7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57c

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
Size

115KB
MD5

fdbd9187b91a666ab3e3ceff5358aa50
SHA1

c70ed34621145a82502582a33e569ff9f93dee63
SHA256

7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57c
SHA512

6ec979e7aa6be5b5c5a94a9a557814aa55b97ed4cea70253cb6111c98e278829d3462bee620104466d5fce87dbad6c7667370a347895bbe809f64efcd491a61d
SSDEEP

768:0MusTIlZLwRcC5caQRZfOWH0bhAUjkUXCDl++rNmxuEyb1UhT3zNsTTcjK/:A2mZLQcC5ZQHX0FXYPrN7EVskI

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Unexpected DNS network traffic destination 11 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	194.25.2.129
Destination IP	62.155.255.16
Destination IP	212.185.252.73
Destination IP	212.185.253.70
Destination IP	217.5.97.137
Destination IP	193.193.144.12
Destination IP	194.25.2.130
Destination IP	194.25.2.129
Destination IP	195.20.224.234
Destination IP	212.7.128.162
Destination IP	212.185.252.136

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICQ Net = "C:\\Windows\\winlogon.exe -stealth"	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\p:	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened (read-only)	\??\q:	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened (read-only)	\??\i:	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened (read-only)	\??\k:	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened (read-only)	\??\m:	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened (read-only)	\??\n:	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened (read-only)	\??\o:	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened (read-only)	\??\t:	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened (read-only)	\??\u:	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened (read-only)	\??\v:	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened (read-only)	\??\e:	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened (read-only)	\??\g:	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened (read-only)	\??\h:	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened (read-only)	\??\j:	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened (read-only)	\??\w:	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened (read-only)	\??\x:	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened (read-only)	\??\y:	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened (read-only)	\??\z:	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened (read-only)	\??\l:	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened (read-only)	\??\r:	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened (read-only)	\??\s:	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\ime\shared\res\Doom 3 Beta.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened for modification	\??\c:\windows\syswow64\ime\shared\Magix Video Deluxe 4.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened for modification	\??\c:\windows\syswow64\ime\shared\MS Service Pack 5.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened for modification	\??\c:\windows\syswow64\ime\shared\ACDSee 9.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\Full album.mp3.pif	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\RFC Basics Full Edition.doc.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\Smashing the stack.rtf.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\res\Clone DVD 5.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened for modification	\??\c:\windows\syswow64\ime\shared\Teen Porn 16.jpg.pif	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened for modification	\??\c:\windows\syswow64\ime\shared\Learn Programming.doc.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened for modification	\??\c:\windows\syswow64\ime\shared\Opera.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened for modification	\??\c:\windows\syswow64\ime\shared\res\Dictionary English - France.doc.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened for modification	\??\c:\windows\syswow64\ime\shared\res\RFC Basics Full Edition.doc.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\res\Opera.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened for modification	\??\c:\windows\syswow64\ime\shared\IE58.1 full setup.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened for modification	\??\c:\windows\syswow64\ime\shared\res\Adobe Premiere 9.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened for modification	\??\c:\windows\syswow64\ime\shared\res\Cracks & Warez Archive.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\Cracks & Warez Archive.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\res\Screensaver.scr	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\res\Ahead Nero 7.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\res\Magix Video Deluxe 4.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened for modification	\??\c:\windows\syswow64\ime\shared\res\Porno Screensaver.scr	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened for modification	\??\c:\windows\syswow64\ime\shared\res\Virii Sourcecode.scr	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\Microsoft Office 2003 Crack.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\WinAmp 12 full.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\DivX 7.0 final.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\res\3D Studio Max 3dsmax.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\res\DivX 7.0 final.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened for modification	\??\c:\windows\syswow64\ime\shared\DivX 7.0 final.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\res\Learn Programming.doc.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\res\Win Longhorn Beta.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\res\Keygen 4 all appz.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\res\The Sims 3 crack.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened for modification	\??\c:\windows\syswow64\ime\shared\res\ACDSee 9.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\Best Matrix Screensaver.scr	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\res\IE58.1 full setup.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened for modification	\??\c:\windows\syswow64\ime\shared\res\E-Book Archive.rtf.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\res\Gimp 1.5 Full with Key.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\res\Visual Studio Net Crack.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened for modification	\??\c:\windows\syswow64\ime\shared\Windows Sourcecode.doc.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened for modification	\??\c:\windows\syswow64\ime\shared\res\Ahead Nero 7.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened for modification	\??\c:\windows\syswow64\ime\shared\res\Smashing the stack.rtf.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\XXX hardcore pic.jpg.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\res\Adobe Photoshop 9 full.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\res\Virii Sourcecode.scr	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened for modification	\??\c:\windows\syswow64\ime\shared\Adobe Premiere 9.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened for modification	\??\c:\windows\syswow64\ime\shared\WinAmp 12 full.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\Serials.txt.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\res\Windows Sourcecode.doc.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened for modification	\??\c:\windows\syswow64\ime\shared\res\XXX hardcore pic.jpg.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened for modification	\??\c:\windows\syswow64\ime\shared\res\MS Service Pack 5.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\How to hack.doc.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\3D Studio Max 3dsmax.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\Partitionsmagic 9.0.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\res\Dark Angels.pif	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\res\Serials.txt.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\res\MS Service Pack 5.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened for modification	\??\c:\windows\syswow64\ime\shared\Doom 3 Beta.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened for modification	\??\c:\windows\syswow64\ime\shared\WinXP eBook.doc.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened for modification	\??\c:\windows\syswow64\ime\shared\res\Gimp 1.5 Full with Key.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\Adobe Photoshop 9 full.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\SysWOW64\ime\shared\MS Service Pack 5.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened for modification	\??\c:\windows\syswow64\ime\shared\Lightwave SE Update.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File opened for modification	\??\c:\windows\syswow64\ime\shared\res\Keygen 4 all appz.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	\??\c:\program files\common files\microsoft shared\ink\sl-si\Visual Studio Net Crack.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\translat\The Sims 3 crack.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\triedit\en-us\Windows Sourcecode.doc.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\office14\office setup controller\onenote.en-us\Best Matrix Screensaver.scr	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\office14\office setup controller\proofing.en-us\Teen Porn 16.jpg.pif	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\office14\office setup controller\publisher.en-us\3D Studio Max 3dsmax.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\textconv\es-es\Screensaver.scr	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\themes14\strtedge\Learn Programming.doc.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files\common files\microsoft shared\ink\fr-fr\Porno Screensaver.scr	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files\common files\microsoft shared\triedit\Microsoft WinXP Crack.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\triedit\fr-fr\Best Matrix Screensaver.scr	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\vsta\8.0\x86\Dictionary English - France.doc.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\themes14\quad\Partitionsmagic 9.0.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files\common files\microsoft shared\ink\el-gr\Adobe Photoshop 9 full.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files\dvd maker\shared\dvdstyles\push\1000 Sex and more.rtf.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\msenv\publicassemblies\Doom 3 Beta.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\msinfo\ja-jp\Adobe Premiere 9.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\themes14\cascade\Clone DVD 5.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\triedit\fr-fr\Visual Studio Net Crack.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files\common files\microsoft shared\ink\el-gr\1000 Sex and more.rtf.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files\common files\microsoft shared\ink\ko-kr\Windows Sourcecode.doc.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files\common files\microsoft shared\ink\sv-se\Dictionary English - France.doc.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files\common files\microsoft shared\vsto\10.0\1033\Star Office 8.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\themes14\journal\Windows Sourcecode.doc.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\help\2052\Windows Sourcecode.doc.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\textconv\ja-jp\Ulead Keygen.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\themes14\bluecalm\Microsoft WinXP Crack.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files\common files\microsoft shared\Star Office 8.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files\common files\microsoft shared\ink\uk-ua\MS Service Pack 5.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files\common files\microsoft shared\ink\zh-cn\E-Book Archive.rtf.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files\common files\microsoft shared\ink\zh-tw\1000 Sex and more.rtf.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files\common files\microsoft shared\msinfo\it-it\Norton Antivirus 2004.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\themes14\capsules\Cracks & Warez Archive.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\themes14\compass\Keygen 4 all appz.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\vba\vba6\How to hack.doc.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\themes14\sonora\Visual Studio Net Crack.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files\common files\microsoft shared\ink\fsdefinitions\Lightwave SE Update.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files\common files\microsoft shared\msinfo\it-it\Partitionsmagic 9.0.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files\common files\microsoft shared\stationery\Adobe Photoshop 9 full.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files\common files\microsoft shared\vgx\How to hack.doc.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\proof\3D Studio Max 3dsmax.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files\common files\microsoft shared\ink\zh-tw\3D Studio Max 3dsmax.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\office14\1000 Sex and more.rtf.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\themes14\strtedge\Dictionary English - France.doc.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\vsta\pipeline.v10.0\hostsideadapters\Partitionsmagic 9.0.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files\common files\microsoft shared\ink\fi-fi\Gimp 1.5 Full with Key.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\translat\enes\WinXP eBook.doc.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\vsta\Visual Studio Net Crack.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files\common files\microsoft shared\ink\zh-tw\Keygen 4 all appz.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files\dvd maker\shared\dvdstyles\huecycle\Magix Video Deluxe 4.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files\dvd maker\shared\dvdstyles\shatter\Screensaver.scr	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\themes14\compass\Ulead Keygen.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\vba\vba7\Screensaver.scr	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\themes14\level\WinAmp 12 full.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\triedit\fr-fr\Virii Sourcecode.scr	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files\common files\microsoft shared\ink\sk-sk\The Sims 3 crack.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files\common files\microsoft shared\msinfo\en-us\Smashing the stack.rtf.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\office14\office setup controller\proof.es\Doom 3 Beta.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\themes14\breeze\Gimp 1.5 Full with Key.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\translat\arfr\Best Matrix Screensaver.scr	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\triedit\Ulead Keygen.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files (x86)\windows media player\network sharing\Learn Programming.doc.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files\common files\microsoft shared\ink\fsdefinitions\keypad\Best Matrix Screensaver.scr	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\program files\common files\microsoft shared\ink\tr-tr\IE58.1 full setup.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-help-sharing.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_631f27f540ebcb53\Cracks & Warez Archive.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-help-sharing.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_631f27f540ebcb53\DivX 7.0 final.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\Visual Studio Net Crack.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\Visual Studio Net Crack.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\x86_netfx-csharpcompilermsg_b03f5f7f11d50a3a_6.1.7600.16385_none_455b78e8a7236294\IE58.1 full setup.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\assembly\nativeimages_v4.0.30319_64\microsoft.csharp\Microsoft WinXP Crack.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\Serials.txt.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\Keygen 4 all appz.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\1000 Sex and more.rtf.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\Virii Sourcecode.scr	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\assembly\gac_msil\microsoft.sharepoint.businessdata.administration.client.intl\Norton Antivirus 2004.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\Visual Studio Net Crack.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\Smashing the stack.rtf.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\E-Book Archive.rtf.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\Star Office 8.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-s..mpropertieshardware_31bf3856ad364e35_6.1.7600.16385_none_40d0db63344deff9\IE58.1 full setup.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\assembly\gac_32\microsoft.sharepoint.businessdata.administration.client\Magix Video Deluxe 4.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-help-sharing.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_631f27f540ebcb53\Partitionsmagic 9.0.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\Star Office 8.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\Microsoft Office 2003 Crack.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\Magix Video Deluxe 4.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\Best Matrix Screensaver.scr	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\Best Matrix Screensaver.scr	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\Adobe Premiere 9.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\Clone DVD 5.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\Partitionsmagic 9.0.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\Clone DVD 5.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\Win Longhorn Beta.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\Dark Angels.pif	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\Gimp 1.5 Full with Key.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\Adobe Premiere 9.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\Magix Video Deluxe 4.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\Gimp 1.5 Full with Key.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\amd64_netfx-csharp_compiler_cscomp_b03f5f7f11d50a3a_6.1.7601.17514_none_b61c47637a09ceac\MS Service Pack 5.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\Microsoft WinXP Crack.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\Opera.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\Dictionary English - France.doc.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\Norton Antivirus 2004.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\Clone DVD 5.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\assembly\gac_msil\microsoft.sharepoint.businessdata.administration.client.intl\Dark Angels.pif	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-help-sharing.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c09c55124df2c34c\3D Studio Max 3dsmax.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-help-sharing.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_631f27f540ebcb53\Gimp 1.5 Full with Key.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\Windows Sourcecode.doc.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\Microsoft WinXP Crack.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\Windows Sourcecode.doc.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\IE58.1 full setup.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\Opera.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\DivX 7.0 final.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\x86_netfx35linq-csharp_31bf3856ad364e35_6.1.7601.17514_none_193318f5726bf1d7\Visual Studio Net Crack.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\MS Service Pack 5.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\x86_netfx-csharp_compiler_cscomp_b03f5f7f11d50a3a_6.1.7601.17514_none_fdc97e3a8e85f7b2\Visual Studio Net Crack.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\Opera.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\x86_netfx35linq-csharp_31bf3856ad364e35_6.1.7601.17514_none_193318f5726bf1d7\MS Service Pack 5.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\XXX hardcore pic.jpg.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\Keygen 4 all appz.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\WinAmp 12 full.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\x86_netfx-csharp_compiler_csc_b03f5f7f11d50a3a_6.1.7600.16385_none_d2fff1dae966863c\Partitionsmagic 9.0.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\RFC Basics Full Edition.doc.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\Full album.mp3.pif	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\Lightwave SE Update.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\WinXP eBook.doc.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-s..mpropertieshardware_31bf3856ad364e35_6.1.7600.16385_none_40d0db63344deff9\Lightwave SE Update.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\Win Longhorn Beta.exe	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
File created	\??\c:\windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\Full album.mp3.pif	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe

C:\Users\Admin\AppData\Local\Temp\7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe
"C:\Users\Admin\AppData\Local\Temp\7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57cN.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\Adobe Photoshop 9 full.exe

Filesize
115KB

MD5
fdbd9187b91a666ab3e3ceff5358aa50

SHA1
c70ed34621145a82502582a33e569ff9f93dee63

SHA256
7469fdb9418086e86aec5b18a360fce050725e6003500304191a3048d77ef57c

SHA512
6ec979e7aa6be5b5c5a94a9a557814aa55b97ed4cea70253cb6111c98e278829d3462bee620104466d5fce87dbad6c7667370a347895bbe809f64efcd491a61d

Download Submit
memory/1904-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1904-10182-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads