ouroboros | a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461

Analysis

max time kernel
42s
max time network
16s
platform
windows7_x64
resource
win7
submitted
11-09-2020 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
Size

994KB
MD5

62ae12ef05bb6ad38cf30d8c35efd416
SHA1

90049acd442225de16124a89835eed61f4202a8b
SHA256

a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461
SHA512

0114ca7c03291783732a2cbcbbbc4f6a2250c3ad41aaa415be6e85aa28daad85b668f4f0177357c3fdf1c861830bb8b24d378390de7736a57660182ac3c3709a

Score

10^/10

ouroboros xmrig evasion miner ransomware spyware

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Drops file in Drivers directory 9 IoCs

Processes:

a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\DismountEdit.tiff	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe

Drops startup file 1 IoCs

Processes:

a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

Processes:

a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe

description	ioc	process
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Media\Afternoon\Desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Media\Calligraphy\Desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\TGVUK4BG\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Media\Quirky\Desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RBDIK06K\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZMLBLRQ7\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Public\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Media\Delta\Desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Media\Garden\Desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Admin\Cookies\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Media\Landscape\Desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1131729243-447456001-3632642222-1000\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Media\Cityscape\Desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 3 http://www.sfml-dev.org/ip-provider.php

description	flow	ioc
HTTP URL	3	http://www.sfml-dev.org/ip-provider.php

Drops file in System32 directory 64 IoCs

Processes:

a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\en-US\driverquery.exe.mui	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\SysWOW64\msvcirt.dll	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmatm2k.inf_amd64_neutral_64a8fb018ead55a7\mdmatm2k.inf	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00f.inf_amd64_neutral_777b6911d18869b7\Amd64\CNBP_274.DLL	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00e.inf_amd64_neutral_edc631ff41a34218\Amd64\EP0NREAB.DLL	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnin004.inf_amd64_neutral_c8902ae660ab1360\Amd64\IF1371E3.PPD	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx00y.inf_amd64_neutral_977318f2317f5ddd\prnlx00y.PNF	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiaky002.inf_amd64_neutral_b898f5982403f3cb\wiaky002.PNF	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\SysWOW64\dsuiext.dll	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\SysWOW64\NlsLexicons0007.dll	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\SysWOW64\occache.dll	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\SysWOW64\provthrd.dll	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~da-DK~7.1.7601.16492.cat	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc5200t.exp	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wnetvsc.inf_amd64_neutral_548addf09cb466fa\netvscres.dll	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\SysWOW64\finger.exe	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-WinIP-Package~31bf3856ad364e35~amd64~ko-KR~7.1.7601.16492.cat	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-Printing-Package~31bf3856ad364e35~amd64~~7.1.7601.16492.cat	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\mdmbr00a.inf_loc	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep003.inf_amd64_neutral_92ed2d842e0dd4ea\Amd64\EP0LB040.GPD	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep003.inf_amd64_neutral_92ed2d842e0dd4ea\Amd64\EP0NB040.INI	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc4200t.gpd	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\SysWOW64\NAPCLCFG.MSC	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-OpticalMediaDisc-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00g.inf_amd64_neutral_6f76b14b2912fa55\Amd64\CNBX0282.DLL	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00e.inf_amd64_neutral_edc631ff41a34218\Amd64\EP0NOAAA.DXT	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx009.inf_amd64_neutral_d4b76afd08f308fb\prnlx009.cat	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiaca00i.inf_amd64_neutral_de104aaa48ee4b00\CNC1731D.TBL	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiacn001.inf_amd64_neutral_b7a0b2f53d745b5a\CNHW730S.DLL	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\SysWOW64\WsmAuto.dll	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package-MiniLP~31bf3856ad364e35~amd64~cs-CZ~7.1.7601.16492.cat	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00e.inf_amd64_neutral_651eeed98428be5e\Amd64\CNBP_300.DLL	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep004.inf_amd64_neutral_63b22bfb6b93eaba\Amd64\EP7MDL01.DLL	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnr002.inf_amd64_neutral_37896c5e81c8d488\Amd64\NR2550.GPD	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVPA4.GPD	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\prnhp002.inf	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO3300T.XML	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\SysWOW64\certenc.dll	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\cxraptor_philipstuv1236d_ibv64.inf_amd64_neutral_b6a3e57df5bad299\cxraphd.rom	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00z.inf_amd64_neutral_27f402ce616c3ebc\Amd64\CNBLR4.DLL	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\SysWOW64\en-US\expand.exe.mui	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-WinIP-Package~31bf3856ad364e35~amd64~ja-JP~7.1.7601.16492.cat	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\SysWOW64\en-US\cryptdlg.dll.mui	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\SysWOW64\mstsc.exe	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\SysWOW64\rasgcw.dll	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Links-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package-MiniLP~31bf3856ad364e35~amd64~pl-PL~7.1.7601.16492.cat	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ph3xibc7.inf_amd64_neutral_348f512722c79525\ph3xibc7.PNF	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky005.inf_amd64_neutral_8836be987024e6a9\Amd64\KYC5020N.PPD	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\SysWOW64\KBDHU1.DLL	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\SysWOW64\MPG4DECD.DLL	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\SysWOW64\npmproxy.dll	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Help-CoreClientUAUE-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netbvbda.inf_amd64_neutral_2bfa4ea57bd5d74a\bxvbda.sys	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPW1000T.XML	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\SysWOW64\wpcsvc.dll	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Shell-WinIP-Package~31bf3856ad364e35~amd64~zh-TW~7.1.7601.16492.cat	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\prnbr005.inf_loc	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPZSTWN7.DLL	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx00z.inf_amd64_neutral_aea50acf04a2db1d\prnlx00z.inf	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\SysWOW64\en-US\acctres.dll.mui	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\SysWOW64\Utilman.exe	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hiddigi.inf_amd64_neutral_12aaf5742a9969da\hiddigi.PNF	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\SysWOW64\en-US\defaultlocationcpl.dll.mui	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe

Drops file in Program Files directory 64 IoCs

Processes:

a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Vostok.[[email protected]][4BLJU0E63Z59YKR].Spade	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB02229_.GIF	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Theme Colors\Flow.xml.[[email protected]][4BLJU0E63Z59YKR].Spade	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\THEMES14\AXIS\THMBNAIL.PNG	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Costa_Rica	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0382930.JPG	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\FORMS\1033\REPORT.CFG	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115863.GIF.[[email protected]][4BLJU0E63Z59YKR].Spade	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File created	C:\Program Files\Common Files\Microsoft Shared\THEMES14\SPRING\PREVIEW.GIF.[[email protected]][4BLJU0E63Z59YKR].Spade	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_ja.jar	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views_3.7.0.v20140408-0703.jar.[[email protected]][4BLJU0E63Z59YKR].Spade	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\goopdateres_te.dll	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA00394_.WMF.[[email protected]][4BLJU0E63Z59YKR].Spade	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\w2k_lsa_auth.dll	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Port_Moresby	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.properties	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\CONVERT\OL.SAM	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\OUTLCTL.DLL	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jsoundds.dll.[[email protected]][4BLJU0E63Z59YKR].Spade	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Pangnirtung	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png.[[email protected]][4BLJU0E63Z59YKR].Spade	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-oql.xml.[[email protected]][4BLJU0E63Z59YKR].Spade	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css.[[email protected]][4BLJU0E63Z59YKR].Spade	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\CONVERT\DESKSAM.SAM	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt.[[email protected]][4BLJU0E63Z59YKR].Spade	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.dll.[[email protected]][4BLJU0E63Z59YKR].Spade	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0105250.WMF	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA00390_.WMF.[[email protected]][4BLJU0E63Z59YKR].Spade	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO02794_.WMF.[[email protected]][4BLJU0E63Z59YKR].Spade	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Oriel.thmx.[[email protected]][4BLJU0E63Z59YKR].Spade	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File created	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18244_.WMF.[[email protected]][4BLJU0E63Z59YKR].Spade	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\THEMES14\RADIAL\THMBNAIL.PNG.[[email protected]][4BLJU0E63Z59YKR].Spade	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Theme Colors\Pushpin.xml	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Microsoft Office\Templates\1033\Access\Students.accdt	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0102984.WMF.[[email protected]][4BLJU0E63Z59YKR].Spade	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo.[[email protected]][4BLJU0E63Z59YKR].Spade	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\DVD Maker\directshowtap.ax	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.common_2.10.1.v20140901-1043.jar	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00257_.WMF	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AG00160_.GIF.[[email protected]][4BLJU0E63Z59YKR].Spade	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Lisbon	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\goopdateres_ko.dll	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0281632.WMF.[[email protected]][4BLJU0E63Z59YKR].Spade	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18255_.WMF.[[email protected]][4BLJU0E63Z59YKR].Spade	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\jfluid-server-15.jar.[[email protected]][4BLJU0E63Z59YKR].Spade	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\IN00915_.WMF.[[email protected]][4BLJU0E63Z59YKR].Spade	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\GRINTL32.REST.IDX_DLL.[[email protected]][4BLJU0E63Z59YKR].Spade	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\TextFile.zip	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\TN00411_.WMF.[[email protected]][4BLJU0E63Z59YKR].Spade	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Microsoft.BusinessData.dll.[[email protected]][4BLJU0E63Z59YKR].Spade	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Beulah	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\HH02155_.WMF	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Theme Effects\Trek.eftx	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0187647.WMF.[[email protected]][4BLJU0E63Z59YKR].Spade	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE03795_.WMF.[[email protected]][4BLJU0E63Z59YKR].Spade	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.filetransfer_5.0.0.v20140827-1444.jar.[[email protected]][4BLJU0E63Z59YKR].Spade	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\CALENDAR.GIF	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-gibbous.png	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0107308.WMF.[[email protected]][4BLJU0E63Z59YKR].Spade	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME46.CSS	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe

Drops file in Windows directory 64 IoCs

Processes:

a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Common.Tasks	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Indexing-Service-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.mum	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~he-IL~7.1.7601.16492.cat	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.IO.Pipes.dll	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_perf2.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\assembly\GAC_64\naphlpr\6.1.0.0__31bf3856ad364e35\NAPHLPR.DLL	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\IME\IMEJP10\DICTS\IMJPGN.GRM	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\inf\.NET Data Provider for Oracle\0000\_DataOracleClientPerfCounters_shared12_neutral_D.ini	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Media\Heritage\Windows Logon Sound.wav	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.dll	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\alink.dll	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\schemas\EAPMethods\mspeapuserpropertiesv1.xsd	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~en-US~7.1.7601.16492.cat	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.ApplicationId.RuleWizard\6.1.0.0__31bf3856ad364e35\Microsoft.ApplicationId.RuleWizard.dll	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreeis.dll	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-TerminalServices-Publishing-WMIProvider-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-UIAnimation-WinIP-Package~31bf3856ad364e35~amd64~pt-PT~7.1.7601.16492.cat	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Fonts\s8514oem.fon	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\inf\mdmbr006.inf	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Media\Calligraphy\Windows Balloon.wav	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Data.Services.dll	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\manageAllRoles.aspx.resx	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vf4833439#\d39ce5e7df72ddb95f2098899b7330ae\Microsoft.VisualBasic.Activities.Compiler.ni.dll.aux	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\inf\prngt003.inf	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\servicing\Packages\Package_67_for_KB3109118~31bf3856ad364e35~amd64~~6.1.4.0.mum	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\AspNetMMCExt\5857dbc9f0d3cb3364728ec72497ece9\AspNetMMCExt.ni.dll.aux	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\inf\prnca00f.inf	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\netscape.browser	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp.aspx	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\manageUsers.aspx	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Base-WinIP-Package~31bf3856ad364e35~amd64~es-ES~7.1.7601.16492.cat	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Shell-WinIP-Package~31bf3856ad364e35~amd64~bg-BG~7.1.7601.16492.cat	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\ehome\ehcir.ird	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\inf\mdmcomp.inf	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Discovery\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Discovery.dll	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Diagnostics.FileVersionInfo.dll	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\servicing\Packages\Package_171_for_KB3109118~31bf3856ad364e35~amd64~~6.1.4.0.cat	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Base-WinIP-Package~31bf3856ad364e35~amd64~fi-FI~7.1.7601.16492.mum	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\inf\mdmmod.PNF	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~~7.1.7601.16492.mum	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\diagnostics\system\Power\en-US\RS_Adjustwirelessadaptersettings.psd1	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Media\Delta\Windows Exclamation.wav	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Media\Heritage\Windows Balloon.wav	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Windows-WinIP-Package~31bf3856ad364e35~amd64~hu-HU~7.1.7601.16492.mum	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\a933cd1241698e4d13d80c8cb31d7055\System.Data.Services.Client.ni.dll	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Servd1dec626#\7a1dfc357f4135dbddcf38fd9279b2a7\System.ServiceModel.Internals.ni.dll	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Media\Delta\Windows Battery Critical.wav	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.rsp	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Diagnostics.Debug.dll	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package-MiniLP~31bf3856ad364e35~amd64~nb-NO~7.1.7601.16492.cat	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\inf\arcsas.inf	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Diagnostics.Debug.dll	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\GameExplorer.adml	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~de-DE~7.1.7601.16492.mum	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\PolicyDefinitions\DiskDiagnostic.admx	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\mcepg\6.1.0.0__31bf3856ad364e35\mcepg.dll	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Word\14.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.Word.dll	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.EnterpriseSe#\a6155c70b3df6c860303ffee7b560ade\System.EnterpriseServices.Wrapper.dll	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Fonts\timesbi.ttf	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\inf\usbhub\usbperfsym.h	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Windows\Media\Heritage\Windows Ding.wav	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe

NTFS ADS 30 IoCs

Processes:

a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\S-1-5-21-1131729243-447456001-3632642222-1000\ꞔ瓩"쀀㴰X㱀Xꨚ瓩\ꞔ瓩:쀀VVꨚ瓩	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\System Volume Information\f840bc82-aff2-11ea-839f-f21450b4f854\ꞔ瓩"쀀㴰X㳨Xꨚ瓩\ꞔ瓩:쀀뻀_뺨_ꨚ瓩	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\ProgramData\Start Menu\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ瓩"쀀\ꞔ瓩:쀀	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\ProgramData\Start Menu\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\"쀀Ψ]Ψ]ꨚ瓩\:쀀쑸\쑸\ꨚ瓩\:쀀썸\썸\ꨚ瓩\3쀀쎘\쎘\ꨚ瓩\3쀀쎸\쎸\ꨚ瓩\3쀀쐸\쐸\ꨚ瓩\3쀀쒸\쒸\ꨚ瓩\3쀀씸\씸\ꨚ瓩\3쀀ꉘ\ꉘ\ꨚ瓩\3쀀ꉸ\ꉸ\ꨚ瓩\3쀀ꊘ\ꊘ\ꨚ瓩\耀\3쀀ꋘ\ꋘ\ꨚ瓩\3쀀ꋸ\ꋸ\ꨚ瓩\ŐUꌘ\żUꨚ瓩	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\System Volume Information\f840bc82-aff2-11ea-839f-f21450b4f854\ꞔ瓩"쀀\ꞔ瓩:쀀\ꞔ瓩:쀀	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Admin\AppData\Local\Application Data\Color\ꞔ瓩"쀀\ꞔ瓩:쀀\ꞔ瓩:쀀	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temporary Internet Files\WPDNSE\ꞔ瓩"쀀\ꞔ瓩:쀀	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\All Users\Application Data\Updater6\ꞔ瓩"쀀\\ꨚ瓩\ꞔ瓩:쀀VVꨚ瓩\ꞔ瓩:쀀VVꨚ瓩	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\ProgramData\Application Data\Updater6\ꞔ瓩"쀀\ꞔ瓩:쀀	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\ProgramData\Documents\Updater6\ꞔ瓩"쀀\ꞔ瓩:쀀	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Admin\AppData\Local\History\Chrome\ꞔ瓩"쀀\ꞔ瓩:쀀\ꞔ瓩:쀀	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temporary Internet Files\WPDNSE\ꞔ瓩"쀀\ꞔ瓩:쀀\ꞔ瓩:쀀	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\All Users\Documents\Updater6\ꞔ瓩"쀀\\ꨚ瓩\ꞔ瓩:쀀VVꨚ瓩\ꞔ瓩:쀀VVꨚ瓩	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-1131729243-447456001-3632642222-1000\"쀀ZZꨚ瓩\:쀀VVꨚ瓩\:쀀VVꨚ瓩\3쀀Ѐ\3쀀VVꨚ瓩\3쀀VVꨚ瓩\3쀀VVꨚ瓩\3쀀VVꨚ瓩\3쀀VVꨚ瓩\3쀀VVꨚ瓩\3쀀VVꨚ瓩\3쀀V㜐Uꨚ瓩㟔U	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\ProgramData\Templates\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ瓩"쀀\ꞔ瓩:쀀	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\System Volume Information\f840bc82-aff2-11ea-839f-f21450b4f854\ꞔ瓩"쀀\ꞔ瓩:쀀	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Admin\AppData\Local\History\Chrome\ꞔ瓩"쀀\ꞔ瓩:쀀	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\All Users\Start Menu\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ瓩"쀀\\ꨚ瓩\ꞔ瓩:쀀ᶠĠᶈĠꨚ瓩\ꞔ瓩:쀀᷀ĠᶨĠꨚ瓩	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Default\Cookies\Roaming\ꞔ瓩"쀀ꚸ[ꔈ[ꨚ瓩\ꞔ瓩:쀀훐[횸[ꨚ瓩\ꞔ瓩:쀀횰[횘[ꨚ瓩	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-1131729243-447456001-3632642222-1000\ꞔ瓩"쀀\ꞔ瓩:쀀	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\ProgramData\Favorites\Updater6\ꞔ瓩"쀀\ꞔ瓩:쀀	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Admin\AppData\Local\Application Data\Color\ꞔ瓩"쀀\ꞔ瓩:쀀	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\All Users\Favorites\Updater6\ꞔ瓩"쀀\\ꨚ瓩\ꞔ瓩:쀀VVꨚ瓩\ꞔ瓩:쀀VVꨚ瓩	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\All Users\Templates\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ瓩"쀀\\ꨚ瓩\ꞔ瓩:쀀ᶠĠᶈĠꨚ瓩\ꞔ瓩:쀀᷀ĠᶨĠꨚ瓩	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Admin\Application Data\Roaming\ꞔ瓩"쀀ꛨ[ꓰ[ꨚ瓩\ꞔ瓩:쀀쎨X쎐Xꨚ瓩\ꞔ瓩:쀀VVꨚ瓩	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\All Users\Desktop\Updater6\ꞔ瓩"쀀\\ꨚ瓩\ꞔ瓩:쀀VVꨚ瓩\ꞔ瓩:쀀VVꨚ瓩	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Users\Default\Application Data\Roaming\ꞔ瓩"쀀ꚸ[ꓰ[ꨚ瓩\ꞔ瓩:쀀훐[횸[ꨚ瓩\ꞔ瓩:쀀횰[횘[ꨚ瓩	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\ProgramData\Desktop\Updater6\"쀀̀]̀]ꨚ瓩\:쀀씘\씘\ꨚ瓩\:쀀쐘\쐘\ꨚ瓩\3쀀쏘\쏘\ꨚ瓩\3쀀썸\썸\ꨚ瓩\3쀀쏸\쏸\ꨚ瓩\3쀀쑸\쑸\ꨚ瓩\3쀀쑘\쑘\ꨚ瓩\3쀀쓸\쓸\ꨚ瓩\3쀀쒘\쒘\ꨚ瓩\3쀀쎘\쎘\ꨚ瓩\3쀀쎸\쎸\ꨚ瓩\3쀀쐸\쐸\ꨚ瓩\3쀀쒸\쒸\ꨚ瓩\3쀀씸\씸\ꨚ瓩\3쀀ࡠĞࡠĞꨚ瓩\3쀀ࢀĞ	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\ProgramData\Desktop\Updater6\ꞔ瓩"쀀\ꞔ瓩:쀀	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-1131729243-447456001-3632642222-1000\ꞔ瓩"쀀\ꞔ瓩:쀀\ꞔ瓩:쀀	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe

pid	process
1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 1080 wrote to memory of 1648	1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe	cmd.exe
PID 1080 wrote to memory of 1648	1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe	cmd.exe
PID 1080 wrote to memory of 1648	1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe	cmd.exe
PID 1080 wrote to memory of 1648	1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe	cmd.exe
PID 1648 wrote to memory of 1532	1648	cmd.exe	net.exe
PID 1648 wrote to memory of 1532	1648	cmd.exe	net.exe
PID 1648 wrote to memory of 1532	1648	cmd.exe	net.exe
PID 1648 wrote to memory of 1532	1648	cmd.exe	net.exe
PID 1532 wrote to memory of 1504	1532	net.exe	net1.exe
PID 1532 wrote to memory of 1504	1532	net.exe	net1.exe
PID 1532 wrote to memory of 1504	1532	net.exe	net1.exe
PID 1532 wrote to memory of 1504	1532	net.exe	net1.exe
PID 1080 wrote to memory of 1704	1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe	cmd.exe
PID 1080 wrote to memory of 1704	1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe	cmd.exe
PID 1080 wrote to memory of 1704	1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe	cmd.exe
PID 1080 wrote to memory of 1704	1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe	cmd.exe
PID 1704 wrote to memory of 1824	1704	cmd.exe	net.exe
PID 1704 wrote to memory of 1824	1704	cmd.exe	net.exe
PID 1704 wrote to memory of 1824	1704	cmd.exe	net.exe
PID 1704 wrote to memory of 1824	1704	cmd.exe	net.exe
PID 1824 wrote to memory of 1836	1824	net.exe	net1.exe
PID 1824 wrote to memory of 1836	1824	net.exe	net1.exe
PID 1824 wrote to memory of 1836	1824	net.exe	net1.exe
PID 1824 wrote to memory of 1836	1824	net.exe	net1.exe
PID 1080 wrote to memory of 1364	1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe	cmd.exe
PID 1080 wrote to memory of 1364	1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe	cmd.exe
PID 1080 wrote to memory of 1364	1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe	cmd.exe
PID 1080 wrote to memory of 1364	1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe	cmd.exe
PID 1364 wrote to memory of 1776	1364	cmd.exe	net.exe
PID 1364 wrote to memory of 1776	1364	cmd.exe	net.exe
PID 1364 wrote to memory of 1776	1364	cmd.exe	net.exe
PID 1364 wrote to memory of 1776	1364	cmd.exe	net.exe
PID 1776 wrote to memory of 1788	1776	net.exe	net1.exe
PID 1776 wrote to memory of 1788	1776	net.exe	net1.exe
PID 1776 wrote to memory of 1788	1776	net.exe	net1.exe
PID 1776 wrote to memory of 1788	1776	net.exe	net1.exe
PID 1080 wrote to memory of 1752	1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe	cmd.exe
PID 1080 wrote to memory of 1752	1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe	cmd.exe
PID 1080 wrote to memory of 1752	1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe	cmd.exe
PID 1080 wrote to memory of 1752	1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe	cmd.exe
PID 1752 wrote to memory of 1584	1752	cmd.exe	net.exe
PID 1752 wrote to memory of 1584	1752	cmd.exe	net.exe
PID 1752 wrote to memory of 1584	1752	cmd.exe	net.exe
PID 1752 wrote to memory of 1584	1752	cmd.exe	net.exe
PID 1584 wrote to memory of 1600	1584	net.exe	net1.exe
PID 1584 wrote to memory of 1600	1584	net.exe	net1.exe
PID 1584 wrote to memory of 1600	1584	net.exe	net1.exe
PID 1584 wrote to memory of 1600	1584	net.exe	net1.exe
PID 1080 wrote to memory of 1652	1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe	cmd.exe
PID 1080 wrote to memory of 1652	1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe	cmd.exe
PID 1080 wrote to memory of 1652	1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe	cmd.exe
PID 1080 wrote to memory of 1652	1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe	cmd.exe
PID 1652 wrote to memory of 1552	1652	cmd.exe	net.exe
PID 1652 wrote to memory of 1552	1652	cmd.exe	net.exe
PID 1652 wrote to memory of 1552	1652	cmd.exe	net.exe
PID 1652 wrote to memory of 1552	1652	cmd.exe	net.exe
PID 1552 wrote to memory of 1920	1552	net.exe	net1.exe
PID 1552 wrote to memory of 1920	1552	net.exe	net1.exe
PID 1552 wrote to memory of 1920	1552	net.exe	net1.exe
PID 1552 wrote to memory of 1920	1552	net.exe	net1.exe
PID 1080 wrote to memory of 1872	1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe	cmd.exe
PID 1080 wrote to memory of 1872	1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe	cmd.exe
PID 1080 wrote to memory of 1872	1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe	cmd.exe
PID 1080 wrote to memory of 1872	1080	a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
"C:\Users\Admin\AppData\Local\Temp\a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:1504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1824
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:1836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:1600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1552
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:1920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:1876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:1964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  PID:1980
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    PID:2032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:1032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:396
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:464
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  PID:512
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    PID:1760
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:1212
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  PID:980
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:1984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/396-21-0x0000000000000000-mapping.dmp

Download
memory/464-22-0x0000000000000000-mapping.dmp

Download
memory/512-24-0x0000000000000000-mapping.dmp

Download
memory/756-28-0x0000000000000000-mapping.dmp

Download
memory/852-26-0x0000000000000000-mapping.dmp

Download
memory/980-29-0x0000000000000000-mapping.dmp

Download
memory/1032-20-0x0000000000000000-mapping.dmp

Download
memory/1080-31-0x0000000000A30000-0x0000000000A41000-memory.dmp

Filesize
68KB

Download
memory/1080-33-0x0000000000A30000-0x0000000000A41000-memory.dmp

Filesize
68KB

Download
memory/1080-32-0x0000000000E40000-0x0000000000E51000-memory.dmp

Filesize
68KB

Download
memory/1212-27-0x0000000000000000-mapping.dmp

Download
memory/1320-23-0x0000000000000000-mapping.dmp

Download
memory/1364-6-0x0000000000000000-mapping.dmp

Download
memory/1504-2-0x0000000000000000-mapping.dmp

Download
memory/1532-1-0x0000000000000000-mapping.dmp

Download
memory/1552-13-0x0000000000000000-mapping.dmp

Download
memory/1584-10-0x0000000000000000-mapping.dmp

Download
memory/1600-11-0x0000000000000000-mapping.dmp

Download
memory/1648-0-0x0000000000000000-mapping.dmp

Download
memory/1652-12-0x0000000000000000-mapping.dmp

Download
memory/1704-3-0x0000000000000000-mapping.dmp

Download
memory/1752-9-0x0000000000000000-mapping.dmp

Download
memory/1760-25-0x0000000000000000-mapping.dmp

Download
memory/1776-7-0x0000000000000000-mapping.dmp

Download
memory/1788-8-0x0000000000000000-mapping.dmp

Download
memory/1824-4-0x0000000000000000-mapping.dmp

Download
memory/1836-5-0x0000000000000000-mapping.dmp

Download
memory/1872-15-0x0000000000000000-mapping.dmp

Download
memory/1876-16-0x0000000000000000-mapping.dmp

Download
memory/1920-14-0x0000000000000000-mapping.dmp

Download
memory/1964-17-0x0000000000000000-mapping.dmp

Download
memory/1980-18-0x0000000000000000-mapping.dmp

Download
memory/1984-30-0x0000000000000000-mapping.dmp

Download
memory/2032-19-0x0000000000000000-mapping.dmp

Download