Analysis
max time kernel: 97s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 31/10/2024, 13:52
Static task: static1
Behavioral task: behavioral1
  Sample: d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
  Resource: win10v2004-20241007-en
General
Target: d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
Size: 92KB
MD5: d106182df886d6340d51e8c210d1c820
SHA1: 7202edae2957b238d19fc1c1646f6a0542ea8b20
SHA256: d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51
SHA512: a4fb0d308cc5c2f053cded92cb9e853d0087483c0bd055284f5a819eec7371c19e8d2a7f170796439ccdd0c07c7329166ca62f7e41c9a36b1f8e2a83105eee36
SSDEEP: 768:4zW4wnebSdDlmkok6lRGXu+jKZAOWjpiRHVAGr4PzpyRAJ7IwnDoSds:41bC4Bk6lMTOWw4PkRAPo5
Malware Config
Signatures
Drops file in Drivers directory 39 IoCs
Manipulates Digital Signatures 2 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
File opened for modification: \??\c:\Windows\SysWOW64\wintrust.dll (process d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe)
File opened for modification: \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll (process d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe)
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
Drops startup file 1 IoCs
File opened for modification: \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (process d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe)
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) 64 IoCs
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
File opened for modification: \??\c:\Windows\winsxs\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_6.1.7600.16385_none_de06b4fbd5b45f78\autorun.inf (process d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe)
File opened for modification: \??\c:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf (process d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe)
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2700 d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe "C:\Users\Admin\AppData\Local\Temp\d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe" 1
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Drops startup file
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2700
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (2)
  - Credentials from Web Browsers (1)
  - Windows Credential Manager (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)