ouroboros | 7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319

General

Target

7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
Size

997KB
MD5

5425c30ebba4f84d1874a2c783932646
SHA1

80db4a06b57e61695389c354f155c26bb125bd71
SHA256

7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319
SHA512

457b1539296379bd93adfbc8c3a172405f9c341d9d8aa1c6a8c1dbb0ff52ae564911b1a1218ec5613a5e9e2bcca0c00001d118fb36868391ee93f8155b304f1f

Score

10^/10

ransomware ouroboros spyware evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros

NTFS ADS 30 IoCs

Processes:

7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\S-1-5-21-910373003-3952921535-3480519689-1000\"쀀䔀Ä䔀Äꨚ皌\:쀀ÀÀꨚ皌\:쀀ÀÀꨚ皌\3쀀ÀÀꨚ皌\3쀀ÀÀꨚ皌\3쀀ÀÀꨚ皌\3쀀ÀÀꨚ皌\3쀀ÀÀꨚ皌\3쀀ÀÀꨚ皌\3쀀ÀÀꨚ皌\㟀¿ÀÀꨚ皌	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Favorites\Updater6\ꞔ皌"쀀\ꞔ皌:쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Templates\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ皌"쀀읰Æ의Æꨚ皌\ꞔ皌:쀀纠Â纈Âꨚ皌	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Documents\Updater6\ꞔ皌"쀀\ꞔ皌:쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Templates\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ皌"쀀\ꞔ皌:쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temporary Internet Files\WPDNSE\ꞔ皌"쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\All Users\Templates\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ皌"쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Application Data\Updater6\ꞔ皌"쀀읰Æ욀Æꨚ皌\ꞔ皌:쀀쏰Ä쏘Äꨚ皌	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Favorites\Updater6\ꞔ皌"쀀읰Æ웈Æꨚ皌\ꞔ皌:쀀쏰Ä쏘Äꨚ皌	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Start Menu\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ皌"쀀읰Æ은Æꨚ皌\ꞔ皌:쀀纠Â纈Âꨚ皌	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Desktop\Updater6\ꞔ皌"쀀\ꞔ皌:쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\System Volume Information\44e79742-8b20-11ea-a722-f2e765a3a928\ꞔ皌"쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Desktop\Updater6\ꞔ皌"쀀읰Æ욘Æꨚ皌\ꞔ皌:쀀쏰Ä쏘Äꨚ皌	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\AppData\Local\History\Chrome\ꞔ皌"쀀䟘Æ䝈Æꨚ皌\ꞔ皌:쀀繀Â縨Âꨚ皌	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\All Users\Favorites\Updater6\ꞔ皌"쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Default\Application Data\Roaming\ꞔ皌"쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\AppData\Local\Application Data\Color\ꞔ皌"쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temporary Internet Files\WPDNSE\ꞔ皌"쀀䟘Æ䟀Æꨚ皌\ꞔ皌:쀀ÀÀꨚ皌	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Default\Cookies\Roaming\ꞔ皌"쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\AppData\Local\History\Chrome\ꞔ皌"쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\Application Data\Roaming\ꞔ皌"쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Application Data\Updater6\ꞔ皌"쀀\ꞔ皌:쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\All Users\Application Data\Updater6\ꞔ皌"쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-910373003-3952921535-3480519689-1000\ꞔ皌"쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Start Menu\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ皌"쀀\ꞔ皌:쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Documents\Updater6\ꞔ皌"쀀읰Æ우Æꨚ皌\ꞔ皌:쀀쏰Ä쏘Äꨚ皌	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\AppData\Local\Application Data\Color\ꞔ皌"쀀䟘Æ䜘Æꨚ皌\ꞔ皌:쀀纠Â纈Âꨚ皌	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\All Users\Desktop\Updater6\ꞔ皌"쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\All Users\Documents\Updater6\ꞔ皌"쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\All Users\Start Menu\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ皌"쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Makes http(s) request 7 IoCs

Contacts server via http/https, possibly for C2 communication.

Processes:

description	flow	ioc
HTTP URL	20	http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
HTTP URL	18	http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
HTTP URL	2	http://www.sfml-dev.org/ip-provider.php
HTTP URL	21	http://www.sfml-dev.org/ip-provider.php
HTTP URL	23	http://www.sfml-dev.org/ip-provider.php
HTTP URL	14	http://apps.identrust.com/roots/dstrootcax3.p7c
HTTP URL	16	http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

Drops desktop.ini file(s) 256 IoCs

Processes:

7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

description	ioc	process
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-heritage_31bf3856ad364e35_6.1.7600.16385_none_5872c0830d0c4747\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_6.1.7600.16385_none_36604ea896f9a97d\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\Desktop\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\IQD6DIKV\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_6.1.7600.16385_none_480c0d8bd31ae43f\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\Music\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\Pictures\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-910373003-3952921535-3480519689-1000\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ndthemes-characters_31bf3856ad364e35_6.1.7600.16385_none_08da32b0fdad9220\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\IQD6DIKV\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\557LH6Z9\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-videosamples_31bf3856ad364e35_6.1.7600.16385_none_51a21f033003affd\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_6.1.7600.16385_none_61fc91b36f901b87\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\Contacts\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Public\Downloads\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-fontext_31bf3856ad364e35_6.1.7601.17514_none_fcab9df20a3cd55f\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\557LH6Z9\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Media\Cityscape\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.2.9600.16428_none_4382f60666c7c23b\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1IGGBW8Z\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\LUBVL9MG\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Web\Wallpaper\Nature\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gameexplorer_31bf3856ad364e35_6.1.7601.17514_none_a026547dd7dc8bbc\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OT4YD26O\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_6.1.7600.16385_none_64398328adc9c59d\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Media\Quirky\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\Favorites\Links for United States\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

Modifies service 2 TTPs 10 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

netsh.exenetsh.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe

Drops startup file 4 IoCs

Processes:

7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

Drops file in Windows directory 29381 IoCs

Processes:

7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\amd64_prnhp002.inf_31bf3856ad364e35_6.1.7600.16385_none_2f4e6f72537f8faa\Amd64\HPBMIAPI.DLL	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Media\Garden\Windows Battery Critical.wav	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\normidna.nlp	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv43e0ae6e#\be97f3855d5ee65e57f6c510078213d1\System.ServiceModel.Routing.ni.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-WinIP-Package~31bf3856ad364e35~amd64~en-US~7.1.7601.16492.cat	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-icm-profiles_31bf3856ad364e35_6.1.7600.16385_none_f5547dd01f628131\D50.camp	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Media\Raga\Windows Hardware Fail.wav	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-homegroupdiagnostic_31bf3856ad364e35_6.1.7600.16385_none_eebe8ae2f626d85c\CL_INetwork.ps1	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\CA-wp5.jpg	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\inf\mdmnis2u.inf	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.resources\v4.0_3.0.0.0_en_31bf3856ad364e35\Microsoft.Powershell.Commands.Management.Resources.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp004.inf_31bf3856ad364e35_6.1.7600.16385_none_306093dc85bc087c\Amd64\hpc4500t.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Help\Windows\en-US\migrate.h1s	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_41a82a52123f4af2_aclui.dll.mui_adadbfb7	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-r..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8a371f8237ce9694\rdrleakdiag.exe.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\inf\prnnr002.inf	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.Tools\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Diagnostics.Tools.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-UIAnimation-WinIP-Package~31bf3856ad364e35~amd64~bg-BG~7.1.7601.16492.mum	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..nt-sku-professional_31bf3856ad364e35_6.1.7601.17514_none_a8ea294e63b19921\Security-SPP-Component-SKU-Professional-VL-DMAK1-ul-oob.xrm-ms	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c5f238be3fa63468\services.exe.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-syncinfrastructure_31bf3856ad364e35_6.1.7600.16385_none_ede425bf1ce16283\SyncInfrastructureps.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wmi-mofinstaller_31bf3856ad364e35_7.2.7601.23317_none_2a6f189c852d6119\mofinstall.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Microsoft.Ink.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Base-WinIP-Package~31bf3856ad364e35~amd64~pt-BR~7.1.7601.16492.cat	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu_31bf3856ad364e35_6.1.7600.16385_none_a79a90daaf5bbeef\dial.png	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-00000465_31bf3856ad364e35_6.1.7600.16385_none_44fca9fa7cc56c13\KBDDIV1.DLL	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..xing-service-server_31bf3856ad364e35_6.1.7601.17514_none_0db5e5844ed6ffe9\perfci.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_volsnap.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6f581c9c9aef0771\volsnap.inf_loc	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Media\Afternoon\Windows Battery Low.wav	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..csengine-nativehost_31bf3856ad364e35_6.1.7600.16385_none_761ad65676427bd9\sdiagnhost.exe	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Graphics\Rotate9.ico	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~~7.1.7601.16492.mum	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_nl-nl_93d8d7e28ba5f11d\bootmgr.efi.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-eventlog-adm_31bf3856ad364e35_6.1.7600.16385_none_02a85deb8287727e\EventLog.admx	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..oxgames-minesweeper_31bf3856ad364e35_6.1.7600.16385_none_fe560f0352e04f48\MineSweeper.exe	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_code_b03f5f7f11d50a3a_6.1.7600.16385_none_09906177615c2112\PasswordValueTextBox.cs	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp004.inf_31bf3856ad364e35_6.1.7600.16385_none_306093dc85bc087c\Amd64\hpc5300t.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_prnsv004.inf_31bf3856ad364e35_6.1.7600.16385_none_622bdff1f27c66b3\Amd64\SA1311E3.PPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-lanmanserver-adm_31bf3856ad364e35_6.1.7600.16385_none_596faacb0e799514\LanmanServer.admx	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_prnlx005.inf_31bf3856ad364e35_6.1.7600.16385_none_493e427f11718439\Amd64\LMT430.GPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelPerformanceCounters.man	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..eyboard-korean_101c_31bf3856ad364e35_6.1.7600.16385_none_e1bb6033344e9a8a\kbd101c.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ribbons_31bf3856ad364e35_6.1.7601.17514_none_e6dae9713e9b7588\Ribbons.scr	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpc5200t.exp	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_wwf-system.workflow.componentmodel_31bf3856ad364e35_6.1.7601.17514_none_ea0a1ee824b5330b\System.Workflow.ComponentModel.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-advpack_31bf3856ad364e35_8.0.7600.16385_none_227a9e5883838d14\advpack.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\inf\ASP.NET_4.0.30319\000B\aspnet_perf.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2d7749943fcc6ea3\localizedStrings.js	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-00000816_31bf3856ad364e35_6.1.7601.17514_none_47a3b8007966d96b\KBDPO.DLL	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..utilities.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e831032377c39281\tracert.exe.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_prnsv003.inf_31bf3856ad364e35_6.1.7600.16385_none_61a2cdbcd95e2a4a\Amd64\SV31N6.GPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\inf\wpdmtp.inf	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-font-truetype-rod_31bf3856ad364e35_6.1.7600.16385_none_ea0e600fcdbd21b9\rod.ttf	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Fonts\WINGDNG2.TTF	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_prnep00c.inf_31bf3856ad364e35_6.1.7600.16385_none_adb67b12e1bb863e\Amd64\EP0NGN8T.GPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\inf\mdmaiwa4.inf	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-t..-platform-libraries_31bf3856ad364e35_6.1.7601.17514_none_4896f054b1edb553_icmp.dll_f0a9e399	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-coreos_31bf3856ad364e35_6.1.7601.17514_none_8dccf60889519373.manifest	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-push_31bf3856ad364e35_6.1.7600.16385_none_cc073ae540855a07\push_item.png	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenes\img28.jpg	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-directx-direct3d10_31bf3856ad364e35_6.1.7600.16385_none_4bad5745e75d0468\d3d10core.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-netshell_31bf3856ad364e35_6.1.7601.17514_none_33a9704224aa536e\NetworkConnectionsFolder.ptxml	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_prnkm004.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0f4709cfc7e99c7c\prnkm004.inf_loc	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

Drops file in System32 directory 11156 IoCs

Processes:

7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmcrtix.inf_amd64_neutral_e91a5dc0655e200a\mdmcrtix.inf	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngt002.inf_amd64_neutral_df2060d80de9ff13\Amd64\GS3350B.GPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPP8100T.XML	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky008.inf_amd64_neutral_9f6abc54cbf095f2\Amd64\KYKC1350.PPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky009.inf_amd64_neutral_8e54c9ff272b72f1\Amd64\KYFS2020.GPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnr002.inf_amd64_neutral_37896c5e81c8d488\Amd64\NR8000.GPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc003.inf_amd64_neutral_47e09b7cc0d9e993\prnrc003.PNF	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\msxml6.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\wbem\wpcsprov.mof	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_neutral_f935002f367d5bb0\usbehci.sys	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_neutral_4616c3de1949be6d\Amd64\PS_SCHM.GDL	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky002.inf_amd64_neutral_525d9740c77e325f\Amd64\KYEPC270.PPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc005.inf_amd64_neutral_31e08a1c2f933124\Amd64\RIAS410N.GPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\en-US\msra.exe.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\sv-SE\WMPhoto.dll.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\dskquota.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_311_for_KB3109118~31bf3856ad364e35~amd64~~6.1.4.0.cat	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~ru-RU~7.1.7601.16492.cat	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\idndl.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-VirtualPC-USB-RPM-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wsdprint.inf_amd64_neutral_f91980f20f3112ed\WSDPrint.sys	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\en-US\clb.dll.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSScheduledJob\PSScheduledJob.Format.ps1xml	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\PING.EXE	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-WinIP-Package~31bf3856ad364e35~amd64~lt-LT~7.1.7601.16492.cat	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08ac.bcm	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVRAH.DLL	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\en-US\mmsys.cpl.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\en-US\setup16.exe.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PhotoBasicPackage~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Shell-HomeGroup-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ph6xib64c1.inf_amd64_neutral_68c99681343e9b68\ph6xib64c1.inf	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\migration\modemmigplugin.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\shsetup.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\networkexplorer.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\netvwifimp.inf_loc	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_neutral_4616c3de1949be6d\Amd64\PSCRIPT5.DLL	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnr004.inf_amd64_neutral_3319ff2548f89fd8\Amd64\NR1391E3.PPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\dpapiprovider.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\KBDFO.DLL	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\KBDHELA2.DLL	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\RESAMPLEDMO.DLL	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky003.inf_amd64_neutral_fe7ea176f20ab839\Amd64\KYFS37EP.GPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\en-US\bfe.dll.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\ir41_qcx.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\sppcomapi.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\1394.inf_amd64_neutral_0b11366838152a76\1394.inf	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmetech.inf_amd64_neutral_230358eeb58f0b3b\mdmetech.inf	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpzscw71.dtd	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\asycfilt.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_58_for_KB2731771~31bf3856ad364e35~amd64~~6.1.1.1.cat	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnin004.inf_amd64_neutral_c8902ae660ab1360\Amd64\IF4181E3.PPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnxx002.inf_amd64_neutral_560fdd891b24f384\Amd64\XR6180MN.PPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\msimsg.dll.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\scksp.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky008.inf_amd64_neutral_9f6abc54cbf095f2\Amd64\KYKC2020.PPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wpdcomp.inf_amd64_neutral_11bbf54c8508434e\Wpdcomp.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Video-TVVideoControl-DL.man	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\cdosys.dll.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\kbdgeoer.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_181_for_KB3109118~31bf3856ad364e35~amd64~~6.1.4.0.cat	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00c.inf_amd64_neutral_510c36849918ce92\Amd64\CNBP_316.DLL	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj3600t.gpd	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnin003.inf_amd64_neutral_3a3c6293d0cda862\Amd64\IF24356.GPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

Drops file in Drivers directory 9 IoCs

Processes:

7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

Suspicious use of WriteProcessMemory 124 IoCs

Processes:

7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 288 wrote to memory of 112	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 112	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 112	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 112	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 112 wrote to memory of 800	112	cmd.exe	net.exe
PID 112 wrote to memory of 800	112	cmd.exe	net.exe
PID 112 wrote to memory of 800	112	cmd.exe	net.exe
PID 112 wrote to memory of 800	112	cmd.exe	net.exe
PID 800 wrote to memory of 484	800	net.exe	net1.exe
PID 800 wrote to memory of 484	800	net.exe	net1.exe
PID 800 wrote to memory of 484	800	net.exe	net1.exe
PID 800 wrote to memory of 484	800	net.exe	net1.exe
PID 288 wrote to memory of 740	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 740	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 740	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 740	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 740 wrote to memory of 1088	740	cmd.exe	net.exe
PID 740 wrote to memory of 1088	740	cmd.exe	net.exe
PID 740 wrote to memory of 1088	740	cmd.exe	net.exe
PID 740 wrote to memory of 1088	740	cmd.exe	net.exe
PID 1088 wrote to memory of 1056	1088	net.exe	net1.exe
PID 1088 wrote to memory of 1056	1088	net.exe	net1.exe
PID 1088 wrote to memory of 1056	1088	net.exe	net1.exe
PID 1088 wrote to memory of 1056	1088	net.exe	net1.exe
PID 288 wrote to memory of 1508	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 1508	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 1508	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 1508	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 1508 wrote to memory of 1672	1508	cmd.exe	net.exe
PID 1508 wrote to memory of 1672	1508	cmd.exe	net.exe
PID 1508 wrote to memory of 1672	1508	cmd.exe	net.exe
PID 1508 wrote to memory of 1672	1508	cmd.exe	net.exe
PID 1672 wrote to memory of 1356	1672	net.exe	net1.exe
PID 1672 wrote to memory of 1356	1672	net.exe	net1.exe
PID 1672 wrote to memory of 1356	1672	net.exe	net1.exe
PID 1672 wrote to memory of 1356	1672	net.exe	net1.exe
PID 288 wrote to memory of 1368	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 1368	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 1368	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 1368	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 1368 wrote to memory of 1804	1368	cmd.exe	net.exe
PID 1368 wrote to memory of 1804	1368	cmd.exe	net.exe
PID 1368 wrote to memory of 1804	1368	cmd.exe	net.exe
PID 1368 wrote to memory of 1804	1368	cmd.exe	net.exe
PID 1804 wrote to memory of 1796	1804	net.exe	net1.exe
PID 1804 wrote to memory of 1796	1804	net.exe	net1.exe
PID 1804 wrote to memory of 1796	1804	net.exe	net1.exe
PID 1804 wrote to memory of 1796	1804	net.exe	net1.exe
PID 288 wrote to memory of 1812	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 1812	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 1812	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 1812	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 1812 wrote to memory of 1848	1812	cmd.exe	net.exe
PID 1812 wrote to memory of 1848	1812	cmd.exe	net.exe
PID 1812 wrote to memory of 1848	1812	cmd.exe	net.exe
PID 1812 wrote to memory of 1848	1812	cmd.exe	net.exe
PID 1848 wrote to memory of 1836	1848	net.exe	net1.exe
PID 1848 wrote to memory of 1836	1848	net.exe	net1.exe
PID 1848 wrote to memory of 1836	1848	net.exe	net1.exe
PID 1848 wrote to memory of 1836	1848	net.exe	net1.exe
PID 288 wrote to memory of 1864	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 1864	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 1864	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 1864	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

pid	process
288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

Drops file in Program Files directory 27513 IoCs

Processes:

7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tiptsf.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Riga.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0386485.JPG.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_center.gif.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PAGESIZE\PGLBL001.XML.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\PS9CRNRH.POC.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\goopdateres_sr.dll.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\La_Rioja.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\IMAGE.JPG	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libscale_plugin.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR31F.GIF.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR45F.GIF.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_ja_4.4.0.v20140623020002.jar.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\vocaroo.luac	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\STSLIST.DLL	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14871_.GIF.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\redStateIcon.png	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\BD08773_.WMF.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MEDIA\COIN.WAV.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolBMPs\NotifierUpArrow.jpg.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Yakutsk	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down_BIDI.png	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Microsoft.SharePoint.BusinessData.Administration.Client.xml.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Microsoft Office\Document Themes 14\Theme Effects\Executive.eftx.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\OUTLBAR.INF.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunec.jar	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME46.CSS	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_zh_CN.jar.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR38F.GIF.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOSTYLE.DLL	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_pressed.gif.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.bfc	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\FD02153_.WMF	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\FLAP.WMF.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text_3.9.1.v20140827-1810.jar	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgradient_plugin.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\setup.swf.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\Shorthand.jtp	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport_PAL.wmv	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDFFile_8.ico	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_win7.css	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dcpr.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Microsoft Office\Office14\PUBWIZ\CALHM.POC.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Theme Colors\Foundry.xml	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\BIZCARD.DPV	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PARNT_01.MID	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana\TAB_OFF.GIF.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\OutlookAutoDiscover\NVBELL.NET.XML.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme_0.9.300.v20140424-2042.jar.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00780L.GIF.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR51F.GIF.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14530_.GIF.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Templates\1033\Access\DataType\Category.accft.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libshm_plugin.dll.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pe.dll.[Hichkasam@protonmail.com][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\FD00397_.WMF	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

Runs net.exe

C:\Users\Admin\AppData\Local\Temp\7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
"C:\Users\Admin\AppData\Local\Temp\7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe"
1⤵
- NTFS ADS
- Drops desktop.ini file(s)
- Drops startup file
- Drops file in Windows directory
- Drops file in System32 directory
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Drops file in Program Files directory
PID:288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLWriter
2⤵
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
3⤵
- Suspicious use of WriteProcessMemory
PID:800

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
4⤵
PID:484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLBrowser
2⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
3⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
4⤵
PID:1056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:1356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
2⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\net.exe
net stop MSSQL$CONTOSO1
3⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$CONTOSO1
4⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSDTC
2⤵
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\net.exe
net stop MSDTC
3⤵
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSDTC
4⤵
PID:1836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:1864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
2⤵
PID:1880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
2⤵
PID:1784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
2⤵
PID:1764

C:\Windows\SysWOW64\net.exe
net stop SQLSERVERAGENT
3⤵
PID:568

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT
4⤵
PID:844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
PID:920

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
PID:1224

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:1220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop vds
2⤵
PID:700

C:\Windows\SysWOW64\net.exe
net stop vds
3⤵
PID:1120

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vds
4⤵
PID:1732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
2⤵
PID:1624

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies service
PID:1580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
2⤵
PID:1540

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies service
PID:1976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/288-0-0x0000000000FC0000-0x0000000000FD1000-memory.dmp

Filesize
68KB

Download
memory/288-1-0x00000000013D0000-0x00000000013E1000-memory.dmp

Filesize
68KB

Download
memory/288-2-0x0000000000FC0000-0x0000000000FD1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads