ouroboros | 26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa

Analysis

max time kernel
88s
max time network
122s
platform
windows7_x64
resource
win7v200410
submitted
24-04-2020 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
Size

997KB
MD5

ba454585b9f42c7254c931c192556e08
SHA1

0b530303634283a43d53abd9190106869f57ba5a
SHA256

26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa
SHA512

2cb918eab6776c7cfea031cbb48cc4e33e068489a37f39ba1e246f32fef7a35c3511293b399c81b5b8056bca50d725554866584460f04efe0d65c1d1c625bc4b

Score

10^/10

ouroboros xmrig evasion miner ransomware

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ConvertRegister.tiff	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe

Drops startup file 1 IoCs

Processes:

26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe

description	ioc	process
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File created	C:\$Recycle.Bin\S-1-5-21-3765897441-2376744223-3151462503-1000\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\0DHL2DSS\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\M8IM4P5W\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\Cookies\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\FT5Z4PS4\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\23JH2T2F\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File created	C:\Program Files\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JA3Y8ESC\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 2 http://www.sfml-dev.org/ip-provider.php
Drops file in System32 directory 1 IoCs

Processes:

26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\regedit.exe 26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe

description	flow	ioc
HTTP URL	2	http://www.sfml-dev.org/ip-provider.php

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\regedit.exe	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe

Drops file in Program Files directory 64 IoCs

Processes:

26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libtaglib_plugin.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\CUP.WMF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\ENVELOPR.DLL	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Noumea.[[email protected]][ID-1ZSGEOKCNPIFL78].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\eclipse.inf.[[email protected]][ID-1ZSGEOKCNPIFL78].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\VVIEWDWG.DLL	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\config.ini.[[email protected]][ID-1ZSGEOKCNPIFL78].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_ja.jar.[[email protected]][ID-1ZSGEOKCNPIFL78].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar.[[email protected]][ID-1ZSGEOKCNPIFL78].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18248_.WMF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\OMML2MML.XSL	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImages.jpg	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\leftnav.gif.[[email protected]][ID-1ZSGEOKCNPIFL78].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\dnsns.jar.[[email protected]][ID-1ZSGEOKCNPIFL78].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\mscss7en.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\ACCESS12.ACC.[[email protected]][ID-1ZSGEOKCNPIFL78].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_zh_4.4.0.v20140623020002.jar.[[email protected]][ID-1ZSGEOKCNPIFL78].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Guayaquil	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Prague	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Troll.[[email protected]][ID-1ZSGEOKCNPIFL78].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\tab_on.gif	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm.[[email protected]][ID-1ZSGEOKCNPIFL78].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\MUSIC_01.MID	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0205462.WMF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\PS10TARG.POC	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Kaliningrad.[[email protected]][ID-1ZSGEOKCNPIFL78].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.DLL	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\THEMES14\PIXEL\THMBNAIL.PNG	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe.[[email protected]][ID-1ZSGEOKCNPIFL78].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif.[[email protected]][ID-1ZSGEOKCNPIFL78].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp_5.5.0.165303.jar.[[email protected]][ID-1ZSGEOKCNPIFL78].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\9.png	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Brussels.[[email protected]][ID-1ZSGEOKCNPIFL78].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\clock.css	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceSimplifiedQuanPin.txt	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Hermosillo.[[email protected]][ID-1ZSGEOKCNPIFL78].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\Casey.[[email protected]][ID-1ZSGEOKCNPIFL78].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Theme Fonts\Essential.xml	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\ENVELOPE.DLL.[[email protected]][ID-1ZSGEOKCNPIFL78].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\PUB6INTL.REST.IDX_DLL.[[email protected]][ID-1ZSGEOKCNPIFL78].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\cue.luac	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Baku	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Microsoft Office\Templates\1033\OrielResume.Dotx.[[email protected]][ID-1ZSGEOKCNPIFL78].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_pressed.png	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OSetupPS.dll.[[email protected]][ID-1ZSGEOKCNPIFL78].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\TN00241_.WMF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\bg_VelvetRose.gif	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\DigSig.api	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\vlc.mo.[[email protected]][ID-1ZSGEOKCNPIFL78].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\cpu.js	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.CGM.[[email protected]][ID-1ZSGEOKCNPIFL78].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\THOCR.PSP	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Microsoft Office\Stationery\1033\TECHTOOL.HTM	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA02356_.WMF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_asf_plugin.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.properties.src.[[email protected]][ID-1ZSGEOKCNPIFL78].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-progress-ui.xml.[[email protected]][ID-1ZSGEOKCNPIFL78].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\DD01151_.WMF.[[email protected]][ID-1ZSGEOKCNPIFL78].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00656_.WMF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.di_1.4.0.v20140414-1837.jar.[[email protected]][ID-1ZSGEOKCNPIFL78].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe

Drops file in Windows directory 64 IoCs

Processes:

26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.SharePoint.BusinessData.Administration.Client\14.0.0.0__71e9bce111e9429c\Microsoft.SharePoint.BusinessData.Administration.Client.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Data.Services.Design\3.5.0.0__b77a5c561934e089\System.Data.Services.Design.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.MediaCent#\d22ec1c367b915c4028867244c6a1623\Microsoft.MediaCenter.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Security.#\e166ff6b4e2f181ace48ef30fcc1b55c\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\ced847eb933ffee8e1a2e738205916ce\System.DirectoryServices.Protocols.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Outlook\14.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.Outlook.config	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\b1c511d8fad78ad3c5213b2b4fb02b8b\Microsoft.PowerShell.ConsoleHost.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe.config	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.MediaCenter.ITVVM\6.1.0.0__31bf3856ad364e35\Microsoft.MediaCenter.ITVVM.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.OneNote\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.OneNote.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.Resources.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.DesignTime\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Applications.DesignTime.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\normidna.nlp	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Tools.Word.v9.0\9.0.0.0__b03f5f7f11d50a3a\Microsoft.Office.Tools.Word.v9.0.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0\10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\bfaf8f86e69928fb2f67987c0203f603\PresentationFramework.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.DynamicData.Design\3.5.0.0__31bf3856ad364e35\System.Web.DynamicData.Design.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\887ef2648686aad19feff405eddbffd2\System.EnterpriseServices.Wrapper.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\AcGenral.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ehiVidCtl\6.1.0.0__31bf3856ad364e35\ehiVidCtl.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\mcepg\6.1.0.0__31bf3856ad364e35\mcepg.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessApplications.Tools.Intl\14.0.0.0__71e9bce111e9429c\Microsoft.Office.BusinessApplications.Tools.Intl.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.IdentityMode#\5490e4be56d6b1a80586439ac8b09b77\System.IdentityModel.Selectors.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ehiUserXp\6.1.0.0__31bf3856ad364e35\ehiUserXp.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.OutlookViewCtl\14.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.OutlookViewCtl.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.IdentityModel.Selectors\3.0.0.0__b77a5c561934e089\System.IdentityModel.Selectors.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\TaskScheduler.Resources\6.1.0.0_en_31bf3856ad364e35\TaskScheduler.resources.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.Interop\2.0.0.0__31bf3856ad364e35\Microsoft.GroupPolicy.Interop.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessApplications.Runtime.Intl\14.0.0.0__71e9bce111e9429c\Microsoft.Office.BusinessApplications.Runtime.Intl.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.Resources.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.SmartTag\14.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.SmartTag.config	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\ehRecObj\6e35ba22c9762646d5294dd919175c69\ehRecObj.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\17ab5131ab854c98847ad70236435924\PresentationFramework.Royale.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\AppPatch\apihex86.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Contract.v9.0\9.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.OutlookViewCtl\14.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.OutlookViewCtl.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.Word\14.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Word.config	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.11.0.office\14.0.0.0__71e9bce111e9429c\Policy.11.0.office.config	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.AddIn.Contract\2.0.0.0__b03f5f7f11d50a3a\System.AddIn.Contract.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.6.0.ehRecObj\6.1.0.0__31bf3856ad364e35\Policy.6.0.ehRecObj.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.ServiceModel\3.0.0.0__b77a5c561934e089\System.ServiceModel.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\Microsoft.Ink.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.stdformat.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.BusinessData\14.0.0.0__71e9bce111e9429c\Microsoft.BusinessData.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0\10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.Access\14.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Access.config	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Xml.Linq\3.5.0.0__b77a5c561934e089\System.Xml.Linq.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualC\4bfa36696bef033cf7e33b1a092c8a0f\Microsoft.VisualC.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\fac6392e83ef7e777b78933e057c9546\System.Drawing.Design.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0\10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Managemen#\630257a0b042768c2e3104a36559c1a9\Microsoft.ManagementConsole.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\AppPatch\acwow64.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.InfoPath.FormControl\14.0.0.0__71e9bce111e9429c\microsoft.office.infopath.formcontrol.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\MMCEx\3.0.0.0__31bf3856ad364e35\MMCEx.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Data.Entity\3.5.0.0__b77a5c561934e089\System.Data.Entity.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe

NTFS ADS 45 IoCs

Processes:

26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe

description	ioc	process
File opened for modification	C:\ProgramData\Documents\Updater6\ꞔ皕"쀀\ꞔ皕:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\ProgramData\Start Menu\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ皕"쀀\ꞔ皕:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\ProgramData\Templates\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ皕"쀀\ꞔ皕:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Application Data\Color\"쀀ꨚ皕\:쀀䷠䷠ꨚ皕\:쀀一一ꨚ皕\3쀀丠丠ꨚ皕\3쀀乀乀ꨚ皕\3쀀习习ꨚ皕\3쀀亀亀ꨚ皕\3쀀亠亠ꨚ皕\3쀀什什ꨚ皕\3쀀仠仠ꨚ皕\3쀀伀伀ꨚ皕\3쀀传传ꨚ皕\3쀀佀佀ꨚ皕\3쀀你你ꨚ皕\3쀀侀侀ꨚ皕\3쀀侠侠ꨚ皕\3쀀䥀䥀ꨚ皕\3쀀䥠䥠ꨚ皕\3쀀䦀䦀ꨚ皕\3쀀䦠㟀ꨚ皕㟤	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Application Data\Color\ꞔ皕"쀀\ꞔ皕:쀀\ꞔ皕:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\All Users\Start Menu\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ皕"쀀\ꞔ皕:쀀\ꞔ皕:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-3765897441-2376744223-3151462503-1000\"쀀訰訰ꨚ皕\:쀀ꨚ皕\:쀀ꨚ皕\3쀀ꨚ皕\3쀀ꨚ皕\3쀀ꨚ皕\3쀀Ѐ	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\All Users\Application Data\Updater6\ꞔ皕"쀀隐閸ꨚ皕\ꞔ皕:쀀ꨚ皕	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\All Users\Documents\Updater6\ꞔ皕"쀀隐门ꨚ皕\ꞔ皕:쀀ꨚ皕	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\All Users\Favorites\Updater6\ꞔ皕"쀀\ꞔ皕:쀀\ꞔ皕:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\All Users\Desktop\Updater6\"쀀鍀鍀ꨚ皕\:쀀隸隸ꨚ皕\:쀀雘雘ꨚ皕\3쀀雸雸ꨚ皕\3쀀隘隘ꨚ皕\3쀀靸靸ꨚ皕\3쀀靘靘ꨚ皕\3쀀鞘鞘ꨚ皕\3쀀鞸鞸ꨚ皕\3쀀韘韘ꨚ皕\3쀀韸韸ꨚ皕\3쀀領領ꨚ皕\3쀀쏰쏰ꨚ皕\3쀀쐐쐐ꨚ皕\3쀀쐰쐰ꨚ皕\3쀀쑐\3쀀쑰쑰ꨚ皕\3쀀쒐쒐ꨚ皕\3쀀쒰쒰ꨚ皕\3쀀쓐쓐ꨚ皕\耀\3쀀씐씐ꨚ皕\3쀀씰㟀ꨚ皕㣐	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Default\Cookies\Roaming\ꞔ皕"쀀\ꞔ皕:쀀\ꞔ皕:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\AppData\Local\History\Color\ꞔ皕"쀀\ꞔ皕:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\Application Data\Roaming\ꞔ皕"쀀⦸⟀ꨚ皕\ꞔ皕:쀀㐠㐈ꨚ皕	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\All Users\Desktop\Updater6\ꞔ皕"쀀\ꞔ皕:쀀\ꞔ皕:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\ProgramData\Desktop\Updater6\ꞔ皕"쀀\ꞔ皕:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\ProgramData\Documents\Updater6\"쀀霰霰ꨚ皕\:쀀쐰쐰ꨚ皕\:쀀쐐쐐ꨚ皕\3쀀쏰쏰ꨚ皕\3쀀쒰쒰ꨚ皕\3쀀쓐쓐ꨚ皕\3쀀쓰쓰ꨚ皕\3쀀씐씐ꨚ皕\3쀀씰씰ꨚ皕\3쀀앐앐ꨚ皕\3쀀앰앰ꨚ皕\3쀀얐얐ꨚ皕\3쀀얰얰ꨚ皕\3쀀轠轠ꨚ皕\3쀀辀辀ꨚ皕\3쀀辠辠ꨚ皕\3쀀迀迀ꨚ皕\3쀀迠迠ꨚ皕\耀Ő	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Application Data\Color\ꞔ皕"쀀\ꞔ皕:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Default\Cookies\Roaming\ꞔ皕"쀀⦈⟘ꨚ皕\ꞔ皕:쀀䊐䉸ꨚ皕	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\All Users\Application Data\Updater6\ꞔ皕"쀀\ꞔ皕:쀀\ꞔ皕:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-3765897441-2376744223-3151462503-1000\ꞔ皕"쀀\ꞔ皕:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\System Volume Information\66db74a2-7ba5-11ea-a7bb-ce13324fd95a\ꞔ皕"쀀\ꞔ皕:쀀\ꞔ皕:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\System Volume Information\66db74a2-7ba5-11ea-a7bb-ce13324fd95a\ꞔ皕"쀀\ꞔ皕:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\AppData\Local\History\Color\ꞔ皕"쀀\ꞔ皕:쀀\ꞔ皕:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\All Users\Documents\Updater6\ꞔ皕"쀀\ꞔ皕:쀀\ꞔ皕:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\All Users\Application Data\Updater6\"쀀錨錨ꨚ皕\:쀀隸隸ꨚ皕\:쀀雘雘ꨚ皕\3쀀雸雸ꨚ皕\3쀀隘隘ꨚ皕\3쀀靸靸ꨚ皕\3쀀靘靘ꨚ皕\3쀀鞘鞘ꨚ皕\3쀀鞸鞸ꨚ皕\3쀀韘韘ꨚ皕\3쀀韸韸ꨚ皕\3쀀領領ꨚ皕\3쀀쏰쏰ꨚ皕\3쀀쐐쐐ꨚ皕\3쀀쐰Őꨚ皕ż	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\ProgramData\Application Data\Updater6\ꞔ皕"쀀\ꞔ皕:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\All Users\Templates\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ皕"쀀隐陸ꨚ皕\ꞔ皕:쀀츰츘ꨚ皕	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Default\Application Data\Roaming\ꞔ皕"쀀⦈⟀ꨚ皕\ꞔ皕:쀀䊐䉸ꨚ皕	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\All Users\Templates\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ皕"쀀\ꞔ皕:쀀\ꞔ皕:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\All Users\Favorites\Updater6\ꞔ皕"쀀隐阀ꨚ皕\ꞔ皕:쀀ꨚ皕	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-3765897441-2376744223-3151462503-1000\ꞔ皕"쀀\ꞔ皕:쀀\ꞔ皕:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\ProgramData\Favorites\Updater6\ꞔ皕"쀀\ꞔ皕:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\ProgramData\Application Data\Updater6\"쀀需需ꨚ皕\:쀀ꨚ皕\:쀀【【ꨚ皕\3쀀ꨚ皕\3쀀ꨚ皕\3쀀ꨚ皕\3쀀ꨚ皕\3쀀ꨚ皕\3쀀쐰쐰ꨚ皕\3쀀쐐쐐ꨚ皕\3쀀쏰쏰ꨚ皕\3쀀쒰쒰ꨚ皕\3쀀쓐쓐ꨚ皕\3쀀쓰쓰ꨚ皕\3쀀씐씐ꨚ皕\3쀀씰씰ꨚ皕\3쀀앐앐ꨚ皕\3쀀앰Őꨚ皕ż	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temporary Internet Files\WPDNSE\"쀀ꨚ皕\:쀀ꨚ皕\:쀀ꨚ皕\3쀀ꨚ皕\3쀀ꨚ皕\3쀀ꨚ皕\3쀀ꨚ皕\3쀀ꨚ皕\3쀀ꨚ皕\3쀀ꨚ皕\3쀀ꨚ皕\3쀀ꨚ皕\3쀀ꨚ皕\3쀀ꨚ皕\	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temporary Internet Files\WPDNSE\ꞔ皕"쀀\ꞔ皕:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\Application Data\Roaming\ꞔ皕"쀀\ꞔ皕:쀀\ꞔ皕:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\All Users\Desktop\Updater6\ꞔ皕"쀀隐闐ꨚ皕\ꞔ皕:쀀ꨚ皕	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\All Users\Start Menu\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ皕"쀀隐陠ꨚ皕\ꞔ皕:쀀츰츘ꨚ皕	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\ProgramData\Desktop\Updater6\"쀀霘霘ꨚ皕\:쀀쐰쐰ꨚ皕\:쀀쐐쐐ꨚ皕\3쀀쏰쏰ꨚ皕\3쀀쒰쒰ꨚ皕\3쀀쓐쓐ꨚ皕\3쀀쓰쓰ꨚ皕\3쀀씐씐ꨚ皕\3쀀씰씰ꨚ皕\3쀀앐앐ꨚ皕\3쀀앰앰ꨚ皕\3쀀얐얐ꨚ皕\3쀀얰얰ꨚ皕\3쀀轠轠ꨚ皕\3쀀辀辀ꨚ皕\3쀀辠辠ꨚ皕\3쀀迀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Application Data\Color\ꞔ皕"쀀꿠꽐ꨚ皕\ꞔ皕:쀀조졘ꨚ皕\ꞔ皕:쀀좐졸ꨚ皕	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\AppData\Local\History\Color\ꞔ皕"쀀꿠꽨ꨚ皕\ꞔ皕:쀀조졘ꨚ皕\ꞔ皕:쀀좐졸ꨚ皕	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temporary Internet Files\WPDNSE\ꞔ皕"쀀\ꞔ皕:쀀\ꞔ皕:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temporary Internet Files\WPDNSE\ꞔ皕"쀀꿠꿈ꨚ皕\ꞔ皕:쀀隰隘ꨚ皕\ꞔ皕:쀀雐隸ꨚ皕	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
File opened for modification	C:\Users\Default\Application Data\Roaming\ꞔ皕"쀀\ꞔ皕:쀀\ꞔ皕:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe

pid	process
2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 2044 wrote to memory of 1060	2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe	cmd.exe
PID 2044 wrote to memory of 1060	2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe	cmd.exe
PID 2044 wrote to memory of 1060	2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe	cmd.exe
PID 2044 wrote to memory of 1060	2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe	cmd.exe
PID 1060 wrote to memory of 1212	1060	cmd.exe	net.exe
PID 1060 wrote to memory of 1212	1060	cmd.exe	net.exe
PID 1060 wrote to memory of 1212	1060	cmd.exe	net.exe
PID 1060 wrote to memory of 1212	1060	cmd.exe	net.exe
PID 1212 wrote to memory of 612	1212	net.exe	net1.exe
PID 1212 wrote to memory of 612	1212	net.exe	net1.exe
PID 1212 wrote to memory of 612	1212	net.exe	net1.exe
PID 1212 wrote to memory of 612	1212	net.exe	net1.exe
PID 2044 wrote to memory of 1312	2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe	cmd.exe
PID 2044 wrote to memory of 1312	2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe	cmd.exe
PID 2044 wrote to memory of 1312	2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe	cmd.exe
PID 2044 wrote to memory of 1312	2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe	cmd.exe
PID 1312 wrote to memory of 1432	1312	cmd.exe	net.exe
PID 1312 wrote to memory of 1432	1312	cmd.exe	net.exe
PID 1312 wrote to memory of 1432	1312	cmd.exe	net.exe
PID 1312 wrote to memory of 1432	1312	cmd.exe	net.exe
PID 1432 wrote to memory of 1440	1432	net.exe	net1.exe
PID 1432 wrote to memory of 1440	1432	net.exe	net1.exe
PID 1432 wrote to memory of 1440	1432	net.exe	net1.exe
PID 1432 wrote to memory of 1440	1432	net.exe	net1.exe
PID 2044 wrote to memory of 1456	2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe	cmd.exe
PID 2044 wrote to memory of 1456	2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe	cmd.exe
PID 2044 wrote to memory of 1456	2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe	cmd.exe
PID 2044 wrote to memory of 1456	2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe	cmd.exe
PID 1456 wrote to memory of 1656	1456	cmd.exe	net.exe
PID 1456 wrote to memory of 1656	1456	cmd.exe	net.exe
PID 1456 wrote to memory of 1656	1456	cmd.exe	net.exe
PID 1456 wrote to memory of 1656	1456	cmd.exe	net.exe
PID 1656 wrote to memory of 1008	1656	net.exe	net1.exe
PID 1656 wrote to memory of 1008	1656	net.exe	net1.exe
PID 1656 wrote to memory of 1008	1656	net.exe	net1.exe
PID 1656 wrote to memory of 1008	1656	net.exe	net1.exe
PID 2044 wrote to memory of 1004	2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe	cmd.exe
PID 2044 wrote to memory of 1004	2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe	cmd.exe
PID 2044 wrote to memory of 1004	2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe	cmd.exe
PID 2044 wrote to memory of 1004	2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe	cmd.exe
PID 1004 wrote to memory of 796	1004	cmd.exe	net.exe
PID 1004 wrote to memory of 796	1004	cmd.exe	net.exe
PID 1004 wrote to memory of 796	1004	cmd.exe	net.exe
PID 1004 wrote to memory of 796	1004	cmd.exe	net.exe
PID 796 wrote to memory of 344	796	net.exe	net1.exe
PID 796 wrote to memory of 344	796	net.exe	net1.exe
PID 796 wrote to memory of 344	796	net.exe	net1.exe
PID 796 wrote to memory of 344	796	net.exe	net1.exe
PID 2044 wrote to memory of 756	2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe	cmd.exe
PID 2044 wrote to memory of 756	2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe	cmd.exe
PID 2044 wrote to memory of 756	2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe	cmd.exe
PID 2044 wrote to memory of 756	2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe	cmd.exe
PID 756 wrote to memory of 1668	756	cmd.exe	net.exe
PID 756 wrote to memory of 1668	756	cmd.exe	net.exe
PID 756 wrote to memory of 1668	756	cmd.exe	net.exe
PID 756 wrote to memory of 1668	756	cmd.exe	net.exe
PID 1668 wrote to memory of 1700	1668	net.exe	net1.exe
PID 1668 wrote to memory of 1700	1668	net.exe	net1.exe
PID 1668 wrote to memory of 1700	1668	net.exe	net1.exe
PID 1668 wrote to memory of 1700	1668	net.exe	net1.exe
PID 2044 wrote to memory of 1728	2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe	cmd.exe
PID 2044 wrote to memory of 1728	2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe	cmd.exe
PID 2044 wrote to memory of 1728	2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe	cmd.exe
PID 2044 wrote to memory of 1728	2044	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe
"C:\Users\Admin\AppData\Local\Temp\26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1212
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:1440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:796
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:1700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:1588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:1736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  PID:1776
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    PID:1788
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:1744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:1764
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:1836
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  PID:1844
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    PID:1092
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:1088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:1080
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:1548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  PID:1924
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2044-0-0x0000000000BF0000-0x0000000000C01000-memory.dmp

Filesize
68KB

Download
memory/2044-1-0x0000000001390000-0x00000000013A1000-memory.dmp

Filesize
68KB

Download
memory/2044-2-0x0000000000BF0000-0x0000000000C01000-memory.dmp

Filesize
68KB

Download