Resubmissions
- 25/06/2024, 14:16  240625-rk7rzaxfnl  8
- 25/06/2024, 14:12  240625-rh4yasvbkd  4
- 25/06/2024, 14:09  240625-rf6dcavajh  3
- 25/06/2024, 14:05  240625-rdz4jsxcjq  3

Analysis
- max time kernel: 615s
- max time network: 616s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 25/06/2024, 14:16
Static task
- static1

Behavioral task
- behavioral1
  Sample: Eclipse IDE for Java Developers - 2021-12.lnk
  Resource: win7-20240508-en

Behavioral task
- behavioral2
  Sample: Eclipse IDE for Java Developers - 2021-12.lnk
  Resource: win10v2004-20240508-en
General
- Target: Eclipse IDE for Java Developers - 2021-12.lnk
- Size: 983B
- MD5: ec646032b10ae10d5563116c3df8a05b
- SHA1: 1cb70a9ea2722560a2d3584be4a1a5b1c7afee1e
- SHA256: 609ea91e7738bfb4d80edbb7deeb77ba075ce7bd153aeade7939e917ac20500c
- SHA512: 07d7cfc50c2176c733485564338485e286be18d7c4d5ffd6158322196928d7c0bf4fea35d97dbe56f28712a5835a445e531fa9b6ad8d55c7cb07ac2dea35bae9
Malware Config
Signatures
- Drops file in Drivers directory (64 IoCs)
- Manipulates Digital Signatures (2 IoCs)
  Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
  IoCs:
  - File opened for modification C:\Windows\System32\wintrust.dll (process: cmd.exe)
  - File opened for modification C:\Windows\SysWOW64\wintrust.dll (process: cmd.exe)
- Boot or Logon Autostart Execution: Print Processors (1 TTPs, 1 IoCs)
  Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
  IoCs:
  - File opened for modification C:\Windows\System32\spool\prtprocs\x64\winprint.dll (process: cmd.exe)
- Deletes itself (1 IoCs)
  IoCs:
  - PID 2660, process: cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (51 IoCs)
- Drops autorun.inf file (1 TTPs, 2 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  IoCs:
  - File opened for modification C:\Windows\BITLOC~1\autorun.inf (process: cmd.exe)
  - File opened for modification C:\Windows\BITLOC~1\autorun.inf (process: cmd.exe)
- Drops file in System32 directory (64 IoCs)
- Modifies termsrv.dll (1 TTPs, 1 IoCs)
  Commonly used to allow simultaneous RDP sessions.
  IoCs:
  - File opened for modification C:\Windows\System32\termsrv.dll (process: cmd.exe)
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (64 IoCs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  IoCs:
  - Token: 33 (PID 760, AUDIODG.EXE)
  - Token: SeIncBasePriorityPrivilege (PID 760, AUDIODG.EXE)
  - Token: 33 (PID 760, AUDIODG.EXE)
  - Token: SeIncBasePriorityPrivilege (PID 760, AUDIODG.EXE)
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Eclipse IDE for Java Developers - 2021-12.lnk"
  PID: 1224
- C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe"
  Signatures:
  - Drops file in Drivers directory
  - Manipulates Digital Signatures
  - Boot or Logon Autostart Execution: Print Processors
  - Deletes itself
  - Drops desktop.ini file(s)
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Modifies termsrv.dll
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID: 2660
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x518
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
  PID: 760
- C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe"
  Signatures:
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 764