Analysis
max time kernel: 134s
max time network: 111s
platform: windows10_x64
resource: win10v20201028
submitted: 06-04-2021 16:38

Static task: static1

Behavioral task: behavioral1
Sample: updated.exe
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: updated.exe
Resource: win10v20201028 (windows10_x64)
0 signatures, 0 seconds

General
Target: updated.exe
Size: 5.1MB
MD5: e3749a1c5284b28ad7ded54ed747b6e0
SHA1: c516f5af4ab59ec6750ac86d11f06ee1dd47a1dd
SHA256: 430039aeee4362784600b6b6994b72395c2666aa6d1ad30e6cbf1ed89ecbeaa9
SHA512: acd1911e755d715b7c96ea278a6f4ea039884a85ac230913b1bd85b3f1ab6e322d9cbe9e9869a4c9eeeb5460ebeca9591b5e64d48789ded45d8bc0168ec22bb4
Score: 8/10

Malware Config

Signatures
Drops file in Drivers directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\en-US\READ-ME-NOW.txt | updated.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\READ-ME-NOW.txt | updated.exe
File opened for modification | C:\Windows\SysWOW64\drivers\READ-ME-NOW.txt | updated.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\READ-ME-NOW.txt | updated.exe
Modifies extensions of user files (13 IoCs)
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\AddImport.crw => C:\Users\Admin\Pictures\AddImport.crw.glock | updated.exe
File renamed | C:\Users\Admin\Pictures\CloseMerge.raw => C:\Users\Admin\Pictures\CloseMerge.raw.glock | updated.exe
File renamed | C:\Users\Admin\Pictures\DisableSuspend.tif => C:\Users\Admin\Pictures\DisableSuspend.tif.glock | updated.exe
File opened for modification | C:\Users\Admin\Pictures\DisconnectResize.tiff | updated.exe
File renamed | C:\Users\Admin\Pictures\DisconnectResize.tiff => C:\Users\Admin\Pictures\DisconnectResize.tiff.glock | updated.exe
File renamed | C:\Users\Admin\Pictures\MeasureReset.crw => C:\Users\Admin\Pictures\MeasureReset.crw.glock | updated.exe
File renamed | C:\Users\Admin\Pictures\ReceiveEdit.raw => C:\Users\Admin\Pictures\ReceiveEdit.raw.glock | updated.exe
File renamed | C:\Users\Admin\Pictures\BlockMove.raw => C:\Users\Admin\Pictures\BlockMove.raw.glock | updated.exe
File renamed | C:\Users\Admin\Pictures\CompressUnprotect.raw => C:\Users\Admin\Pictures\CompressUnprotect.raw.glock | updated.exe
File renamed | C:\Users\Admin\Pictures\InvokeSwitch.tif => C:\Users\Admin\Pictures\InvokeSwitch.tif.glock | updated.exe
File renamed | C:\Users\Admin\Pictures\ResolveResume.tif => C:\Users\Admin\Pictures\ResolveResume.tif.glock | updated.exe
File renamed | C:\Users\Admin\Pictures\SelectReceive.png => C:\Users\Admin\Pictures\SelectReceive.png.glock | updated.exe
File renamed | C:\Users\Admin\Pictures\WaitStart.png => C:\Users\Admin\Pictures\WaitStart.png.glock | updated.exe
Drops startup file (2 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READ-ME-NOW.txt | updated.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\READ-ME-NOW.txt | updated.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) (27 IoCs)
Drops file in System32 directory (64 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc
HTTP User-Agent header 16 Go-http-client/1.1 -
Kills process with taskkill 41 IoCs
pid Process
1528 taskkill.exe
2312 taskkill.exe
2864 taskkill.exe
2160 taskkill.exe
2132 taskkill.exe
1128 taskkill.exe
1976 taskkill.exe
4164 taskkill.exe
312 taskkill.exe
1736 taskkill.exe
4552 taskkill.exe
4940 taskkill.exe
1388 taskkill.exe
4480 taskkill.exe
1564 taskkill.exe
4756 taskkill.exe
4148 taskkill.exe
1188 taskkill.exe
228 taskkill.exe
2780 taskkill.exe
2208 taskkill.exe
676 taskkill.exe
1692 taskkill.exe
3864 taskkill.exe
1020 taskkill.exe
1720 taskkill.exe
2640 taskkill.exe
3048 taskkill.exe
376 taskkill.exe
2564 taskkill.exe
4308 taskkill.exe
60 taskkill.exe
752 taskkill.exe
4192 taskkill.exe
3284 taskkill.exe
3140 taskkill.exe
880 taskkill.exe
2120 taskkill.exe
2184 taskkill.exe
3976 taskkill.exe
3288 taskkill.exe -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process
Token: SeDebugPrivilege 4148 taskkill.exe
Token: SeDebugPrivilege 3140 taskkill.exe
Token: SeDebugPrivilege 3048 taskkill.exe
Token: SeDebugPrivilege 4164 taskkill.exe
Token: SeDebugPrivilege 880 taskkill.exe
Token: SeDebugPrivilege 676 taskkill.exe
Token: SeDebugPrivilege 1388 taskkill.exe
Token: SeDebugPrivilege 1528 taskkill.exe
Token: SeDebugPrivilege 376 taskkill.exe
Token: SeDebugPrivilege 1720 taskkill.exe
Token: SeDebugPrivilege 1188 taskkill.exe
Token: SeDebugPrivilege 312 taskkill.exe
Token: SeDebugPrivilege 1736 taskkill.exe
Token: SeDebugPrivilege 1692 taskkill.exe
Token: SeDebugPrivilege 2120 taskkill.exe
Token: SeDebugPrivilege 2564 taskkill.exe
Token: SeDebugPrivilege 4480 taskkill.exe
Token: SeDebugPrivilege 2312 taskkill.exe
Token: SeDebugPrivilege 3864 taskkill.exe
Token: SeDebugPrivilege 2864 taskkill.exe
Token: SeDebugPrivilege 2640 taskkill.exe
Token: SeDebugPrivilege 4308 taskkill.exe
Token: SeDebugPrivilege 228 taskkill.exe
Token: SeDebugPrivilege 2184 taskkill.exe
Token: SeDebugPrivilege 4552 taskkill.exe
Token: SeDebugPrivilege 60 taskkill.exe
Token: SeDebugPrivilege 1564 taskkill.exe
Token: SeDebugPrivilege 2780 taskkill.exe
Token: SeDebugPrivilege 4940 taskkill.exe
Token: SeDebugPrivilege 3976 taskkill.exe
Token: SeDebugPrivilege 752 taskkill.exe
Token: SeDebugPrivilege 1020 taskkill.exe
Token: SeDebugPrivilege 2160 taskkill.exe
Token: SeDebugPrivilege 4756 taskkill.exe
Token: SeDebugPrivilege 4192 taskkill.exe
Token: SeDebugPrivilege 2132 taskkill.exe
Token: SeDebugPrivilege 1128 taskkill.exe
Token: SeDebugPrivilege 3288 taskkill.exe
Token: SeDebugPrivilege 3284 taskkill.exe
Token: SeDebugPrivilege 2208 taskkill.exe
Token: SeDebugPrivilege 1976 taskkill.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4640 wrote to memory of 3292 4640 updated.exe 77
PID 4640 wrote to memory of 3292 4640 updated.exe 77
PID 4640 wrote to memory of 3292 4640 updated.exe 77
PID 4640 wrote to memory of 4164 4640 updated.exe 79
PID 4640 wrote to memory of 4164 4640 updated.exe 79
PID 4640 wrote to memory of 4164 4640 updated.exe 79
PID 4640 wrote to memory of 4148 4640 updated.exe 80
PID 4640 wrote to memory of 4148 4640 updated.exe 80
PID 4640 wrote to memory of 4148 4640 updated.exe 80
PID 4640 wrote to memory of 3140 4640 updated.exe 82
PID 4640 wrote to memory of 3140 4640 updated.exe 82
PID 4640 wrote to memory of 3140 4640 updated.exe 82
PID 4640 wrote to memory of 3048 4640 updated.exe 84
PID 4640 wrote to memory of 3048 4640 updated.exe 84
PID 4640 wrote to memory of 3048 4640 updated.exe 84
PID 4640 wrote to memory of 676 4640 updated.exe 87
PID 4640 wrote to memory of 676 4640 updated.exe 87
PID 4640 wrote to memory of 676 4640 updated.exe 87
PID 4640 wrote to memory of 880 4640 updated.exe 88
PID 4640 wrote to memory of 880 4640 updated.exe 88
PID 4640 wrote to memory of 880 4640 updated.exe 88
PID 4640 wrote to memory of 376 4640 updated.exe 90
PID 4640 wrote to memory of 376 4640 updated.exe 90
PID 4640 wrote to memory of 376 4640 updated.exe 90
PID 4640 wrote to memory of 1188 4640 updated.exe 92
PID 4640 wrote to memory of 1188 4640 updated.exe 92
PID 4640 wrote to memory of 1188 4640 updated.exe 92
PID 4640 wrote to memory of 1388 4640 updated.exe 94
PID 4640 wrote to memory of 1388 4640 updated.exe 94
PID 4640 wrote to memory of 1388 4640 updated.exe 94
PID 4640 wrote to memory of 1528 4640 updated.exe 96
PID 4640 wrote to memory of 1528 4640 updated.exe 96
PID 4640 wrote to memory of 1528 4640 updated.exe 96
PID 4640 wrote to memory of 1720 4640 updated.exe 97
PID 4640 wrote to memory of 1720 4640 updated.exe 97
PID 4640 wrote to memory of 1720 4640 updated.exe 97
PID 4640 wrote to memory of 1692 4640 updated.exe 98
PID 4640 wrote to memory of 1692 4640 updated.exe 98
PID 4640 wrote to memory of 1692 4640 updated.exe 98
PID 4640 wrote to memory of 312 4640 updated.exe 101
PID 4640 wrote to memory of 312 4640 updated.exe 101
PID 4640 wrote to memory of 312 4640 updated.exe 101
PID 4640 wrote to memory of 2120 4640 updated.exe 103
PID 4640 wrote to memory of 2120 4640 updated.exe 103
PID 4640 wrote to memory of 2120 4640 updated.exe 103
PID 4640 wrote to memory of 1736 4640 updated.exe 106
PID 4640 wrote to memory of 1736 4640 updated.exe 106
PID 4640 wrote to memory of 1736 4640 updated.exe 106
PID 4640 wrote to memory of 4480 4640 updated.exe 107
PID 4640 wrote to memory of 4480 4640 updated.exe 107
PID 4640 wrote to memory of 4480 4640 updated.exe 107
PID 4640 wrote to memory of 2312 4640 updated.exe 112
PID 4640 wrote to memory of 2312 4640 updated.exe 112
PID 4640 wrote to memory of 2312 4640 updated.exe 112
PID 4640 wrote to memory of 2564 4640 updated.exe 111
PID 4640 wrote to memory of 2564 4640 updated.exe 111
PID 4640 wrote to memory of 2564 4640 updated.exe 111
PID 4640 wrote to memory of 3864 4640 updated.exe 114
PID 4640 wrote to memory of 3864 4640 updated.exe 114
PID 4640 wrote to memory of 3864 4640 updated.exe 114
PID 4640 wrote to memory of 2864 4640 updated.exe 115
PID 4640 wrote to memory of 2864 4640 updated.exe 115
PID 4640 wrote to memory of 2864 4640 updated.exe 115
PID 4640 wrote to memory of 2640 4640 updated.exe 116
Processes
-
C:\Users\Admin\AppData\Local\Temp\updated.exe
  "C:\Users\Admin\AppData\Local\Temp\updated.exe"
  - Drops file in Drivers directory
  - Modifies extensions of user files
  - Drops startup file
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4640
  Child processes:
    C:\Windows\SysWOW64\mode.com
      mode con cp select=125 vssadmin delete shadows /all
      PID:3292
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im msaccess.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:4164
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im sqlagent.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:4148
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im mspub.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:3140
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im ocssd.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:3048
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im tbirdconfig.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:676
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im sqlbrowser.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:880
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im mydesktopqos.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:376
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im dbsnmp.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:1188
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im thebat64.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:1388
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im thunderdird.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:1528
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im sqbcoreservice.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:1720
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im encsvc.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:1692
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im winword.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:312
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im dbeng50.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:2120
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im ocomm.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:1736
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im ocautoupds.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:4480
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im firefoxconfig.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:2564
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im visio.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:2312
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im sqlservr.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:3864
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im infopath.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:2864
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im thebat.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:2640
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im excel.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:228
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im mysqld.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:2184
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im sqlserver.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:1564
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im powerpnt.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:4552
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im msftesql.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:4940
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im xfsssvccon.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:3976
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im notepad.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:2780
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im outlook.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:4308
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im onenote.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:60
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im notepad++.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:752
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im synctime.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:1020
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im agntsvc.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:4192
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im sqlwriter.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:4756
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im mysql-nt.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:2160
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im wordpad.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:2132
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im isqlplussvc.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:3288
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im mydesktopservice.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:3284
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im oracle.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:1128
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im steam.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:2208
    C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /im mysql-opt.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:1976
    C:\Windows\SysWOW64\mode.com
      mode con cp select=125 vssadmin delete shadows /all
      PID:4168