353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f

General

Target

353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
Size

1.3MB
MD5

1305df0e5a017ec3ce66a83bd631428e
SHA1

b38535cedd5d539a1d91a335fe306f5a0dccbfdb
SHA256

353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f
SHA512

fc693e8b04230a825a4f79ee797845f00a272530d77e3d5191c469a2ddbbc50e64de4b13cf8b6fba70922224b4b5ca86720f6fc0c88a206f10f326d10aaaa0fe

Score

8^/10

evasion spyware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 26 IoCs

Processes:

353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe

description	ioc	process
File opened for modification	C:\Program Files\desktop.ini	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3341490333-719741536-2920803124-1000\desktop.ini	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File created	C:\Program Files\desktop.ini	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File created	C:\$Recycle.Bin\S-1-5-21-3341490333-719741536-2920803124-1000\desktop.ini	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\SystemData\desktop.ini	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe

Drops file in Program Files directory 64 IoCs

Processes:

353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\org.eclipse.rcp_root_4.4.0.v20141007-2301.[unlockdata@criptext.com][MJ-CY7491283065].Backup	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\help.gif.[unlockdata@criptext.com][MJ-CY7491283065].Backup	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_ja.jar.[unlockdata@criptext.com][MJ-CY7491283065].Backup	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\TXP_Flight.png	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\jsse.jar.[unlockdata@criptext.com][MJ-CY7491283065].Backup	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\Pin\270x270.png	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ko-kr\ui-strings.js	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_ko.properties.[unlockdata@criptext.com][MJ-CY7491283065].Backup	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-125_contrast-white.png	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\ui-strings.js	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libugly_resampler_plugin.dll	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSBARCODE.DLL	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOPRIV.DLL	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar.[unlockdata@criptext.com][MJ-CY7491283065].Backup	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msmgdsrv.dll	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\OWSHLP10.CHM	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-20.png	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\chrome.dll.[unlockdata@criptext.com][MJ-CY7491283065].Backup	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\it-it\AppStore_icon.svg	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\selector.js	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Music.UI.exe	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_shared.gif	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\en_GB.aff	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxMediumTile.scale-400.png	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\vlc.mo.[unlockdata@criptext.com][MJ-CY7491283065].Backup	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsLargeTile.scale-125.png	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File created	C:\Program Files\Windows Defender\MsMpRes.dll.[unlockdata@criptext.com][MJ-CY7491283065].Backup	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-64.png	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Dark.scale-100.png	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_history_18.svg	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reject_18.svg	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\prism_d3d.dll.[unlockdata@criptext.com][MJ-CY7491283065].Backup	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-up.png	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-spi-quicksearch.jar.[unlockdata@criptext.com][MJ-CY7491283065].Backup	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_ja_4.4.0.v20140623020002.jar.[unlockdata@criptext.com][MJ-CY7491283065].Backup	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DatabaseServices.dll	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\SelectAll.scale-180.png	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libswscale_plugin.dll.[unlockdata@criptext.com][MJ-CY7491283065].Backup	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\animations\OneNoteAudio_RecordingPlayback.gif	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\BuildInfo.xml	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-phn.xrm-ms	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OneConnectAppList.targetsize-48.png	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ppd.xrm-ms	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\msolap.dll	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\en-US\wordpad.exe.mui	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\31.jpg	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar.[unlockdata@criptext.com][MJ-CY7491283065].Backup	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_es_135x40.svg	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSYH.TTC	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_ja.jar.[unlockdata@criptext.com][MJ-CY7491283065].Backup	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.scale-150.png	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons_retina_thumb.png	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\editpdf.svg	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ru-ru\ui-strings.js	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms.[unlockdata@criptext.com][MJ-CY7491283065].Backup	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-pl.xrm-ms	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\librawvid_plugin.dll	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionMedTile.scale-100.png	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_ja.jar.[unlockdata@criptext.com][MJ-CY7491283065].Backup	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe

NTFS ADS 2 IoCs

Processes:

353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\zh-TW\8:谸ʻt.ex	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
File opened for modification	C:\Documents and Settings\zh-TW\8:𜀛ˣt.ex	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe

pid	process
4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.execmd.execmd.exenet.exe

description	pid	process	target process
PID 4652 wrote to memory of 4916	4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe	cmd.exe
PID 4652 wrote to memory of 4916	4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe	cmd.exe
PID 4652 wrote to memory of 4916	4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe	cmd.exe
PID 4916 wrote to memory of 5060	4916	cmd.exe	net.exe
PID 4916 wrote to memory of 5060	4916	cmd.exe	net.exe
PID 4916 wrote to memory of 5060	4916	cmd.exe	net.exe
PID 5060 wrote to memory of 5096	5060	net.exe	net1.exe
PID 5060 wrote to memory of 5096	5060	net.exe	net1.exe
PID 5060 wrote to memory of 5096	5060	net.exe	net1.exe
PID 4652 wrote to memory of 1012	4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe	cmd.exe
PID 4652 wrote to memory of 1012	4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe	cmd.exe
PID 4652 wrote to memory of 1012	4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe	cmd.exe
PID 4652 wrote to memory of 3704	4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe	cmd.exe
PID 4652 wrote to memory of 3704	4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe	cmd.exe
PID 4652 wrote to memory of 3704	4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe	cmd.exe
PID 4652 wrote to memory of 3268	4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe	cmd.exe
PID 4652 wrote to memory of 3268	4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe	cmd.exe
PID 4652 wrote to memory of 3268	4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe	cmd.exe
PID 4652 wrote to memory of 3880	4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe	cmd.exe
PID 4652 wrote to memory of 3880	4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe	cmd.exe
PID 4652 wrote to memory of 3880	4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe	cmd.exe
PID 3880 wrote to memory of 3228	3880	cmd.exe	net.exe
PID 3880 wrote to memory of 3228	3880	cmd.exe	net.exe
PID 3880 wrote to memory of 3228	3880	cmd.exe	net.exe
PID 3228 wrote to memory of 1860	3228	net.exe	net1.exe
PID 3228 wrote to memory of 1860	3228	net.exe	net1.exe
PID 3228 wrote to memory of 1860	3228	net.exe	net1.exe
PID 4652 wrote to memory of 3372	4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe	cmd.exe
PID 4652 wrote to memory of 3372	4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe	cmd.exe
PID 4652 wrote to memory of 3372	4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe	cmd.exe
PID 3372 wrote to memory of 3208	3372	cmd.exe	net.exe
PID 3372 wrote to memory of 3208	3372	cmd.exe	net.exe
PID 3372 wrote to memory of 3208	3372	cmd.exe	net.exe
PID 3208 wrote to memory of 4292	3208	net.exe	net1.exe
PID 3208 wrote to memory of 4292	3208	net.exe	net1.exe
PID 3208 wrote to memory of 4292	3208	net.exe	net1.exe
PID 4652 wrote to memory of 1900	4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe	cmd.exe
PID 4652 wrote to memory of 1900	4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe	cmd.exe
PID 4652 wrote to memory of 1900	4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe	cmd.exe
PID 1900 wrote to memory of 4340	1900	cmd.exe	net.exe
PID 1900 wrote to memory of 4340	1900	cmd.exe	net.exe
PID 1900 wrote to memory of 4340	1900	cmd.exe	net.exe
PID 4340 wrote to memory of 4328	4340	net.exe	net1.exe
PID 4340 wrote to memory of 4328	4340	net.exe	net1.exe
PID 4340 wrote to memory of 4328	4340	net.exe	net1.exe
PID 4652 wrote to memory of 4440	4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe	cmd.exe
PID 4652 wrote to memory of 4440	4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe	cmd.exe
PID 4652 wrote to memory of 4440	4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe	cmd.exe
PID 4440 wrote to memory of 4396	4440	cmd.exe	netsh.exe
PID 4440 wrote to memory of 4396	4440	cmd.exe	netsh.exe
PID 4440 wrote to memory of 4396	4440	cmd.exe	netsh.exe
PID 4652 wrote to memory of 640	4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe	cmd.exe
PID 4652 wrote to memory of 640	4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe	cmd.exe
PID 4652 wrote to memory of 640	4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe	cmd.exe
PID 640 wrote to memory of 996	640	cmd.exe	netsh.exe
PID 640 wrote to memory of 996	640	cmd.exe	netsh.exe
PID 640 wrote to memory of 996	640	cmd.exe	netsh.exe
PID 4652 wrote to memory of 1152	4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe	cmd.exe
PID 4652 wrote to memory of 1152	4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe	cmd.exe
PID 4652 wrote to memory of 1152	4652	353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe	cmd.exe
PID 1152 wrote to memory of 1484	1152	cmd.exe	net.exe
PID 1152 wrote to memory of 1484	1152	cmd.exe	net.exe
PID 1152 wrote to memory of 1484	1152	cmd.exe	net.exe
PID 1484 wrote to memory of 1588	1484	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
"C:\Users\Admin\AppData\Local\Temp\353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSDTC
2⤵
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\SysWOW64\net.exe
net stop MSDTC
3⤵
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSDTC
4⤵
PID:5096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:1012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
2⤵
PID:3704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
2⤵
PID:3268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
2⤵
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\SysWOW64\net.exe
net stop SQLSERVERAGENT
3⤵
- Suspicious use of WriteProcessMemory
PID:3228

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT
4⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
- Suspicious use of WriteProcessMemory
PID:3208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:4292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop vds
2⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\net.exe
net stop vds
3⤵
- Suspicious use of WriteProcessMemory
PID:4340

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vds
4⤵
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
2⤵
- Suspicious use of WriteProcessMemory
PID:4440

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
PID:4396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
2⤵
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
PID:996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLWriter
2⤵
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
3⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
4⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLBrowser
2⤵
PID:1740

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
3⤵
PID:1504

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
4⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
PID:2336

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
PID:2972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:2536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
2⤵
PID:2864

C:\Windows\SysWOW64\net.exe
net stop MSSQL$CONTOSO1
3⤵
PID:3900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$CONTOSO1
4⤵
PID:4612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/640-19-0x0000000000000000-mapping.dmp

Download
memory/996-20-0x0000000000000000-mapping.dmp

Download
memory/1012-5-0x0000000000000000-mapping.dmp

Download
memory/1152-21-0x0000000000000000-mapping.dmp

Download
memory/1484-22-0x0000000000000000-mapping.dmp

Download
memory/1504-25-0x0000000000000000-mapping.dmp

Download
memory/1588-23-0x0000000000000000-mapping.dmp

Download
memory/1740-24-0x0000000000000000-mapping.dmp

Download
memory/1860-10-0x0000000000000000-mapping.dmp

Download
memory/1900-14-0x0000000000000000-mapping.dmp

Download
memory/2236-26-0x0000000000000000-mapping.dmp

Download
memory/2336-27-0x0000000000000000-mapping.dmp

Download
memory/2536-29-0x0000000000000000-mapping.dmp

Download
memory/2864-30-0x0000000000000000-mapping.dmp

Download
memory/2972-28-0x0000000000000000-mapping.dmp

Download
memory/3208-12-0x0000000000000000-mapping.dmp

Download
memory/3228-9-0x0000000000000000-mapping.dmp

Download
memory/3268-7-0x0000000000000000-mapping.dmp

Download
memory/3372-11-0x0000000000000000-mapping.dmp

Download
memory/3704-6-0x0000000000000000-mapping.dmp

Download
memory/3880-8-0x0000000000000000-mapping.dmp

Download
memory/3900-31-0x0000000000000000-mapping.dmp

Download
memory/4292-13-0x0000000000000000-mapping.dmp

Download
memory/4328-16-0x0000000000000000-mapping.dmp

Download
memory/4340-15-0x0000000000000000-mapping.dmp

Download
memory/4396-18-0x0000000000000000-mapping.dmp

Download
memory/4440-17-0x0000000000000000-mapping.dmp

Download
memory/4612-32-0x0000000000000000-mapping.dmp

Download
memory/4652-34-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/4652-33-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/4652-36-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/4652-35-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/4652-37-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/4652-46-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/4652-45-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/4652-47-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/4916-2-0x0000000000000000-mapping.dmp

Download
memory/5060-3-0x0000000000000000-mapping.dmp

Download
memory/5096-4-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads