d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382

General

Target

d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382
Sample

200206-yr9smta93e
SHA256

d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382

Score

8^/10

persistence spreading trojan evasion

Malware Config

Signatures

Drops file in Drivers directory 9 IoCs

Processes:

d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

Runs net.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops file in System32 directory 11233 IoCs

Processes:

d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\en-US\prnle004.inf_loc	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmgl008.inf_amd64_neutral_d225e15af1a594cd\mdmgl008.inf	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00x.inf_amd64_neutral_eb0842aa932d01ee\Amd64\CNBP1.DAT	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO3X00T.GPD	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\ipconfig.exe	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\mmcbase.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MobilePC-Client-SideShow-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hpc309at.exp	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\en-US\webio.dll.mui	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-CodecPack-Basic-Encoder-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky004.inf_amd64_neutral_5db759db19acd3ae\Amd64\KYUD5100.GDL	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc005.inf_amd64_neutral_31e08a1c2f933124\Amd64\RIA7000.GPD	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\NlsData0021.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00z.inf_amd64_neutral_27f402ce616c3ebc\Amd64\CNBDUP44.GPD	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\en-US\iphlpapi.dll.mui	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\en-US\sqlsrv32.rll.mui	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\LogFiles\Scm\fa2bc0a6-8d4b-458a-85c8-2b8c72487513	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\ieuinit.inf	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\divacx64.inf_amd64_neutral_fa0f82f024789743\dspcli.bin	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnok002.inf_amd64_neutral_616c1e9b7df7d5a9\Amd64\OK4350U5.PPD	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wpdfs.inf_amd64_neutral_fc4ebadff3a40ae4\wpdfs.PNF	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\WirelessNetworking-DL.man	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\wbem\p2p-mesh.mof	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Disk-Diagnosis-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmrock3.inf_amd64_neutral_9fdc5d710dd63e80\mdmrock3.inf	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\BRCI08A.GPD	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\en-US\powrprof.dll.mui	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\en-US\netbtugc.exe.mui	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\wbem\portabledeviceclassextension.mof	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\wbem\en-US\cli.mfl	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Base-WinIP-Package~31bf3856ad364e35~amd64~ko-KR~7.1.7601.16492.cat	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\ativcaxx.vp	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\avc.inf_amd64_neutral_3ef33c750e6308ce\avcstrm.sys	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\bthmtpenum.inf_amd64_neutral_c70e85b87ee4ece9\BthMtpEnum.sys	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\adtschema.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Help-CoreClientUASE-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnge001.inf_amd64_neutral_cfffa4143b3c4592\Amd64\GENIBM9W.GPD	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd7400t.gpd	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnin004.inf_amd64_neutral_c8902ae660ab1360\Amd64\IF1403E3.PPD	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\wbem\fdSSDP.mof	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\dvdupgrd.exe	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\brmfcmdm.inf_amd64_neutral_af49d2f3ffa12116\brmfcmdm.PNF	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00c.inf_amd64_neutral_510c36849918ce92\Amd64\CNBJ3150.TBL	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00c.inf_amd64_neutral_510c36849918ce92\Amd64\CNBP_323.DLL	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\en-US\wiadss.dll.mui	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\efsui.exe	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\msports.inf_amd64_neutral_fdcfb86ce78678d1\parport.sys	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngt003.inf_amd64_neutral_8c9aae54a5673a35\Amd64\GS55006.GPD	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnin004.inf_amd64_neutral_c8902ae660ab1360\Amd64\IF1401E3.PPD	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00b.inf_amd64_neutral_2e6b718b2b177506\Amd64\EP0NCA8G.CMB	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngt004.inf_amd64_neutral_f5bf8a7ba9dfff55\Amd64\GS1301E3.PPD	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj4680t.exp	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\wbem\tsmf.mof	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\KBDHE319.DLL	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\netiohlp.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\NlsData004b.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Help-CoreClientUAPS-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\KBDSYR1.DLL	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\SysWOW64\mfAACEnc.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netr7364.inf_amd64_neutral_68988e550e69a417\netr7364.inf	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpah470t.xml	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa620t.exp	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc00c.inf_amd64_neutral_53a58f4fd7d88575\prnrc00c.PNF	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

pid process

1416 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

pid	process
1416	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

Drops file in Windows directory 54170 IoCs

Processes:

d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\amd64_prnep00d.inf_31bf3856ad364e35_6.1.7600.16385_none_ae3f8d47fad9c2a7\Amd64\EP0NOJ8F.DXT	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\FileMaps\program_files_x86_common_files_microsoft_shared_msinfo_4536eb45a5f97101.cdf-ms	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-fsutil_31bf3856ad364e35_6.1.7600.16385_none_28590620099da2d8.manifest	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..cesframework-msctfp_31bf3856ad364e35_6.1.7600.16385_none_26d2511408a24b3e\msctfp.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\inf\prnrc006.PNF	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_el-gr_01a8d0429953198b.manifest	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-t..ices-rdpsounddriver_31bf3856ad364e35_6.1.7601.17514_none_3cd0b72a58472307\rdpendp.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package-MiniLP~31bf3856ad364e35~amd64~ko-KR~7.1.7601.16492.cat	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_wizard_res_b03f5f7f11d50a3a_6.1.7600.16385_none_325c9d528a9569f1\wizard.aspx.resx	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\amd64_prnky004.inf_31bf3856ad364e35_6.1.7600.16385_none_3dd58b93065f62f8\Amd64\KYFS1030.GPD	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-v..r-windows.resources_31bf3856ad364e35_6.1.7600.16385_en-us_193645c15614e3dd\mciavi32.dll.mui	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\ehome\MediaRenderer\MediaCenter.DigitalMediaRenderer.ConnectionManager.xml	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-photominfeature_31bf3856ad364e35_6.1.7600.16385_none_1bb49460b86b3cf5\PhotoMinFeature-ppdlic.xrm-ms	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\amd64_prnca00d.inf_31bf3856ad364e35_6.1.7600.16385_none_de510ba10fac7008\Amd64\CNB_0289.DLL	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-s..lient-scheduled-adm_31bf3856ad364e35_6.1.7600.16385_none_67efddec4340e49d.manifest	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-font-truetype-laoui_31bf3856ad364e35_6.1.7600.16385_none_d02cc17733960c0e.manifest	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\Manifests\wow64_microsoft-windows-i..nagedcodeassemblies_31bf3856ad364e35_6.1.7601.17514_none_d795ee2723afc5cc.manifest	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\SMDiagnostics\3.0.0.0__b77a5c561934e089\SMdiagnostics.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-f..ruetype-trebuchetms_31bf3856ad364e35_6.1.7600.16385_none_d9b57888a1592ef4\trebucit.ttf	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\amd64_prnbr002.inf_31bf3856ad364e35_6.1.7600.16385_none_49c93aa2c4304e9e\Amd64\BRD331C.GPD	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_adpahci.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_88af6947356320a2.manifest	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Web.Entity.D#\86fd874752b7cca432941e9f482c3590\System.Web.Entity.Design.ni.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-t..alservices-lsmproxy_31bf3856ad364e35_6.1.7601.17514_none_69b23aa9e1fce5a2.manifest	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\Manifests\wow64_microsoft-windows-i..agegroup-vietnamese_31bf3856ad364e35_6.1.7600.16385_none_e08c498c812640a4.manifest	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\amd64_prnbr004.inf_31bf3856ad364e35_6.1.7600.16385_none_4adb5f0cf66cc770\Amd64\BRMF649W.GPD	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_prnrc007.inf-languagepack_31bf3856ad364e35_6.1.7600.16385_en-us_e89267a95f4d4d65.manifest	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_wpf-globaluserinterfacecf_31bf3856ad364e35_6.1.7600.16385_none_09f32bc9cd996ba2.manifest	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\inf\prnca00c.inf	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package~31bf3856ad364e35~amd64~ar-SA~7.1.7601.16492.cat	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Base-WinIP-Package~31bf3856ad364e35~amd64~hr-HR~7.1.7601.16492.mum	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\amd64_machine.inf_31bf3856ad364e35_6.1.7601.17514_none_1838f2aad55063bb\machine.inf	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\amd64_prnky008.inf_31bf3856ad364e35_6.1.7600.16385_none_3ff9d4676ad8549c\Amd64\KYTS300c.PPD	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualC\4bfa36696bef033cf7e33b1a092c8a0f\Microsoft.VisualC.ni.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-v..ure-filter-tvanalog_31bf3856ad364e35_6.1.7601.17514_none_c166a52b4e10314f\WSTPager.ax	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-u..odepowerservice-mof_31bf3856ad364e35_6.1.7600.16385_none_a1e4a4cdcf83cad8.manifest	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Providers\App_LocalResources\manageProviders.aspx.resx	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..eplacementmanifests_31bf3856ad364e35_6.1.7601.17514_none_5a1a617d021715d4\nfs-servercore-repl.man	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\FileMaps\$$_system32_tr-tr_5f1dd1e45a1af0a7.cdf-ms	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_netfx-sbs_sys_enterprisesvc_dll_31bf3856ad364e35_6.1.7600.16385_none_60ffafae87253a03.manifest	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-r..oyment-languagepack_31bf3856ad364e35_6.1.7600.16385_en-us_b7dc3d9314539d96.manifest	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-SampleContent-Ringtones-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\amd64_cxraptor_philipstuv1236d_ibv64.inf_31bf3856ad364e35_6.1.7600.16385_none_a8ba31d06eb5b68e\cxraphd_IBV64.sys	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\amd64_ricoh.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_22db18d94c8196e9\RW430Ext.dll.mui	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\Catalogs\2042ee169431a6610136a72008545435f4ba01a602f9e652a3f04b319c822bce.cat	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7600.16385_none_0935b76c289e0fd5\wbemprox.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..iagnostic.resources_31bf3856ad364e35_6.1.7601.17514_en-us_e086c887cd65eb8f\CL_LocalizationData.psd1	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..-truetype-aparajita_31bf3856ad364e35_6.1.7601.17514_none_d123c185ad71f4d5_aparaj.ttf_789944a5	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-wmi-core-wbemcore-dll_31bf3856ad364e35_7.2.7601.16406_none_f991e73f17193a9b.manifest	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-c..ityclient.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6495ad0e01284ea4\certcli.dll.mui	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\system_settings.png	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-ehome-msdri_31bf3856ad364e35_6.1.7601.17514_none_c42ec687fee190a5.manifest	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-i..gbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_08c87ef420bd35f0.manifest	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\x86_wwf-system.workflow.runtime_31bf3856ad364e35_6.1.7601.17514_none_67224784fe4912e9\System.Workflow.Runtime.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_netk57a.inf_31bf3856ad364e35_6.1.7600.16385_none_b67bb5081937ae73.manifest	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-u..rsalcrt-apifwd-win7_31bf3856ad364e35_6.1.7601.18972_none_4d8675c06cc24030\api-ms-win-crt-convert-l1-1-0.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\EnhancedStorage.adml	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-nap-oobsha_31bf3856ad364e35_6.1.7600.16385_none_efd8a9295d5adf69\msshavmsg.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-m..confg-rll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_60ddc2a8a5ef6916.manifest	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-g..zards-mui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b3a2fbec48d400a3.manifest	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_nvraid.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_880d3ce75d345caa.manifest	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-m..xe-common.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5b98d9b84461de76\msinfo32.exe.mui	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..c-style-performance_31bf3856ad364e35_6.1.7600.16385_none_1d8aecb671a2bda5\Title_Trans_Notes_PAL.wmv	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_6.1.7600.16385_none_df4bbe8e10903104\8514syst.fon	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-label.resources_31bf3856ad364e35_6.1.7600.16385_en-us_42bcad17bddd3828\label.exe.mui	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

Modifies service 2 TTPs 10 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

netsh.exenetsh.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe

Drops file in Program Files directory 34897 IoCs

Processes:

d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-sampler.jar.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.properties.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-4.png	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AN04385_.WMF.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0105238.WMF.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\ONENOTE_K_COL.HXK.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File deleted	C:\Program Files\Microsoft Office\Office14\FORMS\1033\TASKUPD.CFG	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0382927.JPG.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143753.GIF.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Microsoft Office\Document Themes 14\Theme Colors\Module.xml.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.SF.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\XML Files\StarterToolTemplates.xml	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_ja_4.4.0.v20140623020002.jar.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-charts.jar.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File deleted	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO02261_.WMF	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\MSACCESS.DEV_F_COL.HXK.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\xmlrw.dll.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File deleted	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Chisinau	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File deleted	C:\Program Files\VideoLAN\VLC\lua\intf\dumpmeta.luac	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_ko.properties	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AN04369_.WMF	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Ushuaia.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\Templates\1033\Access\Part\Contacts.accdt.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File deleted	C:\Program Files\Java\jre7\lib\zi\America\Panama	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yellowknife.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\MP00021_.WMF.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ja.properties	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.sat4j.pb_2.3.5.v201404071733.jar.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0174635.WMF.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Microsoft Office\Document Themes 14\Theme Colors\Opulent.xml.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File deleted	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\meta-index	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\status.json	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\0.png	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\GIFT.DPV.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\mc.jar	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_ja_4.4.0.v20140623020002.jar.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-1.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0187817.WMF.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File deleted	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18182_.WMF	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File deleted	C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME25.CSS	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_sse2_plugin.dll.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File deleted	C:\Program Files\Common Files\Microsoft Shared\THEMES14\EDGE\EDGE.INF	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_it.properties.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File deleted	C:\Program Files\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\DD01169_.WMF	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_zh_CN.jar.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AN04174_.WMF.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0216600.WMF.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\FORMS\1033\SMIMEE.CFG.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\EnterConvertFrom.cmd	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\startNetworkServer.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0318804.WMF	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\settings.html	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File deleted	C:\Program Files (x86)\Common Files\System\Ole DB\xmlrwbin.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_ja.jar	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Midway	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File deleted	C:\Program Files\Java\jre7\lib\zi\Asia\Seoul	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Verve.thmx.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\IACOM2.DLL.Email=[SupportOdveta@protonmail.com]ID=[CR7Z9BGTIP6LEJW].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

Drops startup file 1 IoCs

Processes:

d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

Drops autorun.inf file 1 TTPs 1 IoCs

spreading trojan

Replication Through Removable Media

T1091

Processes:

d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_6.1.7600.16385_none_de06b4fbd5b45f78\autorun.inf	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

Drops desktop.ini 261 IoCs

Processes:

d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_6.1.7600.16385_none_7ca09f65fd387e58\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File deleted	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Users\Admin\Contacts\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Admin\Cookies\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_6.1.7600.16385_none_36604ea896f9a97d\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Users\Public\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Media\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_6.1.7600.16385_none_bf396ba9226e0702\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-maintenance_31bf3856ad364e35_6.1.7600.16385_none_ba8f25a3b6d81a68\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File deleted	C:\Users\Admin\Downloads\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File deleted	C:\Users\Public\Music\Sample Music\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Users\Admin\Favorites\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File deleted	C:\Users\Public\Downloads\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_6.1.7600.16385_none_da623240a154f357\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O8Q277BG\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-reg-inf_31bf3856ad364e35_6.1.7601.17514_none_535245f3d98ecb9a\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ndthemes-characters_31bf3856ad364e35_6.1.7600.16385_none_08da32b0fdad9220\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File deleted	C:\Users\Public\Documents\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Users\Public\Pictures\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Media\Garden\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gameexplorer_31bf3856ad364e35_6.1.7601.17514_none_a026547dd7dc8bbc\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Users\Public\Documents\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File deleted	C:\Users\Admin\Favorites\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Users\Public\Recorded TV\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Public\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Users\Admin\Documents\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CZUF3YTD\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.execmd.exe

description	pid	process	target process
PID 1416 wrote to memory of 836	1416	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 836 wrote to memory of 1100	836	cmd.exe	net.exe
PID 1100 wrote to memory of 1096	1100	net.exe	net1.exe
PID 1416 wrote to memory of 1872	1416	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 1872 wrote to memory of 364	1872	cmd.exe	net.exe
PID 364 wrote to memory of 2036	364	net.exe	net1.exe
PID 1416 wrote to memory of 2012	1416	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 2012 wrote to memory of 1936	2012	cmd.exe	net.exe
PID 1936 wrote to memory of 2032	1936	net.exe	net1.exe
PID 1416 wrote to memory of 784	1416	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 784 wrote to memory of 112	784	cmd.exe	net.exe
PID 112 wrote to memory of 288	112	net.exe	net1.exe
PID 1416 wrote to memory of 856	1416	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 856 wrote to memory of 1120	856	cmd.exe	net.exe
PID 1120 wrote to memory of 1900	1120	net.exe	net1.exe
PID 1416 wrote to memory of 1932	1416	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 1416 wrote to memory of 848	1416	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 1416 wrote to memory of 1104	1416	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 1416 wrote to memory of 1112	1416	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 1112 wrote to memory of 1916	1112	cmd.exe	net.exe
PID 1916 wrote to memory of 1872	1916	net.exe	net1.exe
PID 1416 wrote to memory of 1948	1416	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 1948 wrote to memory of 2016	1948	cmd.exe	net.exe
PID 2016 wrote to memory of 1996	2016	net.exe	net1.exe
PID 1416 wrote to memory of 2040	1416	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 2040 wrote to memory of 240	2040	cmd.exe	net.exe
PID 240 wrote to memory of 1356	240	net.exe	net1.exe
PID 1416 wrote to memory of 316	1416	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 316 wrote to memory of 852	316	cmd.exe	netsh.exe
PID 1416 wrote to memory of 1908	1416	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 1908 wrote to memory of 1696	1908	cmd.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
"C:\Users\Admin\AppData\Local\Temp\d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Drops file in Windows directory
- Drops file in Program Files directory
- Drops startup file
- Drops autorun.inf file
- Drops desktop.ini
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLWriter
2⤵
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
3⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
4⤵
PID:1096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLBrowser
2⤵
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
3⤵
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
4⤵
PID:2036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
2⤵
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\SysWOW64\net.exe
net stop MSSQL$CONTOSO1
3⤵
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$CONTOSO1
4⤵
PID:288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSDTC
2⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\net.exe
net stop MSDTC
3⤵
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSDTC
4⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:1932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
2⤵
PID:848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
2⤵
PID:1104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
2⤵
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\net.exe
net stop SQLSERVERAGENT
3⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT
4⤵
PID:1872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop vds
2⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\net.exe
net stop vds
3⤵
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vds
4⤵
PID:1356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
2⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies service
PID:852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
2⤵
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies service
PID:1696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Modify Existing Service

2

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1416-0-0x0000000001000000-0x0000000001011000-memory.dmp

Filesize
68KB

Download
memory/1416-1-0x0000000001410000-0x0000000001421000-memory.dmp

Filesize
68KB

Download
memory/1416-2-0x0000000001000000-0x0000000001011000-memory.dmp

Filesize
68KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads