCG.exe	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\INF\ServiceModelService 3.0.0.0\0000\_ServiceModelServicePerfCounters_D.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-devicepropertymanager_31bf3856ad364e35_10.0.19041.1_none_72d9172d5ef89c93\DevPropMgr.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-f..temcompareutilities_31bf3856ad364e35_10.0.19041.1_none_b6b7b206d4b9d895\fc.exe	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-g..ion-winrt.resources_31bf3856ad364e35_10.0.19041.1_es-es_393729fea530ed2c\Geolocation.dll.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\Msix.PackagingTool.Driver~~1.0.mum	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-DeviceGuard-GPEXT-Package~31bf3856ad364e35~amd64~~10.0.19041.1.mum	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_mdmirmdm.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_f35f24d895a538f3\mdmirmdm.inf_loc	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..ional-codepage-core_31bf3856ad364e35_10.0.19041.1_none_ecc5d2879c840ab0\C_28593.NLS	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-o..tend-apis.resources_31bf3856ad364e35_10.0.19041.1_de-de_ace462250daf2aaa\OfflineFilesWmiProvider_Uninstall.mfl	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\INF\athw8x.inf	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\PolicyDefinitions\it-IT\Reliability.adml	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-msmq-dcomproxy-Opt-Package~31bf3856ad364e35~amd64~~10.0.19041.1.mum	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-e..-management-onecore_31bf3856ad364e35_10.0.19041.844_none_97ef5f6f3319407d\f\EnterpriseAppMgmtSvc.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-mapcontrol_31bf3856ad364e35_10.0.19041.1202_none_881548dfbfc9556a\moshost.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..in.assets.searchapp_31bf3856ad364e35_10.0.19041.1_none_501fda1ac26a3cf4\Splashscreen.scale-80.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pefb7a36b#\35e71ddd80b7908e1a8311173ffd6ff1\Microsoft.PowerShell.Workflow.ServiceCore.ni.dll.aux	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-UX-UI-62-merged-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.mum	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..snapindll.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_54a14e6536c93ad6\certmgr.dll.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-credwiz.resources_31bf3856ad364e35_10.0.19041.1_it-it_52a08bbc2d12c4bd\credwiz.exe.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-font-truetype-inkfree_31bf3856ad364e35_10.0.19041.1081_none_87beae98bb645f2f\f\Inkfree.ttf	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..cementmanifests-com_31bf3856ad364e35_10.0.19041.1_none_6de2419ac25e4592\Microsoft.Windows.COM.DTC.Setup-Replacement.man	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_displayoverride.inf_31bf3856ad364e35_10.0.19041.1_none_323aab02875f9703\displayoverride.inf	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_megasr.inf_31bf3856ad364e35_10.0.19041.1_none_f8e752cd83d0ece6\megasr.sys	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\1031\admin.chm	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\PolicyDefinitions\it-IT\W32Time.adml	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\servicing\Sessions\31042989_955721364.xml	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobelocalaccount-page.js	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..stencemigration-net_31bf3856ad364e35_10.0.19041.1_none_61a1cf633b14d3fb\NetworkConnectivityStatus.psd1	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-inetres-adm.resources_31bf3856ad364e35_11.0.19041.1_ja-jp_8850b30f44f96c52\InetRes.adml	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..owershell.resources_31bf3856ad364e35_10.0.19041.1_it-it_0314a2ee86868645\Microsoft.Msmq.Powershell.Commands.Resources.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Services.Resources\2.0.0.0_ja_b03f5f7f11d50a3a\System.Web.Services.Resources.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-Hypervisor-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.mum	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_usbvideo.inf_31bf3856ad364e35_10.0.19041.1202_none_27bd1529e8f0be36\r\SecureUSBVideo.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-eapteap_31bf3856ad364e35_10.0.19041.1081_none_969160880ebb6db2\EapTeapAuth.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-f...appxmain.resources_31bf3856ad364e35_10.0.19041.1_es-es_04e1d3ef9ccc345c\resources.es-ES.pri	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe.config	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..l-keyboard-0001045a_31bf3856ad364e35_10.0.19041.1_none_559a5c8fe877b6b3\KBDSYR2.DLL	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..ityuxhost.resources_31bf3856ad364e35_10.0.19041.1_it-it_01ac3dde909aa629\ProximityUxHost.exe.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\Language.TextToSpeech~zh-hk~1.0.mum	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_machine.inf_31bf3856ad364e35_10.0.19041.1202_none_8111a792f090a2a2\f\machine.inf	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_hyperv-worker-events_31bf3856ad364e35_10.0.19041.1_none_d605c8ca8c7160ff\vmwpevents.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_machine.inf.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_29ce672f4aa92c51\machine.inf_loc	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-lxss-manager_31bf3856ad364e35_10.0.19041.1202_none_f31e7d867ff69c65\f\LxssManager.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..r-library.resources_31bf3856ad364e35_10.0.19041.1_de-de_3d37d97b57b0df97\wpnprv.dll.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\es\SqlWorkflowInstanceStoreLogic.sql	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_iastorav.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_a08116a658dd8d53\iastorav.inf_loc	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-a..on-authui-component_31bf3856ad364e35_10.0.19041.1_none_92c85869af354084\authui.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-mfplat.resources_31bf3856ad364e35_10.0.19041.1_es-es_ba98ab56d5cc48bb\mfplat.dll.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\INF\net7400-x64-n650.inf	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.OracleClient.resources\v4.0_4.0.0.0_es_b77a5c561934e089\System.Data.OracleClient.resources.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\wlansvc.adml	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-accountscontrol-api_31bf3856ad364e35_10.0.19041.264_none_5042c4d9e97545f8\r\Windows.AccountsControl.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-choice.resources_31bf3856ad364e35_10.0.19041.1_de-de_7e143e46b9f0aeac\choice.exe.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ment-policytools-ex_31bf3856ad364e35_10.0.19041.1_none_0f506321e073254e\Security Configuration Management.lnk	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\Boot\EFI\kd_02_14e4.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 21 IoCs

Processes:

OfficeClickToRun.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

pid	process
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1992	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OfficeClickToRun.exe

pid process

1260 OfficeClickToRun.exe

pid	process
1260	OfficeClickToRun.exe

C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
"C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1992

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1260

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4988

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll
Filesize
230KB

MD5
2fc4d42f568c9fee6e069f7ea46d5cc0

SHA1
318429f05909b5d4097c2840d64029bc76d08d0f

SHA256
f0d4d5993e3e236c288ab8534583da7a624b340c0f6160f61ff4e2df4a82d390

SHA512
8e419505b40f55486aaa25ddca9e19c575986ffcd606168dca0ffda25e3affc5e5104185647f5cc277c5f647a6358f0fd35f53ca20bcc208728659eaf43daee9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll
Filesize
486KB

MD5
c9dab12378f3f914ed34c23494ce74c0

SHA1
69c14443b2ebb2f1e726243288aab1d12b97db37

SHA256
18c514f88f60310f3cf25cda77924a01e0a36d14a0e9762756648c2c648ce705

SHA512
150fc79994d2af3fa38d61d875220c1baa3c24364423ee670718bd149be1129c52b30296bba44394eac8cbc587c065f04aa527522ef5c605f7221439fb7c7ca9

Download Submit
memory/1992-135-0x0000000000B00000-0x0000000000CBE000-memory.dmp

Filesize
1.7MB

Download
memory/1992-136-0x0000000000B00000-0x0000000000CBE000-memory.dmp

Filesize
1.7MB

Download
memory/1992-137-0x0000000000B00000-0x0000000000CBE000-memory.dmp

Filesize
1.7MB

Download
memory/1992-138-0x0000000000B00000-0x0000000000CBE000-memory.dmp

Filesize
1.7MB

Download
memory/1992-139-0x0000000000B00000-0x0000000000CBE000-memory.dmp

Filesize
1.7MB

Download
memory/1992-141-0x0000000000B00000-0x0000000000CBE000-memory.dmp

Filesize
1.7MB

Download
memory/1992-142-0x0000000000B00000-0x0000000000CBE000-memory.dmp

Filesize
1.7MB

Download
memory/1992-143-0x0000000000B00000-0x0000000000CBE000-memory.dmp

Filesize
1.7MB

Download
memory/1992-144-0x0000000000B00000-0x0000000000CBE000-memory.dmp

Filesize
1.7MB

Download
memory/1992-145-0x0000000000B00000-0x0000000000CBE000-memory.dmp

Filesize
1.7MB

Download
memory/1992-146-0x0000000000B00000-0x0000000000CBE000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads