Overview
overview
10Static
static
513f8bb1af7...be.exe
windows7-x64
1049b84085b7...c6.exe
windows7-x64
10639a86559b...3d.exe
windows7-x64
10Счет �...15.scr
windows7-x64
3Счет �...08.scr
windows7-x64
3inquiry.scr
windows7-x64
9c0cf40b883...3a.exe
windows7-x64
8e49778d20a...73.exe
windows7-x64
8ПРЕТЕ...Я.scr
windows7-x64
5карто...я.scr
windows7-x64
5Analysis
-
max time kernel
117s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
03-11-2024 20:50
Behavioral task
behavioral1
Sample
13f8bb1af7e80604416111a9e5508426df058e53eb2f096d110fd74f55f798be.exe
Resource
win7-20240903-en
windows7-x64
5 signatures
300 seconds
Behavioral task
behavioral2
Sample
49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
300 seconds
Behavioral task
behavioral3
Sample
639a86559b0a086fe388e4309ea22e49f79362c0983df1a5b09fa477db3c463d.exe
Resource
win7-20240729-en
windows7-x64
13 signatures
300 seconds
Behavioral task
behavioral4
Sample
Счет и накладная/Накладная для 1736 от 26.08.2015.scr
Resource
win7-20240903-en
windows7-x64
1 signatures
300 seconds
Behavioral task
behavioral5
Sample
Счет и накладная/Счет на оплату от 26-08.scr
Resource
win7-20240903-en
windows7-x64
1 signatures
300 seconds
Behavioral task
behavioral6
Sample
inquiry.scr
Resource
win7-20240903-en
windows7-x64
17 signatures
300 seconds
Behavioral task
behavioral7
Sample
c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
300 seconds
Behavioral task
behavioral8
Sample
e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573.exe
Resource
win7-20240708-en
windows7-x64
13 signatures
300 seconds
Behavioral task
behavioral9
Sample
ПРЕТЕНЗИЯ.scr
Resource
win7-20240903-en
windows7-x64
5 signatures
300 seconds
General
-
Target
c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe
-
Size
370KB
-
MD5
a890e2f924dea3cb3e46a95431ffae39
-
SHA1
35719ee58a5771156bc956bcf1b5c54ac3391593
-
SHA256
c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a
-
SHA512
664fb8075712912be30185d17d912dae148e778627e852affe1b1080bb9c8d5917e7b3c1d194e62ac6919c16235754f776523ba7ce95af38be86b61cc3e3d162
-
SSDEEP
6144:KRzMgpY8bXFHW1FbwwEHidUoagoW2C9cuqBGI4Zq6mYN8+G5l9PAzJdVeO2Ui:sDRbXFHW1+K2UWBGIymYG+i9A+ONi
Score
8/10
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe -
Deletes itself 1 IoCs
pid Process 768 cmd.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pr = "C:\\Program Files (x86)\\c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe" c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\it-IT\Licenses\OEM\StarterE\license.rtf c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_operators.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_objects.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\de-DE\Licenses\OEM\EnterpriseE\license.rtf c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj4500t.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_pipelines.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Parsing.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_do.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_join.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_If.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_split.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO2600T.XML c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpf2200t.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\es-ES\Licenses\OEM\EnterpriseE\license.rtf c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\it-IT\Licenses\eval\Starter\license.rtf c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\ja-JP\Licenses\OEM\ProfessionalE\license.rtf c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\ja-JP\Licenses\_Default\HomeBasic\license.rtf c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote_jobs.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Break.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\de-DE\Licenses\OEM\StarterN\license.rtf c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\de-DE\Licenses\OEM\UltimateE\license.rtf c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\ja-JP\Licenses\OEM\HomeBasic\license.rtf c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_pssession_details.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_data_sections.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\ja-JP\about_BITS_Cmdlets.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\de-DE\Licenses\_Default\EnterpriseN\license.rtf c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\en-US\Licenses\_Default\ProfessionalN\license.rtf c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomeBasicE\license.rtf c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Windows_PowerShell_2.0.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Break.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_operators.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\en-US\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll-Help.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\en-US\Licenses\OEM\Starter\license.rtf c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\fr-FR\Licenses\eval\StarterN\license.rtf c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_History.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_debuggers.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Path_Syntax.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_scopes.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_types.ps1xml.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_functions_advanced_parameters.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\wiaca00i.inf_amd64_neutral_de104aaa48ee4b00\CNC1731D.TBL c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\en-US\Licenses\_Default\EnterpriseN\license.rtf c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\es-ES\lipeula.rtf c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WCN\de-DE\Add_a_device_or_computer_to_a_network_usb.rtf c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_jobs.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_try_catch_finally.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\Microsoft.PowerShell.ConsoleHost.dll-Help.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\de-DE\Licenses\_Default\Ultimate\license.rtf c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Continue.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Variables.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnky305.inf_amd64_ja-jp_4d77cc4802b17ec3\Amd64\KYW7QUR3.XML c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smf6x5u.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\it-IT\Licenses\eval\ProfessionalN\license.rtf c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_jobs.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\de-DE\Licenses\eval\HomePremium\license.rtf c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPC3390F.XML c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\ja-JP\Licenses\eval\HomeBasicE\license.rtf c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_debuggers.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_do.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Switch.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\hpmcpcp6.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_escape_characters.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_While.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_format.ps1xml.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\desk.bmp" c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\gadget.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\7-Zip\Lang\si.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-compat.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\7-Zip\Lang\fy.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-common.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-coredump.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\7-Zip\Lang\ne.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-nodes.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-options.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\gadget.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-oql.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Windows Media Player\Media Renderer\DMR_48.jpg c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jre7\bin\server\Xusage.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jre7\README.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sampler.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-heapwalker.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\VideoLAN\VLC\AUTHORS.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\Tulip.jpg c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\7-Zip\Lang\lv.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\7-Zip\Lang\gl.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\7-Zip\Lang\ku.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\gadget.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw120.jpg c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\7-Zip\Lang\ps.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\gadget.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\gadget.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\7-Zip\Lang\ja.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\7-Zip\Lang\kk.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1dcca05a6b534349\license.rtf c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b4334efea73fef8e\Report.System.CPU.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_Windows_PowerShell_ISE.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a56cb41c8b19254a\erofflps.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..-calendar.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8018a00683b41fc3\gadget.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Peacock.jpg c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.1.7601.17514_none_1202940e4711971e\Rules.System.Finale.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_hash_tables.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_eff8b99e913299d2\license.rtf c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\ehome\es-ES\epgtos.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\PLA\Reports\it-IT\Report.System.Performance.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ba1cc5c862844f35\Rules.System.NetDiagFramework.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-l..-startern.resources_31bf3856ad364e35_6.1.7601.17514_de-de_50055b598607d040\license.rtf c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.1.7601.17514_none_698fc88e65b943d6\connectionmanager_dmr.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_script_blocks.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_logical_operators.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_escape_characters.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_pssessions.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-l..essionale.resources_31bf3856ad364e35_6.1.7601.17514_en-us_19fef411813ba5c2\license.rtf c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\PLA\Rules\es-ES\Rules.System.NetDiagFramework.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\PLA\Rules\it-IT\Rules.System.Finale.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\PLA\Rules\Rules.System.Disk.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_WS-Management_Cmdlets.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Psychedelic.jpg c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\Microsoft.PowerShell.Commands.Diagnostics.dll-Help.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-w..ar-wizard.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e3dcb0ba12aa17d7\Add_a_device_or_computer_to_a_network_usb.rtf c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_3f3df03949ee7f98\license.rtf c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_CommonParameters.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\amd64_prnca00c.inf_31bf3856ad364e35_6.1.7600.16385_none_ddc7f96bf68e339f\Amd64\CNBJ3150.TBL c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\amd64_prnhp005.inf_31bf3856ad364e35_6.1.7600.16385_none_30e9a6119eda44e5\Amd64\hpf4400t.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_Redirection.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_Return.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_job_details.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_WMI_Cmdlets.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_eadf6b9fa9957fcd\license.rtf c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-w..ar-wizard.resources_31bf3856ad364e35_6.1.7600.16385_de-de_3aebdac123cc0c12\Add_a_device_or_computer_to_a_network_usb.rtf c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\servicing\Editions\HomeBasicEdition.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-l..t-starter.resources_31bf3856ad364e35_6.1.7601.17514_de-de_65636ae46df69f6c\license.rtf c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_WS-Management_Cmdlets.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_join.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\wow64_microsoft.backgroun..nt.module.resources_31bf3856ad364e35_6.1.7600.16385_en-us_eb3c5b6953d3caeb\Microsoft.BackgroundIntelligentTransfer.Management.dll-Help.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_escape_characters.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_History.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_CommonParameters.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-w..svc-extra.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_fdbed0629f061767\Report.System.Wireless.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_Reserved_Words.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-e..eady_eula.resources_31bf3856ad364e35_6.1.7600.16385_en-us_95d36ad13a0d3d1e\playready_eula.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_Parsing.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_prompts.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_job_details.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_es-es_117bd8ffb46dd92c\Rules.System.Common.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_Parsing.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_Reserved_Words.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\amd64_prnca00i.inf_31bf3856ad364e35_6.1.7600.16385_none_e0fe66aa8d439e15\Amd64\CNBJ3410.TBL c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\ehome\CreateDisc\Styles\NTSC\Symphony\Symphony\Symphony.psd c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\amd64_prnhp002.inf_31bf3856ad364e35_6.1.7600.16385_none_2f4e6f72537f8faa\Amd64\hpmcpcp6.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_properties.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\Microsoft.PowerShell.Security.dll-Help.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_Quoting_Rules.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_Parsing.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_pssessions.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b4334efea73fef8e\Report.System.Configuration.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4080c452718ce6e7\Rules.System.Configuration.xml c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_escape_characters.help.txt c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com -
Modifies Control Panel 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\ c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\TileWallpaper = "0" c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2344 c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe 2344 c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2344 wrote to memory of 768 2344 c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe 33 PID 2344 wrote to memory of 768 2344 c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe 33 PID 2344 wrote to memory of 768 2344 c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe 33 PID 2344 wrote to memory of 768 2344 c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe 33 PID 768 wrote to memory of 1884 768 cmd.exe 35 PID 768 wrote to memory of 1884 768 cmd.exe 35 PID 768 wrote to memory of 1884 768 cmd.exe 35 PID 768 wrote to memory of 1884 768 cmd.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe"C:\Users\Admin\AppData\Local\Temp\c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe"1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\YCXBF.bat" "2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\chcp.comchcp 12513⤵
- System Location Discovery: System Language Discovery
PID:1884
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
309B
MD5c6973a52b7dd549a68cafbb66101bf8e
SHA13ce4ca3d03d759f2aa1af5f05438e69262711148
SHA25689574c6e2631ff3798ad11b94e78a6f60819a68259f853903595ed68fc5018d7
SHA5124943d044338a6a635e7d1eef2add5b40a3869d0b960e0e940b937194b4ecb10d5273122c6dcc98bbfb6c5ae9af089bc806632979c4425062bed40afff8cc3473