Analysis
-
max time kernel
143s -
max time network
269s -
platform
windows7_x64 -
resource
win7v191014 -
submitted
11-02-2020 15:13
Static task
static1
Behavioral task
behavioral1
Sample
8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe
Resource
win7v191014
windows7_x64
0 signatures
0 seconds
General
-
Target
8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe
-
Size
1.7MB
-
MD5
3f4181968baaf480a628d522c14cee75
-
SHA1
0cfbe9d8a205fa528c00c96253ff309ab666ee90
-
SHA256
8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351
-
SHA512
319332107b9da31aaa752dc75d5291c80668c204be2b6f0a3d31d4a48428bdccd5dcc7787678eb003fbb3d61af5245ea0d8c87b343cbaf77877e5f0c49e69db4
Malware Config
Extracted
Credentials
Protocol: ftp- Host:
80.82.69.52 - Port:
21 - Username:
admin - Password:
asmodeusasmodeus
Signatures
-
Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
-
Drops file in Drivers directory 9 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\drivers\wimmount.sys ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\drivers\gm.dls ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe -
Executes dropped EXE 2 IoCs
pid Process 1124 ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 2008 Synaptics.exe -
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\RenameUnregister.tiff ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe -
resource yara_rule behavioral1/files/0x0003000000012fb9-5.dat office_macros behavioral1/files/0x00020000000129cc-28.dat office_macros -
Drops startup file 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe -
Loads dropped DLL 3 IoCs
pid Process 1616 8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 1616 8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 1616 8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" 8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\FY0LK93E\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-fontext_31bf3856ad364e35_6.1.7601.17514_none_fcab9df20a3cd55f\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-heritage_31bf3856ad364e35_6.1.7600.16385_none_5872c0830d0c4747\Desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Program Files\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F0PWNRM0\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Users\Admin\Favorites\Links for United States\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Users\Admin\Pictures\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\Media\Raga\Desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..l-soundthemes-delta_31bf3856ad364e35_6.1.7600.16385_none_fbf7e0678b64a4b8\Desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Users\Public\Downloads\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Users\Public\Libraries\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\$Recycle.Bin\S-1-5-21-1774239815-1814403401-2200974991-1000\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_6.1.7600.16385_none_7ca09f65fd387e58\Desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CZUF3YTD\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\Web\Wallpaper\Landscapes\Desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\Web\Wallpaper\Characters\Desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\6Y38LIXE\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..-gb-links-component_31bf3856ad364e35_6.1.7601.17514_none_0ea01e97df141032\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..lpaper-architecture_31bf3856ad364e35_6.1.7600.16385_none_d99106b927aa7782\Desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-shell-soundthemes-raga_31bf3856ad364e35_6.1.7600.16385_none_2fe300bf8e73cdbd\Desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Users\Admin\Documents\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\Fonts\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_8.0.7601.17514_none_da0c2f9edf5b1353\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Users\Admin\Searches\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\FY0LK93E\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Users\Admin\Favorites\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\Media\Garden\Desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\6Y38LIXE\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-1774239815-1814403401-2200974991-1000\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\Media\Cityscape\Desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Program Files (x86)\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-nature_31bf3856ad364e35_6.1.7600.16385_none_d5909570704a09c0\Desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Users\Admin\Contacts\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Users\Public\Documents\desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
description flow ioc HTTP URL 7 http://www.sfml-dev.org/ip-provider.php -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\System32\DriverStore\en-US\netpacer.inf_loc ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\netbvbda.inf_amd64_neutral_2bfa4ea57bd5d74a\netbvbda.PNF ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj3500t.xml ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\en-US\msacm32.dll.mui ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\wdi\perftrack\DiagCpl.Events.ptxml ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\drt.dll ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr007.cat ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\mdmadc.inf_amd64_neutral_62d6e6995428f9d0\mdmadc.PNF ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\Amd64\brci08b.dll ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnep00b.inf_amd64_neutral_2e6b718b2b177506\Amd64\EP0NOJ7J.DXT ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\wdi\perftrack\HealthCenterCPLInstrumentation.ptxml ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\RMActivate.exe ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\SearchFolder.dll ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPZIPT12.DLL ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\en-US\WinSyncMetastore.rll.mui ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\NlsData0003.dll ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\hidirkbd.inf_amd64_neutral_2b561a02e977e2e3\hidirkbd.PNF ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnep00a.inf_amd64_neutral_92a4c727cdf4c2f7\Amd64\EP0NIP47.DLL ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\en-US\mswstr10.dll.mui ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\IMJP10.IME ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\en-US\prnkm003.inf_loc ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\brmsl06.bin ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\BRM240C.GPD ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\BRM850CD.GPD ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVPA8.GPD ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpl7500t.exp ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnlx003.inf_amd64_neutral_d1510a8315a2ea0d\Amd64\LME330.GPD ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\inetcomm.dll ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\wbem\en-US\iscsidsc.mfl ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\en-US\Licenses\_Default\UltimateE\license.rtf ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MobilePC-Client-Basic-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnca00e.inf_amd64_neutral_651eeed98428be5e\Amd64\CNBJOP89.DLL ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnle003.inf_amd64_neutral_c61883abf66ddb39\Amd64\LRC30006.GPD ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnrc006.inf_amd64_neutral_7e12a60cc98d3f89\Amd64\RIA16006.GPD ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smc350.gpd ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\en-US\advapi32.dll.mui ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-COM-DTC-Setup-DL\msdtcstp.dll ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\MP4SDECD.DLL ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\wshbth.dll ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\amdsata.inf_amd64_neutral_67db50590108ebd9\amdsata.sys ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnep00g.inf_amd64_neutral_2926840e245f88f6\Amd64\EP0NGL8R.GPD ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\odpdx32.dll ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\msxml6.dll ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-Multimedia-Package~31bf3856ad364e35~amd64~hr-HR~7.1.7601.16492.cat ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\Amd64\brci08b.ini ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnrc002.inf_amd64_neutral_fdb6f2e252435905\Amd64\RICM3000.GPD ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnrc007.inf_amd64_neutral_2df575afa0f7d35f\Amd64\RI1312E3.PPD ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\en-US\cmstplua.dll.mui ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\en-US\msaudite.dll.mui ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\en-US\Licenses\OEM\StarterN\license.rtf ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\wer.dll ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\migwiz\replacementmanifests\sounds-migration-replacement.man ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\grpconv.exe ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\infpub.dat ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\ph3xibc5.inf_amd64_neutral_2270382453de2dbb\ph3xibc5.PNF ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO0410T.GPD ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnle004.inf_amd64_neutral_beb9bf23b7202bff\Amd64\LALD1903.PPD ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\C_20838.NLS ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnin003.inf_amd64_neutral_3a3c6293d0cda862\Amd64\IF23166.GPD ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnsh002.inf_amd64_neutral_42b7a64f45c7554c\Amd64\SHK1N001.GPD ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\wiaca00a.inf_amd64_neutral_163313056d8f34ab\CNHLX700.DLL ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\en-US\dinput.dll.mui ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\SysWOW64\migwiz\dlmanifests\Ldap-Client-DL.man ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpzscw72.dtd ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\Microsoft Office\CLIPART\PUB60COR\HH00241_.WMF.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\7-Zip\History.txt ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Microsoft Office\Office14\ADDINS\otkloadr_x64.dll ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Indian\Christmas.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AG00176_.GIF.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\EQUATION\eqnedt32.exe.manifest.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\MSACCESS_COL.HXT ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui_5.5.0.165303.jar ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\UnformattedNumeric.jpg.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\form_edit.js.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay\TAB_ON.GIF.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\GRID_01.MID ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Program Files\Microsoft Office\Document Themes 14\Theme Effects\Elemental.eftx.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Samarkand.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\eclipse.inf ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECHO\PREVIEW.GIF.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_ja.jar ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_zh_CN.jar ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Sybase.xsl ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\IPEDINTL.DLL ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01299_.GIF.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Program Files\VideoLAN\VLC\plugins\codec\libttml_plugin.dll.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIcon.jpg.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_ja.jar ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Microsoft Office\Office14\SplashScreen.bmp ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Program Files\Java\jre7\lib\zi\America\Atikokan.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\HEADER.GIF.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Program Files\Microsoft Office\Office14\1033\QuickStyles\Simple.dotx.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PARNT_08.MID ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\QuickStyles\Modern.dotx ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Microsoft Office\Office14\PUBWIZ\EMAIL11.POC.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Common Files\System\ado\msadrh15.dll ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO02228_.WMF.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_zh_CN.jar ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\default.jfc.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands_3.6.100.v20140528-1422.jar.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FORM.ICO.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\THEMES14\INDUST\INDUST.ELM.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolIcons\ModifiedTelespace.ico ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0185786.WMF.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Sts2.css.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE03513_.WMF ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\hxdsui.dll ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0301050.WMF.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR2B.GIF ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Java\jre7\COPYRIGHT.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\BHOINTL.DLL.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-uisupport.xml.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18235_.WMF ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Program Files\Java\jre7\lib\deploy\messages_zh_CN.properties.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\WINWORD.HXS ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ieproxy.dll ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\square.png ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Microsoft Office\Office14\Library\SOLVER\SOLVER32.DLL ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Microsoft Office\Office14\PUBWIZ\BZCARD11.POC ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES\BD14594_.GIF.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341475.JPG.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Program Files\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02055_.GIF.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File created C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0090070.WMF.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\THEMES14\CONCRETE\THMBNAIL.PNG.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-text.jar.Email=[[email protected]]ID=[9DYMVNQ3FR0KPUI].odveta ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\Globalization\ELS\Transliteration\Hans-To-Hant.nlt ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Resources.Writer.dll ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_ntprint.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_642cb92a2b3141e5\PSCRIPT5.DLL.mui ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_prnlx00c.inf_31bf3856ad364e35_6.1.7600.16385_none_61df880994e05f17\prnlx00c.cat ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\FileMaps\$$_syswow64_en-us_licenses_eval_ultimaten_c0bcccddfce3245d.cdf-ms ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package~31bf3856ad364e35~amd64~fi-FI~7.1.7601.16492.mum ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..nents-mdac-msdadiag_31bf3856ad364e35_6.1.7600.16385_none_ba9155a54beaf1c2\msdadiag.dll ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-duser.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d1256a4a3c8105f9_duser.dll.mui_3c369ac4 ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-m..c-drivermanager-dll_31bf3856ad364e35_6.1.7601.17514_none_6e58b7a90098ae0f.manifest ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.MediaCent#\e7b8df5d803bb9bd27f63f0074775aaf\Microsoft.MediaCenter.UI.ni.dll ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\Help\mui\0409\sqlsodbc.chm ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-d..s-ime-japanese-help_31bf3856ad364e35_6.1.7600.16385_none_cdfd15e4a5a167d0\IMJPDTE.CHM ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.1.7600.16385_none_73076dd9cf3a9dce\Windows Shutdown.wav ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.1.7600.16385_none_fdde508273949e1f\avantgo.browser ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-help-privstatement_31bf3856ad364e35_6.1.7600.16385_none_a7b72a0cb45258cb.manifest ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-directx-directplay8_31bf3856ad364e35_6.1.7601.17514_none_d6fc8d83d55eb77c\dpnathlp.dll ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_prnin004.inf_31bf3856ad364e35_6.1.7600.16385_none_122e6271fec9f455\Amd64\INISC203.PPD ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_prnkm003.inf_31bf3856ad364e35_6.1.7600.16385_none_50766fcc42797a9b\prnkm003.inf ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_prnnr003.inf_31bf3856ad364e35_6.1.7600.16385_none_b9a40efcdf84f11b\Amd64\NR35006.GPD ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_prnrc002.inf_31bf3856ad364e35_6.1.7600.16385_none_20d55c335c54951d\prnrc002.cat ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-i..tional-codepage-720_31bf3856ad364e35_6.1.7600.16385_none_2ae4fd74b4dd3f24.manifest ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\SqlWorkflowInstanceStoreSchema.sql ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0246f6465cb859ba\settings.css ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..onal-codepage-20106_31bf3856ad364e35_6.1.7600.16385_none_ad57d8af006e8f60\C_20106.NLS ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-n..essprotection-agent_31bf3856ad364e35_6.1.7601.17514_none_64be3a8d04208144\NAPCLIENTSCHEMA.MOF ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-t..latform-input-proxy_31bf3856ad364e35_6.1.7601.17514_none_17df77c92191ecec\tpcps.dll ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_ph3xibc2.inf_31bf3856ad364e35_6.1.7600.16385_none_9ce1cbd196843daf\Ph3xIB64MV.dll ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_zh-hk_7d8982db6f41dca8.manifest ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-WinIP-Package~31bf3856ad364e35~amd64~pt-PT~7.1.7601.16492.mum ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..lpaper-architecture_31bf3856ad364e35_6.1.7600.16385_none_d99106b927aa7782\img15.jpg ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..etype-lucidaconsole_31bf3856ad364e35_6.1.7600.16385_none_5b3be3e0926bd543.manifest ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-ie-iexpress.resources_31bf3856ad364e35_8.0.7600.16385_en-us_9a34be91b5863879.manifest ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-d..fontcache.resources_31bf3856ad364e35_7.1.7601.16492_pt-br_21b8020a9fb81040\FntCache.dll.mui ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-00011809_31bf3856ad364e35_6.1.7600.16385_none_e9dac4a76e3682ef\KBDGAE.DLL ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-opticalmediadisc-api_31bf3856ad364e35_6.1.7601.17514_none_14133f190e6d86a7\sonicsptransform.ax ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-u..rsalcrt-apifwd-win7_31bf3856ad364e35_6.1.7601.23175_none_aa31870f3e3ad077\api-ms-win-crt-locale-l1-1-0.dll ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_da-dk_3c1b29463bcb5626.manifest ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\Catalogs\38bc277649922cb2ac9f4f3bc37325824a1be38fb22554d560ff63e50624f2c1.cat ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-m..do-backcompat-tlb20_31bf3856ad364e35_6.1.7601.17514_none_493d316208b5513f.manifest ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\inf\prnbr008.inf ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_18a11c58aaf4d08c\Documents.gif ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.1.7601.17514_none_1202940e4711971e\PlaMig.dll ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-cityscape_31bf3856ad364e35_6.1.7600.16385_none_5b48f43248490503\Windows User Account Control.wav ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_b03f5f7f11d50a3a_6.1.7600.16385_none_6cb4cb2fec54f7c8\home2.aspx ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-iis-bpa.resources_31bf3856ad364e35_6.1.7601.17514_en-us_f646fe79b78341b3.manifest ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-p..l-message.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9c61248adcc9a315.manifest ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Activities.Compiler.dll ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMdiagnostics.dll ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ehome-ehsso_31bf3856ad364e35_6.1.7600.16385_none_ac3a9a3e6b4da0cc\ehSSO.dll ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-0000042f_31bf3856ad364e35_6.1.7600.16385_none_5ab7e4e86ecce366\KBDMAC.DLL ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-t..languages.resources_31bf3856ad364e35_6.1.7601.17514_hu-hu_faf66397e6b5f43f\tipresx.dll.mui ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-waitfor.resources_31bf3856ad364e35_6.1.7600.16385_en-us_89643717192e948e\waitfor.exe.mui ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\Catalogs\60a0415d7c5c8ceade38ed92ec25a10f888a5b2855b0eb38413057d41f28aa83.cat ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\FileMaps\program_files_dvd_maker_shared_dvdstyles_specialoccasion_e32b316f8a75bd6e.cdf-ms ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-SecureStartup-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_bth.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b480a3379367dfd4\bthport.sys.mui ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-b..ng-shell-enterprise_31bf3856ad364e35_6.1.7600.16385_none_5607784e88698ae5\shellbrd.dll ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..ional-codepage-1140_31bf3856ad364e35_6.1.7600.16385_none_7d2cc8c1248fcdc7\C_1140.NLS ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-vssapi_31bf3856ad364e35_6.1.7601.17514_none_330ce3bf9861358f\vssapi.dll ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\PolicyDefinitions\WindowsBackup.admx ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-fsutil.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c51eb2f5e88a3281\fsutil.exe.mui ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-w..-provider.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8a5b315523d5b814\smierrsy.dll.mui ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\System.IdentityMode#\559a3dee015d005c199f3867b10f5bbc\System.IdentityModel.Selectors.ni.dll ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE Synaptics.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob = 0f0000000100000014000000bf4d2c390bbf0aa3a2b7ea2dc751011bf5fd422e090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020b000000010000005c00000047006f006f0067006c00650020005400720075007300740020005300650072007600690063006500730020002d00200047006c006f00620061006c005300690067006e00200052006f006f0074002000430041002d005200320000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0620000000100000020000000ca42dd41745fd0b81eb902362cf9d8bf719da1bd1b1efc946f5b4c99f42c1b9e1400000001000000140000009be20757671c1ec06a06de59b49a2ddfdc19862e1d000000010000001000000073621e116224668780b2d2bee454e52e03000000010000001400000075e0abb6138512271c04f85fddde38e4b7242efe2000000001000000be030000308203ba308202a2a003020102020b0400000000010f8626e60d300d06092a864886f70d0101050500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3036313231353038303030305a170d3231313231353038303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a6cf240ebe2e6f28994542c4ab3e21549b0bd37f8470fa12b3cbbf875fc67f86d3b2305cd6fdadf17bdce5f86096099210f5d053defb7b7e7388ac52887b4aa6ca49a65ea8a78c5a11bc7a82ebbe8ce9b3ac962507974a992a072fb41e77bf8a0fb5027c1b96b8c5b93a2cbcd612b9eb597de2d006865f5e496ab5395e8834ecbc780c0898846ca8cd4bb4a07d0c794df0b82dcb21cad56c5b7de1a02984a1f9d39449cb24629120bcdd0bd5d9ccf9ea270a2b7391c69d1bacc8cbe8e0a0f42f908b4dfbb0361bf6197a85e06df26113885c9fe0930a51978a5aceafabd5f7aa09aa60bddcd95fdf72a960135e0001c94afa3fa4ea070321028e82ca03c29b8f0203010001a3819c308199300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604149be20757671c1ec06a06de59b49a2ddfdc19862e30360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e676c6f62616c7369676e2e6e65742f726f6f742d72322e63726c301f0603551d230418301680149be20757671c1ec06a06de59b49a2ddfdc19862e300d06092a864886f70d01010505000382010100998153871c68978691ece04ab8440bab81ac274fd6c1b81c4378b30c9afcea2c3c6e611b4d4b29f59f051d26c1b8e983006245b6a90893b9a9334b189ac2f887884edbdd71341ac154da463fe0d32aab6d5422f53a62cd206fba2989d7dd91eed35ca23ea15b41f5dfe564432de9d539abd2a2dfb78bd0c080191c45c02d8ce8f82da4745649c505b54f15de6e44783987a87ebbf3791891bbf46f9dc1f08c358c5d01fbc36db9ef446d7946317e0afea982c1ffefab6e20c450c95f9d4d9b178c0ce501c9a0416a7353faa550b46e250ffb4c18f4fd52d98e69b1e8110fde88d8fb1d49f7aade95cf2078c26012db25408c6afc7e4238406412f79e81e1932e Synaptics.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob = 190000000100000010000000a8827a3cbd2d87d783b59b8062c87e9a03000000010000001400000075e0abb6138512271c04f85fddde38e4b7242efe1d000000010000001000000073621e116224668780b2d2bee454e52e1400000001000000140000009be20757671c1ec06a06de59b49a2ddfdc19862e620000000100000020000000ca42dd41745fd0b81eb902362cf9d8bf719da1bd1b1efc946f5b4c99f42c1b9e5300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000005c00000047006f006f0067006c00650020005400720075007300740020005300650072007600690063006500730020002d00200047006c006f00620061006c005300690067006e00200052006f006f0074002000430041002d00520032000000090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f0000000100000014000000bf4d2c390bbf0aa3a2b7ea2dc751011bf5fd422e2000000001000000be030000308203ba308202a2a003020102020b0400000000010f8626e60d300d06092a864886f70d0101050500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3036313231353038303030305a170d3231313231353038303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a6cf240ebe2e6f28994542c4ab3e21549b0bd37f8470fa12b3cbbf875fc67f86d3b2305cd6fdadf17bdce5f86096099210f5d053defb7b7e7388ac52887b4aa6ca49a65ea8a78c5a11bc7a82ebbe8ce9b3ac962507974a992a072fb41e77bf8a0fb5027c1b96b8c5b93a2cbcd612b9eb597de2d006865f5e496ab5395e8834ecbc780c0898846ca8cd4bb4a07d0c794df0b82dcb21cad56c5b7de1a02984a1f9d39449cb24629120bcdd0bd5d9ccf9ea270a2b7391c69d1bacc8cbe8e0a0f42f908b4dfbb0361bf6197a85e06df26113885c9fe0930a51978a5aceafabd5f7aa09aa60bddcd95fdf72a960135e0001c94afa3fa4ea070321028e82ca03c29b8f0203010001a3819c308199300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604149be20757671c1ec06a06de59b49a2ddfdc19862e30360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e676c6f62616c7369676e2e6e65742f726f6f742d72322e63726c301f0603551d230418301680149be20757671c1ec06a06de59b49a2ddfdc19862e300d06092a864886f70d01010505000382010100998153871c68978691ece04ab8440bab81ac274fd6c1b81c4378b30c9afcea2c3c6e611b4d4b29f59f051d26c1b8e983006245b6a90893b9a9334b189ac2f887884edbdd71341ac154da463fe0d32aab6d5422f53a62cd206fba2989d7dd91eed35ca23ea15b41f5dfe564432de9d539abd2a2dfb78bd0c080191c45c02d8ce8f82da4745649c505b54f15de6e44783987a87ebbf3791891bbf46f9dc1f08c358c5d01fbc36db9ef446d7946317e0afea982c1ffefab6e20c450c95f9d4d9b178c0ce501c9a0416a7353faa550b46e250ffb4c18f4fd52d98e69b1e8110fde88d8fb1d49f7aade95cf2078c26012db25408c6afc7e4238406412f79e81e1932e Synaptics.exe -
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1268 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 1124 ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 1124 ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 1124 ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 1124 ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 1124 ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 1124 ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 1124 ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 1124 ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 1124 ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1268 EXCEL.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1616 wrote to memory of 1124 1616 8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 27 PID 1616 wrote to memory of 1124 1616 8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 27 PID 1616 wrote to memory of 1124 1616 8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 27 PID 1616 wrote to memory of 1124 1616 8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 27 PID 1124 wrote to memory of 1736 1124 ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 29 PID 1124 wrote to memory of 1736 1124 ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 29 PID 1124 wrote to memory of 1736 1124 ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 29 PID 1124 wrote to memory of 1736 1124 ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 29 PID 1736 wrote to memory of 1988 1736 cmd.exe 31 PID 1736 wrote to memory of 1988 1736 cmd.exe 31 PID 1736 wrote to memory of 1988 1736 cmd.exe 31 PID 1736 wrote to memory of 1988 1736 cmd.exe 31 PID 1616 wrote to memory of 2008 1616 8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 32 PID 1616 wrote to memory of 2008 1616 8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 32 PID 1616 wrote to memory of 2008 1616 8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 32 PID 1616 wrote to memory of 2008 1616 8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 32 PID 1988 wrote to memory of 108 1988 net.exe 33 PID 1988 wrote to memory of 108 1988 net.exe 33 PID 1988 wrote to memory of 108 1988 net.exe 33 PID 1988 wrote to memory of 108 1988 net.exe 33 PID 1124 wrote to memory of 1088 1124 ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 34 PID 1124 wrote to memory of 1088 1124 ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 34 PID 1124 wrote to memory of 1088 1124 ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 34 PID 1124 wrote to memory of 1088 1124 ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 34 PID 1088 wrote to memory of 1132 1088 cmd.exe 37 PID 1088 wrote to memory of 1132 1088 cmd.exe 37 PID 1088 wrote to memory of 1132 1088 cmd.exe 37 PID 1088 wrote to memory of 1132 1088 cmd.exe 37 PID 1132 wrote to memory of 1836 1132 net.exe 38 PID 1132 wrote to memory of 1836 1132 net.exe 38 PID 1132 wrote to memory of 1836 1132 net.exe 38 PID 1132 wrote to memory of 1836 1132 net.exe 38 PID 1124 wrote to memory of 1196 1124 ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 39 PID 1124 wrote to memory of 1196 1124 ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 39 PID 1124 wrote to memory of 1196 1124 ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 39 PID 1124 wrote to memory of 1196 1124 ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 39 PID 1196 wrote to memory of 1960 1196 cmd.exe 41 PID 1196 wrote to memory of 1960 1196 cmd.exe 41 PID 1196 wrote to memory of 1960 1196 cmd.exe 41 PID 1196 wrote to memory of 1960 1196 cmd.exe 41 PID 1960 wrote to memory of 1940 1960 net.exe 42 PID 1960 wrote to memory of 1940 1960 net.exe 42 PID 1960 wrote to memory of 1940 1960 net.exe 42 PID 1960 wrote to memory of 1940 1960 net.exe 42 PID 1124 wrote to memory of 1996 1124 ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 43 PID 1124 wrote to memory of 1996 1124 ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 43 PID 1124 wrote to memory of 1996 1124 ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 43 PID 1124 wrote to memory of 1996 1124 ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 43 PID 1996 wrote to memory of 1120 1996 cmd.exe 45 PID 1996 wrote to memory of 1120 1996 cmd.exe 45 PID 1996 wrote to memory of 1120 1996 cmd.exe 45 PID 1996 wrote to memory of 1120 1996 cmd.exe 45 PID 1120 wrote to memory of 1668 1120 net.exe 46 PID 1120 wrote to memory of 1668 1120 net.exe 46 PID 1120 wrote to memory of 1668 1120 net.exe 46 PID 1120 wrote to memory of 1668 1120 net.exe 46 PID 1124 wrote to memory of 848 1124 ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 47 PID 1124 wrote to memory of 848 1124 ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 47 PID 1124 wrote to memory of 848 1124 ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 47 PID 1124 wrote to memory of 848 1124 ._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe 47 PID 848 wrote to memory of 1340 848 cmd.exe 49 PID 848 wrote to memory of 1340 848 cmd.exe 49 PID 848 wrote to memory of 1340 848 cmd.exe 49 PID 848 wrote to memory of 1340 848 cmd.exe 49
Processes
-
C:\Users\Admin\AppData\Local\Temp\8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe"C:\Users\Admin\AppData\Local\Temp\8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Users\Admin\AppData\Local\Temp\._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe"C:\Users\Admin\AppData\Local\Temp\._cache_8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop SQLWriter3⤵
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\net.exenet stop SQLWriter4⤵
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLWriter5⤵PID:108
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop SQLBrowser3⤵
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\SysWOW64\net.exenet stop SQLBrowser4⤵
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLBrowser5⤵PID:1836
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSSQLSERVER3⤵
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\net.exenet stop MSSQLSERVER4⤵
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER5⤵PID:1940
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO13⤵
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\net.exenet stop MSSQL$CONTOSO14⤵
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$CONTOSO15⤵PID:1668
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSDTC3⤵
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Windows\SysWOW64\net.exenet stop MSDTC4⤵PID:1340
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSDTC5⤵PID:1580
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵PID:1616
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no3⤵PID:1984
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet3⤵PID:1792
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT3⤵PID:1396
-
C:\Windows\SysWOW64\net.exenet stop SQLSERVERAGENT4⤵PID:1952
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLSERVERAGENT5⤵PID:1500
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSSQLSERVER3⤵PID:788
-
C:\Windows\SysWOW64\net.exenet stop MSSQLSERVER4⤵PID:1968
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER5⤵PID:1656
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop vds3⤵PID:1096
-
C:\Windows\SysWOW64\net.exenet stop vds4⤵PID:860
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop vds5⤵PID:1432
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off3⤵PID:1424
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off4⤵PID:1980
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable3⤵PID:2040
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable4⤵PID:1944
-
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2008
-
-
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1268