ouroboros | 7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319

Analysis

max time kernel
102s
max time network
271s
platform
windows7_x64
resource
win7v200430
submitted
03-05-2020 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
Size

997KB
MD5

5425c30ebba4f84d1874a2c783932646
SHA1

80db4a06b57e61695389c354f155c26bb125bd71
SHA256

7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319
SHA512

457b1539296379bd93adfbc8c3a172405f9c341d9d8aa1c6a8c1dbb0ff52ae564911b1a1218ec5613a5e9e2bcca0c00001d118fb36868391ee93f8155b304f1f

Score

10^/10

ransomware ouroboros spyware evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros

NTFS ADS 30 IoCs

Processes:

7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\S-1-5-21-910373003-3952921535-3480519689-1000\"쀀䔀Ä䔀Äꨚ皌\:쀀ÀÀꨚ皌\:쀀ÀÀꨚ皌\3쀀ÀÀꨚ皌\3쀀ÀÀꨚ皌\3쀀ÀÀꨚ皌\3쀀ÀÀꨚ皌\3쀀ÀÀꨚ皌\3쀀ÀÀꨚ皌\3쀀ÀÀꨚ皌\㟀¿ÀÀꨚ皌	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Favorites\Updater6\ꞔ皌"쀀\ꞔ皌:쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Templates\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ皌"쀀읰Æ의Æꨚ皌\ꞔ皌:쀀纠Â纈Âꨚ皌	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Documents\Updater6\ꞔ皌"쀀\ꞔ皌:쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Templates\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ皌"쀀\ꞔ皌:쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temporary Internet Files\WPDNSE\ꞔ皌"쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\All Users\Templates\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ皌"쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Application Data\Updater6\ꞔ皌"쀀읰Æ욀Æꨚ皌\ꞔ皌:쀀쏰Ä쏘Äꨚ皌	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Favorites\Updater6\ꞔ皌"쀀읰Æ웈Æꨚ皌\ꞔ皌:쀀쏰Ä쏘Äꨚ皌	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Start Menu\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ皌"쀀읰Æ은Æꨚ皌\ꞔ皌:쀀纠Â纈Âꨚ皌	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Desktop\Updater6\ꞔ皌"쀀\ꞔ皌:쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\System Volume Information\44e79742-8b20-11ea-a722-f2e765a3a928\ꞔ皌"쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Desktop\Updater6\ꞔ皌"쀀읰Æ욘Æꨚ皌\ꞔ皌:쀀쏰Ä쏘Äꨚ皌	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\AppData\Local\History\Chrome\ꞔ皌"쀀䟘Æ䝈Æꨚ皌\ꞔ皌:쀀繀Â縨Âꨚ皌	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\All Users\Favorites\Updater6\ꞔ皌"쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Default\Application Data\Roaming\ꞔ皌"쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\AppData\Local\Application Data\Color\ꞔ皌"쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temporary Internet Files\WPDNSE\ꞔ皌"쀀䟘Æ䟀Æꨚ皌\ꞔ皌:쀀ÀÀꨚ皌	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Default\Cookies\Roaming\ꞔ皌"쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\AppData\Local\History\Chrome\ꞔ皌"쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\Application Data\Roaming\ꞔ皌"쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Application Data\Updater6\ꞔ皌"쀀\ꞔ皌:쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\All Users\Application Data\Updater6\ꞔ皌"쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-910373003-3952921535-3480519689-1000\ꞔ皌"쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Start Menu\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ皌"쀀\ꞔ皌:쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Documents\Updater6\ꞔ皌"쀀읰Æ우Æꨚ皌\ꞔ皌:쀀쏰Ä쏘Äꨚ皌	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\AppData\Local\Application Data\Color\ꞔ皌"쀀䟘Æ䜘Æꨚ皌\ꞔ皌:쀀纠Â纈Âꨚ皌	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\All Users\Desktop\Updater6\ꞔ皌"쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\All Users\Documents\Updater6\ꞔ皌"쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\All Users\Start Menu\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ皌"쀀\ꞔ皌:쀀	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Makes http(s) request 7 IoCs

Contacts server via http/https, possibly for C2 communication.

Processes:

description	flow	ioc
HTTP URL	20	http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
HTTP URL	18	http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
HTTP URL	2	http://www.sfml-dev.org/ip-provider.php
HTTP URL	21	http://www.sfml-dev.org/ip-provider.php
HTTP URL	23	http://www.sfml-dev.org/ip-provider.php
HTTP URL	14	http://apps.identrust.com/roots/dstrootcax3.p7c
HTTP URL	16	http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

Drops desktop.ini file(s) 256 IoCs

Processes:

7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

description	ioc	process
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-heritage_31bf3856ad364e35_6.1.7600.16385_none_5872c0830d0c4747\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_6.1.7600.16385_none_36604ea896f9a97d\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\Desktop\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\IQD6DIKV\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_6.1.7600.16385_none_480c0d8bd31ae43f\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\Music\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\Pictures\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-910373003-3952921535-3480519689-1000\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ndthemes-characters_31bf3856ad364e35_6.1.7600.16385_none_08da32b0fdad9220\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\IQD6DIKV\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\557LH6Z9\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-videosamples_31bf3856ad364e35_6.1.7600.16385_none_51a21f033003affd\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_6.1.7600.16385_none_61fc91b36f901b87\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\Contacts\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Public\Downloads\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-fontext_31bf3856ad364e35_6.1.7601.17514_none_fcab9df20a3cd55f\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\557LH6Z9\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Media\Cityscape\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.2.9600.16428_none_4382f60666c7c23b\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1IGGBW8Z\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\LUBVL9MG\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Web\Wallpaper\Nature\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gameexplorer_31bf3856ad364e35_6.1.7601.17514_none_a026547dd7dc8bbc\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OT4YD26O\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_6.1.7600.16385_none_64398328adc9c59d\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Media\Quirky\Desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\Favorites\Links for United States\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

Modifies service 2 TTPs 10 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

netsh.exenetsh.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe

Drops startup file 4 IoCs

Processes:

7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

Drops file in Windows directory 29381 IoCs

Processes:

7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\amd64_prnhp002.inf_31bf3856ad364e35_6.1.7600.16385_none_2f4e6f72537f8faa\Amd64\HPBMIAPI.DLL	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Media\Garden\Windows Battery Critical.wav	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\normidna.nlp	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv43e0ae6e#\be97f3855d5ee65e57f6c510078213d1\System.ServiceModel.Routing.ni.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-WinIP-Package~31bf3856ad364e35~amd64~en-US~7.1.7601.16492.cat	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-icm-profiles_31bf3856ad364e35_6.1.7600.16385_none_f5547dd01f628131\D50.camp	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Media\Raga\Windows Hardware Fail.wav	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-homegroupdiagnostic_31bf3856ad364e35_6.1.7600.16385_none_eebe8ae2f626d85c\CL_INetwork.ps1	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\CA-wp5.jpg	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\inf\mdmnis2u.inf	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.resources\v4.0_3.0.0.0_en_31bf3856ad364e35\Microsoft.Powershell.Commands.Management.Resources.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp004.inf_31bf3856ad364e35_6.1.7600.16385_none_306093dc85bc087c\Amd64\hpc4500t.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Help\Windows\en-US\migrate.h1s	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_41a82a52123f4af2_aclui.dll.mui_adadbfb7	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-r..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8a371f8237ce9694\rdrleakdiag.exe.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\inf\prnnr002.inf	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.Tools\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Diagnostics.Tools.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-UIAnimation-WinIP-Package~31bf3856ad364e35~amd64~bg-BG~7.1.7601.16492.mum	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..nt-sku-professional_31bf3856ad364e35_6.1.7601.17514_none_a8ea294e63b19921\Security-SPP-Component-SKU-Professional-VL-DMAK1-ul-oob.xrm-ms	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c5f238be3fa63468\services.exe.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-syncinfrastructure_31bf3856ad364e35_6.1.7600.16385_none_ede425bf1ce16283\SyncInfrastructureps.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wmi-mofinstaller_31bf3856ad364e35_7.2.7601.23317_none_2a6f189c852d6119\mofinstall.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Microsoft.Ink.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Base-WinIP-Package~31bf3856ad364e35~amd64~pt-BR~7.1.7601.16492.cat	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu_31bf3856ad364e35_6.1.7600.16385_none_a79a90daaf5bbeef\dial.png	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-00000465_31bf3856ad364e35_6.1.7600.16385_none_44fca9fa7cc56c13\KBDDIV1.DLL	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..xing-service-server_31bf3856ad364e35_6.1.7601.17514_none_0db5e5844ed6ffe9\perfci.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_volsnap.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6f581c9c9aef0771\volsnap.inf_loc	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Media\Afternoon\Windows Battery Low.wav	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..csengine-nativehost_31bf3856ad364e35_6.1.7600.16385_none_761ad65676427bd9\sdiagnhost.exe	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Graphics\Rotate9.ico	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~~7.1.7601.16492.mum	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_nl-nl_93d8d7e28ba5f11d\bootmgr.efi.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-eventlog-adm_31bf3856ad364e35_6.1.7600.16385_none_02a85deb8287727e\EventLog.admx	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..oxgames-minesweeper_31bf3856ad364e35_6.1.7600.16385_none_fe560f0352e04f48\MineSweeper.exe	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_code_b03f5f7f11d50a3a_6.1.7600.16385_none_09906177615c2112\PasswordValueTextBox.cs	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp004.inf_31bf3856ad364e35_6.1.7600.16385_none_306093dc85bc087c\Amd64\hpc5300t.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_prnsv004.inf_31bf3856ad364e35_6.1.7600.16385_none_622bdff1f27c66b3\Amd64\SA1311E3.PPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-lanmanserver-adm_31bf3856ad364e35_6.1.7600.16385_none_596faacb0e799514\LanmanServer.admx	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_prnlx005.inf_31bf3856ad364e35_6.1.7600.16385_none_493e427f11718439\Amd64\LMT430.GPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelPerformanceCounters.man	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..eyboard-korean_101c_31bf3856ad364e35_6.1.7600.16385_none_e1bb6033344e9a8a\kbd101c.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ribbons_31bf3856ad364e35_6.1.7601.17514_none_e6dae9713e9b7588\Ribbons.scr	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpc5200t.exp	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_wwf-system.workflow.componentmodel_31bf3856ad364e35_6.1.7601.17514_none_ea0a1ee824b5330b\System.Workflow.ComponentModel.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-advpack_31bf3856ad364e35_8.0.7600.16385_none_227a9e5883838d14\advpack.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\inf\ASP.NET_4.0.30319\000B\aspnet_perf.ini	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2d7749943fcc6ea3\localizedStrings.js	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-00000816_31bf3856ad364e35_6.1.7601.17514_none_47a3b8007966d96b\KBDPO.DLL	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..utilities.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e831032377c39281\tracert.exe.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_prnsv003.inf_31bf3856ad364e35_6.1.7600.16385_none_61a2cdbcd95e2a4a\Amd64\SV31N6.GPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\inf\wpdmtp.inf	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-font-truetype-rod_31bf3856ad364e35_6.1.7600.16385_none_ea0e600fcdbd21b9\rod.ttf	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Fonts\WINGDNG2.TTF	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_prnep00c.inf_31bf3856ad364e35_6.1.7600.16385_none_adb67b12e1bb863e\Amd64\EP0NGN8T.GPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\inf\mdmaiwa4.inf	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-t..-platform-libraries_31bf3856ad364e35_6.1.7601.17514_none_4896f054b1edb553_icmp.dll_f0a9e399	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-coreos_31bf3856ad364e35_6.1.7601.17514_none_8dccf60889519373.manifest	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-push_31bf3856ad364e35_6.1.7600.16385_none_cc073ae540855a07\push_item.png	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenes\img28.jpg	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-directx-direct3d10_31bf3856ad364e35_6.1.7600.16385_none_4bad5745e75d0468\d3d10core.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-netshell_31bf3856ad364e35_6.1.7601.17514_none_33a9704224aa536e\NetworkConnectionsFolder.ptxml	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\winsxs\amd64_prnkm004.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0f4709cfc7e99c7c\prnkm004.inf_loc	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

Drops file in System32 directory 11156 IoCs

Processes:

7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmcrtix.inf_amd64_neutral_e91a5dc0655e200a\mdmcrtix.inf	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngt002.inf_amd64_neutral_df2060d80de9ff13\Amd64\GS3350B.GPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPP8100T.XML	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky008.inf_amd64_neutral_9f6abc54cbf095f2\Amd64\KYKC1350.PPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky009.inf_amd64_neutral_8e54c9ff272b72f1\Amd64\KYFS2020.GPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnr002.inf_amd64_neutral_37896c5e81c8d488\Amd64\NR8000.GPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc003.inf_amd64_neutral_47e09b7cc0d9e993\prnrc003.PNF	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\msxml6.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\wbem\wpcsprov.mof	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_neutral_f935002f367d5bb0\usbehci.sys	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_neutral_4616c3de1949be6d\Amd64\PS_SCHM.GDL	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky002.inf_amd64_neutral_525d9740c77e325f\Amd64\KYEPC270.PPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc005.inf_amd64_neutral_31e08a1c2f933124\Amd64\RIAS410N.GPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\en-US\msra.exe.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\sv-SE\WMPhoto.dll.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\dskquota.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_311_for_KB3109118~31bf3856ad364e35~amd64~~6.1.4.0.cat	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~ru-RU~7.1.7601.16492.cat	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\idndl.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-VirtualPC-USB-RPM-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wsdprint.inf_amd64_neutral_f91980f20f3112ed\WSDPrint.sys	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\en-US\clb.dll.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSScheduledJob\PSScheduledJob.Format.ps1xml	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\PING.EXE	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-WinIP-Package~31bf3856ad364e35~amd64~lt-LT~7.1.7601.16492.cat	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08ac.bcm	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVRAH.DLL	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\en-US\mmsys.cpl.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\en-US\setup16.exe.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PhotoBasicPackage~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Shell-HomeGroup-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ph6xib64c1.inf_amd64_neutral_68c99681343e9b68\ph6xib64c1.inf	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\migration\modemmigplugin.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\shsetup.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\networkexplorer.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\netvwifimp.inf_loc	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_neutral_4616c3de1949be6d\Amd64\PSCRIPT5.DLL	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnr004.inf_amd64_neutral_3319ff2548f89fd8\Amd64\NR1391E3.PPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\dpapiprovider.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\KBDFO.DLL	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\KBDHELA2.DLL	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\RESAMPLEDMO.DLL	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky003.inf_amd64_neutral_fe7ea176f20ab839\Amd64\KYFS37EP.GPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\en-US\bfe.dll.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\ir41_qcx.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\sppcomapi.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\1394.inf_amd64_neutral_0b11366838152a76\1394.inf	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmetech.inf_amd64_neutral_230358eeb58f0b3b\mdmetech.inf	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpzscw71.dtd	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\asycfilt.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_58_for_KB2731771~31bf3856ad364e35~amd64~~6.1.1.1.cat	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnin004.inf_amd64_neutral_c8902ae660ab1360\Amd64\IF4181E3.PPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnxx002.inf_amd64_neutral_560fdd891b24f384\Amd64\XR6180MN.PPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\msimsg.dll.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\scksp.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky008.inf_amd64_neutral_9f6abc54cbf095f2\Amd64\KYKC2020.PPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wpdcomp.inf_amd64_neutral_11bbf54c8508434e\Wpdcomp.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Video-TVVideoControl-DL.man	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\cdosys.dll.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\kbdgeoer.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_181_for_KB3109118~31bf3856ad364e35~amd64~~6.1.4.0.cat	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00c.inf_amd64_neutral_510c36849918ce92\Amd64\CNBP_316.DLL	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj3600t.gpd	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnin003.inf_amd64_neutral_3a3c6293d0cda862\Amd64\IF24356.GPD	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

Drops file in Drivers directory 9 IoCs

Processes:

7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

Suspicious use of WriteProcessMemory 124 IoCs

Processes:

7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 288 wrote to memory of 112	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 112	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 112	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 112	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 112 wrote to memory of 800	112	cmd.exe	net.exe
PID 112 wrote to memory of 800	112	cmd.exe	net.exe
PID 112 wrote to memory of 800	112	cmd.exe	net.exe
PID 112 wrote to memory of 800	112	cmd.exe	net.exe
PID 800 wrote to memory of 484	800	net.exe	net1.exe
PID 800 wrote to memory of 484	800	net.exe	net1.exe
PID 800 wrote to memory of 484	800	net.exe	net1.exe
PID 800 wrote to memory of 484	800	net.exe	net1.exe
PID 288 wrote to memory of 740	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 740	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 740	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 740	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 740 wrote to memory of 1088	740	cmd.exe	net.exe
PID 740 wrote to memory of 1088	740	cmd.exe	net.exe
PID 740 wrote to memory of 1088	740	cmd.exe	net.exe
PID 740 wrote to memory of 1088	740	cmd.exe	net.exe
PID 1088 wrote to memory of 1056	1088	net.exe	net1.exe
PID 1088 wrote to memory of 1056	1088	net.exe	net1.exe
PID 1088 wrote to memory of 1056	1088	net.exe	net1.exe
PID 1088 wrote to memory of 1056	1088	net.exe	net1.exe
PID 288 wrote to memory of 1508	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 1508	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 1508	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 1508	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 1508 wrote to memory of 1672	1508	cmd.exe	net.exe
PID 1508 wrote to memory of 1672	1508	cmd.exe	net.exe
PID 1508 wrote to memory of 1672	1508	cmd.exe	net.exe
PID 1508 wrote to memory of 1672	1508	cmd.exe	net.exe
PID 1672 wrote to memory of 1356	1672	net.exe	net1.exe
PID 1672 wrote to memory of 1356	1672	net.exe	net1.exe
PID 1672 wrote to memory of 1356	1672	net.exe	net1.exe
PID 1672 wrote to memory of 1356	1672	net.exe	net1.exe
PID 288 wrote to memory of 1368	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 1368	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 1368	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 1368	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 1368 wrote to memory of 1804	1368	cmd.exe	net.exe
PID 1368 wrote to memory of 1804	1368	cmd.exe	net.exe
PID 1368 wrote to memory of 1804	1368	cmd.exe	net.exe
PID 1368 wrote to memory of 1804	1368	cmd.exe	net.exe
PID 1804 wrote to memory of 1796	1804	net.exe	net1.exe
PID 1804 wrote to memory of 1796	1804	net.exe	net1.exe
PID 1804 wrote to memory of 1796	1804	net.exe	net1.exe
PID 1804 wrote to memory of 1796	1804	net.exe	net1.exe
PID 288 wrote to memory of 1812	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 1812	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 1812	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 1812	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 1812 wrote to memory of 1848	1812	cmd.exe	net.exe
PID 1812 wrote to memory of 1848	1812	cmd.exe	net.exe
PID 1812 wrote to memory of 1848	1812	cmd.exe	net.exe
PID 1812 wrote to memory of 1848	1812	cmd.exe	net.exe
PID 1848 wrote to memory of 1836	1848	net.exe	net1.exe
PID 1848 wrote to memory of 1836	1848	net.exe	net1.exe
PID 1848 wrote to memory of 1836	1848	net.exe	net1.exe
PID 1848 wrote to memory of 1836	1848	net.exe	net1.exe
PID 288 wrote to memory of 1864	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 1864	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 1864	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe
PID 288 wrote to memory of 1864	288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

pid	process
288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
288	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

Drops file in Program Files directory 27513 IoCs

Processes:

7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tiptsf.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Riga.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0386485.JPG.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_center.gif.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PAGESIZE\PGLBL001.XML.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\PS9CRNRH.POC.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\goopdateres_sr.dll.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\La_Rioja.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\IMAGE.JPG	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libscale_plugin.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR31F.GIF.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR45F.GIF.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_ja_4.4.0.v20140623020002.jar.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\vocaroo.luac	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\STSLIST.DLL	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14871_.GIF.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\redStateIcon.png	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\BD08773_.WMF.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MEDIA\COIN.WAV.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolBMPs\NotifierUpArrow.jpg.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Yakutsk	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down_BIDI.png	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Microsoft.SharePoint.BusinessData.Administration.Client.xml.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Microsoft Office\Document Themes 14\Theme Effects\Executive.eftx.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\OUTLBAR.INF.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunec.jar	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME46.CSS	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_zh_CN.jar.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR38F.GIF.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOSTYLE.DLL	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_pressed.gif.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.bfc	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\FD02153_.WMF	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\FLAP.WMF.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text_3.9.1.v20140827-1810.jar	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgradient_plugin.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\setup.swf.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\Shorthand.jtp	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport_PAL.wmv	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDFFile_8.ico	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_win7.css	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dcpr.dll	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Microsoft Office\Office14\PUBWIZ\CALHM.POC.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Theme Colors\Foundry.xml	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\BIZCARD.DPV	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PARNT_01.MID	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana\TAB_OFF.GIF.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\OutlookAutoDiscover\NVBELL.NET.XML.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme_0.9.300.v20140424-2042.jar.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00780L.GIF.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR51F.GIF.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14530_.GIF.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\Templates\1033\Access\DataType\Category.accft.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libshm_plugin.dll.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pe.dll.[[email protected]][ID-BLPM8QO6V17IJ4Y].Void	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\FD00397_.WMF	7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe

Runs net.exe

C:\Users\Admin\AppData\Local\Temp\7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe
"C:\Users\Admin\AppData\Local\Temp\7550228f681474a038e957f86b84f182df3a1748aacf6cc7d60638f8b2784319.exe"
1⤵
- NTFS ADS
- Drops desktop.ini file(s)
- Drops startup file
- Drops file in Windows directory
- Drops file in System32 directory
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Drops file in Program Files directory
PID:288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:800
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1088
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:1056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:1796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:1836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:1880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:1784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  PID:1764
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    PID:568
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:920
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:1224
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  PID:700
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    PID:1120
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:1732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies service
    PID:1580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  PID:1540
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies service
    PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/288-0-0x0000000000FC0000-0x0000000000FD1000-memory.dmp

Filesize
68KB

Download
memory/288-1-0x00000000013D0000-0x00000000013E1000-memory.dmp

Filesize
68KB

Download
memory/288-2-0x0000000000FC0000-0x0000000000FD1000-memory.dmp

Filesize
68KB

Download