ouroboros | 39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913

General

Target

39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
Size

986KB
MD5

f792655e03042e9ca4cb8c89e4103c8a
SHA1

4ae946b8712114fca1bbf6dd392eb26a8c874586
SHA256

39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913
SHA512

92ab9d00decc68126274425ae261441bd62eebd036c6c60a7c6cd860f0a8b1e6786c80042763f8dabb2db831152f322be58a067a6b8f21f95f953ffa8ec010b5

Score

10^/10

ouroboros xmrig evasion miner ransomware spyware

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\AddRename.tiff	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\Pictures\GrantRedo.tiff	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\Pictures\LockResume.tiff	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\Pictures\ReadRestore.tiff	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

Drops startup file 1 IoCs

Processes:

39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

Processes:

39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

description	ioc	process
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\Media\Afternoon\Desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\Media\Calligraphy\Desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YAUNGDT1\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WBCYF2DO\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\Cookies\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Public\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File created	C:\$Recycle.Bin\S-1-5-21-2090973689-680783404-4292415065-1000\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q2MEZ03C\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\Media\Desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B7OQLK7P\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File created	C:\Program Files\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\DUF815Z1\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 5 http://www.sfml-dev.org/ip-provider.php
Drops file in System32 directory 1 IoCs

Processes:

39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\regedit.exe 39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

description	flow	ioc
HTTP URL	5	http://www.sfml-dev.org/ip-provider.php

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\regedit.exe	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

Drops file in Program Files directory 64 IoCs

Processes:

39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH00601G.GIF	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Sydney.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tallinn.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_rest.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\15.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBOB6.CHM.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\9.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File created	C:\Program Files\7-Zip\descript.ion.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libhttps_plugin.dll	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Regina.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.zh_CN_5.5.0.165303.jar.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.inject_1.0.0.v20091030.jar.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Microsoft Office\Templates\1033\ApothecaryNewsletter.dotx	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libsftp_plugin.dll.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\DD01183_.WMF.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiling.jar.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH01179J.JPG	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\CAGCAT10.MMW.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Andorra.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PROPLUS\ProPlusWW.XML	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\boot_ja.jar	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tirane.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.ja_5.5.0.165303.jar.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\DD00255_.WMF.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mac.css	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Java\jre7\bin\splashscreen.dll	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsVersion1Warning.htm	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libfluidsynth_plugin.dll.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jfxmedia.dll.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0107282.WMF	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libtransform_plugin.dll	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt_0.12.100.v20140530-1436.jar.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Thule.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\PowerPointMUI.XML.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert.css	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\POSTCD98.POC	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-multiview.jar.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA01123_.WMF	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_zh_4.4.0.v20140623020002.jar.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Rainy_River.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Creston	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\MSPUB.DEV_COL.HXC	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File created	C:\Program Files\Java\jre7\lib\logging.properties.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0107344.WMF	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\org-openide-filesystems_zh_CN.jar.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Abidjan.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Maceio.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File created	C:\Program Files\7-Zip\Lang\sk.txt.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Microsoft Office\Templates\1033\Access\Part\Contacts.accdt	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\TAB_ON.GIF	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar.Email=[pauolmann@gmail.com]ID=[FP2MLZE3AXD09C8].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\cacerts	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

Drops file in Windows directory 64 IoCs

Processes:

39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Speech\6935e1dad6ec5de21658f8d38999099a\System.Speech.ni.dll	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\AspNetMMCExt\51f5ebc7dec87fb0c89540ed15a5c2b6\AspNetMMCExt.ni.dll	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Work0493292f#\4832d6678c2546727da93ce691bd5066\System.Workflow.Runtime.ni.dll	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\Boot\EFI\it-IT\bootmgfw.efi.mui	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\IME\IMESC5\HELP\PINTLGNT.CHM	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\inf\wpdfs.PNF	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\inf\ASP.NET\001D\aspnet_perf2.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\Boot\EFI\pt-PT\bootmgfw.efi.mui	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\diagnostics\system\Power\TS_IdleDiskTimeout.ps1	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\ehome\CreateDisc\SonicMCEBurnEngine.dll	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\Fonts\gishabd.ttf	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\Fonts\lvnmbd.ttf	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Work0493292f#\5dd3a5d9306d305389a484901d4f4ad3\System.Workflow.Runtime.ni.dll.aux	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\Cursors\lnesw.cur	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\Fonts\browaub.ttf	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\inf\volsnap.inf	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\assembly\GAC_64\mcstoredb\6.1.0.0__31bf3856ad364e35\mcstoredb.dll	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.OneNote\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.OneNote.dll	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\Fonts\LFAX.TTF	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\inf\wiacn001.PNF	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\inf\aspnet_state\0416\aspnet_state_perf.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\inf\mdmairte.PNF	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\L2Schemas\WLAN_profile_v1.xsd	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\diagnostics\system\AERO\DiagPackage.dll	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\Fonts\ARIALNI.TTF	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\Fonts\GILLUBCD.TTF	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\Fonts\wingding.ttf	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\inf\mdmtdkj5.PNF	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\inf\.NET CLR Networking 4.0.0.0\_NetworkingPerfCounters.h	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\diagnostics\scheduled\Maintenance\en-US\CL_LocalizationData.psd1	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\inf\wiaep003.inf	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\Boot\PCAT\de-DE\bootmgr.exe.mui	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\inf\input.inf	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\inf\net1qx64.PNF	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Workca489553#\361ef62867b1804328cf3616dc8a7f7b\System.Workflow.ComponentModel.ni.dll	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\Fonts\courbd.ttf	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\Fonts\utsaahi.ttf	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\inf\mdmbr005.PNF	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\mcglidhostobj\6.1.0.0__31bf3856ad364e35\mcglidhostobj.dll	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\Fonts\svgasys.fon	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\inf\ehstorpwddrv.inf	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe.config	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.PowerPoint\14.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.PowerPoint.config	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\a16dd65d2bfab6a019ac8a05337a5c24\System.Web.DynamicData.ni.dll	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaf08ebffb#\13e78018da27a55f22b29d9ffef6f33a\System.Management.Instrumentation.ni.dll.aux	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\diagnostics\system\Power\TS_USBSelective.ps1	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\Fonts\vga869.fon	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\inf\prngt004.PNF	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\inf\prnod002.PNF	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.DynamicData.Design\3.5.0.0__31bf3856ad364e35\System.Web.DynamicData.Design.dll	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\diagnostics\system\AERO\TS_PowerPolicySetting.ps1	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\diagnostics\system\Search\TS_CheckPermissions.ps1	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\Fonts\consolaz.ttf	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\Fonts\PERTIBD.TTF	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\IME\IMESC5\DICTS\PINTLGL.IMD	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\inf\prnky004.inf	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\inf\aspnet_state\0008\aspnet_state_perf.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\Fonts\jvgafix.fon	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\inf\sti.PNF	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PresentationHostDLL_x86.dll.mui	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\Cursors\help_rl.cur	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Filters\soniccolorconverter.ax	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

pid	process
1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 1680 wrote to memory of 1908	1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 1680 wrote to memory of 1908	1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 1680 wrote to memory of 1908	1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 1680 wrote to memory of 1908	1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 1908 wrote to memory of 1936	1908	cmd.exe	net.exe
PID 1908 wrote to memory of 1936	1908	cmd.exe	net.exe
PID 1908 wrote to memory of 1936	1908	cmd.exe	net.exe
PID 1908 wrote to memory of 1936	1908	cmd.exe	net.exe
PID 1936 wrote to memory of 1952	1936	net.exe	net1.exe
PID 1936 wrote to memory of 1952	1936	net.exe	net1.exe
PID 1936 wrote to memory of 1952	1936	net.exe	net1.exe
PID 1936 wrote to memory of 1952	1936	net.exe	net1.exe
PID 1680 wrote to memory of 1964	1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 1680 wrote to memory of 1964	1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 1680 wrote to memory of 1964	1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 1680 wrote to memory of 1964	1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 1964 wrote to memory of 1844	1964	cmd.exe	net.exe
PID 1964 wrote to memory of 1844	1964	cmd.exe	net.exe
PID 1964 wrote to memory of 1844	1964	cmd.exe	net.exe
PID 1964 wrote to memory of 1844	1964	cmd.exe	net.exe
PID 1844 wrote to memory of 1852	1844	net.exe	net1.exe
PID 1844 wrote to memory of 1852	1844	net.exe	net1.exe
PID 1844 wrote to memory of 1852	1844	net.exe	net1.exe
PID 1844 wrote to memory of 1852	1844	net.exe	net1.exe
PID 1680 wrote to memory of 520	1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 1680 wrote to memory of 520	1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 1680 wrote to memory of 520	1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 1680 wrote to memory of 520	1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 520 wrote to memory of 276	520	cmd.exe	net.exe
PID 520 wrote to memory of 276	520	cmd.exe	net.exe
PID 520 wrote to memory of 276	520	cmd.exe	net.exe
PID 520 wrote to memory of 276	520	cmd.exe	net.exe
PID 276 wrote to memory of 1364	276	net.exe	net1.exe
PID 276 wrote to memory of 1364	276	net.exe	net1.exe
PID 276 wrote to memory of 1364	276	net.exe	net1.exe
PID 276 wrote to memory of 1364	276	net.exe	net1.exe
PID 1680 wrote to memory of 1360	1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 1680 wrote to memory of 1360	1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 1680 wrote to memory of 1360	1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 1680 wrote to memory of 1360	1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 1360 wrote to memory of 524	1360	cmd.exe	net.exe
PID 1360 wrote to memory of 524	1360	cmd.exe	net.exe
PID 1360 wrote to memory of 524	1360	cmd.exe	net.exe
PID 1360 wrote to memory of 524	1360	cmd.exe	net.exe
PID 524 wrote to memory of 1556	524	net.exe	net1.exe
PID 524 wrote to memory of 1556	524	net.exe	net1.exe
PID 524 wrote to memory of 1556	524	net.exe	net1.exe
PID 524 wrote to memory of 1556	524	net.exe	net1.exe
PID 1680 wrote to memory of 804	1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 1680 wrote to memory of 804	1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 1680 wrote to memory of 804	1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 1680 wrote to memory of 804	1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 804 wrote to memory of 1648	804	cmd.exe	net.exe
PID 804 wrote to memory of 1648	804	cmd.exe	net.exe
PID 804 wrote to memory of 1648	804	cmd.exe	net.exe
PID 804 wrote to memory of 1648	804	cmd.exe	net.exe
PID 1648 wrote to memory of 1660	1648	net.exe	net1.exe
PID 1648 wrote to memory of 1660	1648	net.exe	net1.exe
PID 1648 wrote to memory of 1660	1648	net.exe	net1.exe
PID 1648 wrote to memory of 1660	1648	net.exe	net1.exe
PID 1680 wrote to memory of 1784	1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 1680 wrote to memory of 1784	1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 1680 wrote to memory of 1784	1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 1680 wrote to memory of 1784	1680	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
"C:\Users\Admin\AppData\Local\Temp\39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLWriter
2⤵
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
3⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
4⤵
PID:1952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLBrowser
2⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
3⤵
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
4⤵
PID:1852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
- Suspicious use of WriteProcessMemory
PID:276

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:1364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
2⤵
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\net.exe
net stop MSSQL$CONTOSO1
3⤵
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$CONTOSO1
4⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSDTC
2⤵
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\SysWOW64\net.exe
net stop MSDTC
3⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSDTC
4⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:1784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
2⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
2⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
2⤵
PID:744

C:\Windows\SysWOW64\net.exe
net stop SQLSERVERAGENT
3⤵
PID:916

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT
4⤵
PID:1384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
PID:364

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
PID:1096

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:1372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop vds
2⤵
PID:1440

C:\Windows\SysWOW64\net.exe
net stop vds
3⤵
PID:1804

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vds
4⤵
PID:956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
2⤵
PID:1112

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
2⤵
PID:1900

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
PID:1840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/276-7-0x0000000000000000-mapping.dmp

Download
memory/364-21-0x0000000000000000-mapping.dmp

Download
memory/520-6-0x0000000000000000-mapping.dmp

Download
memory/524-10-0x0000000000000000-mapping.dmp

Download
memory/744-18-0x0000000000000000-mapping.dmp

Download
memory/804-12-0x0000000000000000-mapping.dmp

Download
memory/916-19-0x0000000000000000-mapping.dmp

Download
memory/956-26-0x0000000000000000-mapping.dmp

Download
memory/1096-22-0x0000000000000000-mapping.dmp

Download
memory/1112-27-0x0000000000000000-mapping.dmp

Download
memory/1360-9-0x0000000000000000-mapping.dmp

Download
memory/1364-8-0x0000000000000000-mapping.dmp

Download
memory/1372-23-0x0000000000000000-mapping.dmp

Download
memory/1384-20-0x0000000000000000-mapping.dmp

Download
memory/1440-24-0x0000000000000000-mapping.dmp

Download
memory/1512-17-0x0000000000000000-mapping.dmp

Download
memory/1556-11-0x0000000000000000-mapping.dmp

Download
memory/1648-13-0x0000000000000000-mapping.dmp

Download
memory/1660-14-0x0000000000000000-mapping.dmp

Download
memory/1680-33-0x00000000011A0000-0x00000000011B1000-memory.dmp

Filesize
68KB

Download
memory/1680-32-0x00000000015B0000-0x00000000015C1000-memory.dmp

Filesize
68KB

Download
memory/1680-31-0x00000000011A0000-0x00000000011B1000-memory.dmp

Filesize
68KB

Download
memory/1744-28-0x0000000000000000-mapping.dmp

Download
memory/1784-15-0x0000000000000000-mapping.dmp

Download
memory/1804-25-0x0000000000000000-mapping.dmp

Download
memory/1840-30-0x0000000000000000-mapping.dmp

Download
memory/1844-4-0x0000000000000000-mapping.dmp

Download
memory/1852-5-0x0000000000000000-mapping.dmp

Download
memory/1900-29-0x0000000000000000-mapping.dmp

Download
memory/1908-0-0x0000000000000000-mapping.dmp

Download
memory/1936-1-0x0000000000000000-mapping.dmp

Download
memory/1952-2-0x0000000000000000-mapping.dmp

Download
memory/1964-3-0x0000000000000000-mapping.dmp

Download
memory/2028-16-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads