xmrig | 21420b8630260dae7f0ea14a319a8b3ae6910def98599109b365f710e835b9c4

General

Target

wyooy@aol.com.exe
Size

1.3MB
MD5

645d774a869c582b2c46beed455321d4
SHA1

e94862c25377373f54ce668051df0d95d3746514
SHA256

21420b8630260dae7f0ea14a319a8b3ae6910def98599109b365f710e835b9c4
SHA512

2c7cc053ed79e52f7e2ae508d2d832e6efa0b9a24dc71158fbc25d829c3d9ad8aa8f5c04e7fff94152dacc04cc1d7604da147ee201d900efcbcc62fe95f15b81

Score

10^/10

xmrig evasion miner ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Public\Desktop\Decrypt-me.txt

Ransom Note

All Your Files Has Been Encrypted You Have to Pay to Get Your Files Back 1-Go to C:\ProgramData\ folder and send us prvkey*.txt.key file , * might be a number (like this : prvkey3.txt.key) 2-You can send some file little than 1mb for Decryption test to trust us But the test File should not contain valuable data 3-Payment should be with Bitcoin 4-Changing Windows without saving prvkey.txt.key file will cause permanete Data loss Our Email:wyooy@tutanota.com in Case of no Answer:wyooy@aol.com

Emails

Email:wyooy@tutanota.com

Answer:wyooy@aol.com

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Drops file in Drivers directory 9 IoCs

Processes:

wyooy@aol.com.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	wyooy@aol.com.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	wyooy@aol.com.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	wyooy@aol.com.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	wyooy@aol.com.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	wyooy@aol.com.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	wyooy@aol.com.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	wyooy@aol.com.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	wyooy@aol.com.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	wyooy@aol.com.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

wyooy@aol.com.exe

description ioc process

File opened for modification C:\Users\Admin\Pictures\UseUpdate.tiff wyooy@aol.com.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\UseUpdate.tiff	wyooy@aol.com.exe

Drops startup file 1 IoCs

Processes:

wyooy@aol.com.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	wyooy@aol.com.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

Processes:

wyooy@aol.com.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Windows\Media\Afternoon\Desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Windows\Media\Calligraphy\Desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\Public\desktop.ini	wyooy@aol.com.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	wyooy@aol.com.exe
File created	C:\Program Files\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Windows\Media\Garden\Desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Windows\Media\Landscape\Desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Windows\Media\Raga\Desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Windows\Media\Savanna\Desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Windows\Media\Festival\Desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\93PHUZFG\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Windows\Media\Delta\Desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AJ1NIV9I\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	wyooy@aol.com.exe

Drops file in System32 directory 64 IoCs

Processes:

wyooy@aol.com.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Vault.dll	wyooy@aol.com.exe
File opened for modification	C:\Windows\SysWOW64\winbrand.dll	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-ProfessionalEdition-wrapper~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Windows-WinIP-Package~31bf3856ad364e35~amd64~pt-BR~7.1.7601.16492.cat	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00b.inf_amd64_neutral_2e6b718b2b177506\Amd64\EP0NGEUM.GPD	wyooy@aol.com.exe
File opened for modification	C:\Windows\SysWOW64\C_20105.NLS	wyooy@aol.com.exe
File opened for modification	C:\Windows\SysWOW64\dxva2.dll	wyooy@aol.com.exe
File opened for modification	C:\Windows\SysWOW64\scrptadm.dll	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngt004.inf_amd64_neutral_f5bf8a7ba9dfff55\Amd64\GE1311E3.PPD	wyooy@aol.com.exe
File opened for modification	C:\Windows\SysWOW64\networkexplorer.dll	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\acpipmi.inf_amd64_neutral_256ad642985694b3\acpipmi.PNF	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky003.inf_amd64_neutral_fe7ea176f20ab839\Amd64\KYFS2000.GPD	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnin003.inf_amd64_neutral_3a3c6293d0cda862\prnin003.cat	wyooy@aol.com.exe
File opened for modification	C:\Windows\SysWOW64\qdvd.dll	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmnttme.inf_amd64_neutral_ece4b1cc5aee6a38\mdmnttme.inf	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPP8400T.XML	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVPA7.GPD	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnr004.inf_amd64_neutral_3319ff2548f89fd8\Amd64\NR4171E3.PPD	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnod002.inf_amd64_neutral_a10c656b6c7c053c\Amd64\OKML491.GPD	wyooy@aol.com.exe
File opened for modification	C:\Windows\SysWOW64\gpprnext.dll	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Windows-WinIP-Package~31bf3856ad364e35~amd64~es-ES~7.1.7601.16492.cat	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Windows-WinIP-Package~31bf3856ad364e35~amd64~sv-SE~7.1.7601.16492.cat	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpd7500t.dll	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_neutral_9b214cd9b78760aa\mxdwdui.dll	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc006.inf_amd64_neutral_7e12a60cc98d3f89\Amd64\RIA255B6.GPD	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc007.inf_amd64_neutral_2df575afa0f7d35f\Amd64\RAF31353.PPD	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package~31bf3856ad364e35~amd64~en-GB~7.1.7601.16492.cat	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Printing-PremiumTools-Package~31bf3856ad364e35~amd64~en-US~6.1.7600.16385.cat	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00g.inf_amd64_neutral_6f76b14b2912fa55\Amd64\CNB7UJAA.ICM	wyooy@aol.com.exe
File opened for modification	C:\Windows\SysWOW64\irprops.cpl	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmbr004.inf_amd64_neutral_ccf1bc353e588fe1\BrSerIb.sys	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnkm005.inf_amd64_neutral_c03c9e328608873e\prnkm005.cat	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\sml455.ppd	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPC1RWSL.PPD	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPC5200F.GPD	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnin002.inf_amd64_neutral_977d40799168c216\Amd64\IFC6000.GPD	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~en-US~11.2.9600.16428.cat	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-WinIP-Package~31bf3856ad364e35~amd64~nl-NL~7.1.7601.16492.cat	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngt002.inf_amd64_neutral_df2060d80de9ff13\Amd64\GS5000B.GPD	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO2700T.GPD	wyooy@aol.com.exe
File opened for modification	C:\Windows\SysWOW64\wshext.dll	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Branding-Ultimate-Client-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package-MiniLP~31bf3856ad364e35~amd64~ro-RO~7.1.7601.16492.cat	wyooy@aol.com.exe
File opened for modification	C:\Windows\SysWOW64\pcl.sep	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\wialx006.inf_loc	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnr002.inf_amd64_neutral_37896c5e81c8d488\Amd64\NRC410D.GPD	wyooy@aol.com.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-crt-conio-l1-1-0.dll	wyooy@aol.com.exe
File opened for modification	C:\Windows\SysWOW64\C_28595.NLS	wyooy@aol.com.exe
File opened for modification	C:\Windows\SysWOW64\dmdskres.dll	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\lsi_sas2.inf_amd64_neutral_e12a5c4cfbe49204\lsi_sas2.inf	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr003.inf_amd64_neutral_dff45d1d0df04caf\Amd64\BRQL105.GPD	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00e.inf_amd64_neutral_651eeed98428be5e\prnca00e.cat	wyooy@aol.com.exe
File opened for modification	C:\Windows\SysWOW64\rendezvousSession.tlb	wyooy@aol.com.exe
File opened for modification	C:\Windows\SysWOW64\WMVCORE.DLL	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-ClipsInTheLibrary-Package~31bf3856ad364e35~amd64~en-US~6.1.7600.16385.cat	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPDJ5550.CFG	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky009.inf_amd64_neutral_8e54c9ff272b72f1\Amd64\KYUD2020.GDL	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\memory.inf_loc	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPC3055F.GPD	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnle003.inf_amd64_neutral_c61883abf66ddb39\Amd64\LR30106.GPD	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnr002.inf_amd64_neutral_37896c5e81c8d488\prnnr002.PNF	wyooy@aol.com.exe
File opened for modification	C:\Windows\SysWOW64\sppc.dll	wyooy@aol.com.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Branding-Starter-Client-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat	wyooy@aol.com.exe

Drops file in Program Files directory 64 IoCs

Processes:

wyooy@aol.com.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00809_.WMF.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01297_.GIF	wyooy@aol.com.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0205462.WMF	wyooy@aol.com.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04369_.WMF.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\blackbars80.png	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-applemenu.jar.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_ja.jar.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\MANUAL.ICO	wyooy@aol.com.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Csi.dll.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\TAB_OFF.GIF	wyooy@aol.com.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00397_.WMF.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui	wyooy@aol.com.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\bandwidth.png	wyooy@aol.com.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\vlc.mo.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_zh_4.4.0.v20140623020002.jar.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01173_.WMF	wyooy@aol.com.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196142.WMF.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Fortaleza	wyooy@aol.com.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02097_.WMF	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Santa_Isabel.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\THMBNAIL.PNG.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\MP00021_.WMF.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.xml.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\TAB_OFF.GIF	wyooy@aol.com.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext.png	wyooy@aol.com.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199423.WMF.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02278_.WMF.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR37F.GIF	wyooy@aol.com.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GIFT.DPV	wyooy@aol.com.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlcecompact35.dll	wyooy@aol.com.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0301432.WMF.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153299.WMF.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\AST4ADT	wyooy@aol.com.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\liblive555_plugin.dll.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File created	C:\Program Files\Mozilla Firefox\libEGL.dll.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHD98.POC	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-visual_zh_CN.jar.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEEXCH.DLL.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\cacerts.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\+Connect to New Data Source.odc	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_zh_CN.jar	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\PYCC.pf	wyooy@aol.com.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.expressions_3.4.600.v20140128-0851.jar.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-applemenu.jar.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BROCHURE.XML	wyooy@aol.com.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GREET11.POC	wyooy@aol.com.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\BLUEPRNT.INF	wyooy@aol.com.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\Client.xml	wyooy@aol.com.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384885.JPG.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\JAWTAccessBridge-64.dll.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\axvlc.dll	wyooy@aol.com.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_ja_4.4.0.v20140623020002.jar.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\MsMpRes.dll.mui	wyooy@aol.com.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSOCF.DLL.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_mmx_plugin.dll.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\PAPYRUS.ELM.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Maldives.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_ja_4.4.0.v20140623020002.jar.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Currie.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\mscss7en.dll.[wyooy@tutanota.com][MJ-AE7580931642].hydra	wyooy@aol.com.exe

Drops file in Windows directory 64 IoCs

Processes:

wyooy@aol.com.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PresentationHostDLL_x86.dll.mui	wyooy@aol.com.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	wyooy@aol.com.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\manageSingleRole.aspx.resx	wyooy@aol.com.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~el-GR~7.1.7601.16492.cat	wyooy@aol.com.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Security.aspx.resx	wyooy@aol.com.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\System.DirectoryServices.Protocols.dll	wyooy@aol.com.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp.aspx.resx	wyooy@aol.com.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-IIS-WebServer-AddOn-2-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.mum	wyooy@aol.com.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Common-Modem-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	wyooy@aol.com.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~en-US~11.2.9600.16428.cat	wyooy@aol.com.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data\55389b61c315fb0ad52077f949c7a8dc\System.Data.ni.dll.aux	wyooy@aol.com.exe
File opened for modification	C:\Windows\Fonts\coureg.fon	wyooy@aol.com.exe
File opened for modification	C:\Windows\Fonts\SNAP____.TTF	wyooy@aol.com.exe
File opened for modification	C:\Windows\Media\Cityscape\Windows Logoff Sound.wav	wyooy@aol.com.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Policy.1.0.Microsoft.Powershell.Commands.Management\v4.0_1.0.0.0__31bf3856ad364e35\policy.1.0.Microsoft.Powershell.Commands.Management.dll	wyooy@aol.com.exe
File opened for modification	C:\Windows\Help\Windows\en-US\locate.h1s	wyooy@aol.com.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet.mof.uninstall	wyooy@aol.com.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00005.log	wyooy@aol.com.exe
File opened for modification	C:\Windows\Cursors\aero_helpsel_l.cur	wyooy@aol.com.exe
File opened for modification	C:\Windows\diagnostics\index\WindowsMediaPlayerMediaLibrary.xml	wyooy@aol.com.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state_perf.h	wyooy@aol.com.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\caspol.exe.config	wyooy@aol.com.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Reflection.context.dll	wyooy@aol.com.exe
File opened for modification	C:\Windows\Fonts\ssef874.fon	wyooy@aol.com.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Data.Entity.dll	wyooy@aol.com.exe
File opened for modification	C:\Windows\Cursors\size3_im.cur	wyooy@aol.com.exe
File opened for modification	C:\Windows\inf\prnep003.PNF	wyooy@aol.com.exe
File opened for modification	C:\Windows\inf\MSDTC\msdtcprf.h	wyooy@aol.com.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Net.Http.WebRequest.dll	wyooy@aol.com.exe
File opened for modification	C:\Windows\Cursors\aero_pen_xl.cur	wyooy@aol.com.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif	wyooy@aol.com.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Shell-SoundThemes-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum	wyooy@aol.com.exe
File opened for modification	C:\Windows\servicing\Packages\Package_for_KB2999226_SP1~31bf3856ad364e35~amd64~~6.1.1.7.cat	wyooy@aol.com.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Shell-WinIP-Package~31bf3856ad364e35~amd64~pt-PT~7.1.7601.16492.mum	wyooy@aol.com.exe
File opened for modification	C:\Windows\Speech\Engines\SR\en-GB\AF032057.am	wyooy@aol.com.exe
File opened for modification	C:\Windows\Fonts\gautamib.ttf	wyooy@aol.com.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	wyooy@aol.com.exe
File opened for modification	C:\Windows\PLA\Reports\Report.System.Configuration.xml	wyooy@aol.com.exe
File opened for modification	C:\Windows\Resources\Themes\architecture.theme	wyooy@aol.com.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package-MiniLP~31bf3856ad364e35~amd64~en-GB~7.1.7601.16492.mum	wyooy@aol.com.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Servf73e6522#\60b93ce08d30a2fba087f8630a504cb8\System.ServiceModel.Web.ni.dll.aux	wyooy@aol.com.exe
File opened for modification	C:\Windows\inf\unknown.PNF	wyooy@aol.com.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatiob3047ded#\db7f29ce66da5498e9ae3b5eb88e40a6\PresentationFramework.Royale.ni.dll.aux	wyooy@aol.com.exe
File opened for modification	C:\Windows\inf\mdmlasat.inf	wyooy@aol.com.exe
File opened for modification	C:\Windows\inf\prnep002.inf	wyooy@aol.com.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1028\LocalizedData.xml	wyooy@aol.com.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-ICM-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat	wyooy@aol.com.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\5ac17cc5b92efda83e2925857f4fa655\System.Numerics.ni.dll.aux	wyooy@aol.com.exe
File opened for modification	C:\Windows\inf\SMSvcHost 3.0.0.0\_SMSvcHostPerfCounters.h	wyooy@aol.com.exe
File opened for modification	C:\Windows\Media\Cityscape\Windows Battery Low.wav	wyooy@aol.com.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb	wyooy@aol.com.exe
File opened for modification	C:\Windows\servicing\Packages\Package_for_KB976932~31bf3856ad364e35~amd64~~6.1.0.17514.cat	wyooy@aol.com.exe
File opened for modification	C:\Windows\inf\.NET Data Provider for SqlServer\0000\_dataperfcounters_shared12_neutral_D.ini	wyooy@aol.com.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_GlobalResources\GlobalResources.resx	wyooy@aol.com.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\mcstore\6.1.0.0__31bf3856ad364e35\mcstore.dll	wyooy@aol.com.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\2bd538d545e15452202ef3b41080e2ce\ComSvcConfig.ni.exe.aux	wyooy@aol.com.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9064068c#\afee8437a90f473862f2d364b3669041\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux	wyooy@aol.com.exe
File opened for modification	C:\Windows\Fonts\verdana.ttf	wyooy@aol.com.exe
File opened for modification	C:\Windows\Fonts\vgaoem.fon	wyooy@aol.com.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.InfoPath\14.0.0.0__71e9bce111e9429c\policy.12.0.Microsoft.Office.Interop.InfoPath.dll	wyooy@aol.com.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Security\821d4406efa3556465e6244fae26b536\System.Security.ni.dll	wyooy@aol.com.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll	wyooy@aol.com.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtilLib.dll	wyooy@aol.com.exe
File opened for modification	C:\Windows\servicing\GC64\tzupd.exe	wyooy@aol.com.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

wyooy@aol.com.exe

pid	process
1676	wyooy@aol.com.exe
1676	wyooy@aol.com.exe
1676	wyooy@aol.com.exe
1676	wyooy@aol.com.exe
1676	wyooy@aol.com.exe
1676	wyooy@aol.com.exe
1676	wyooy@aol.com.exe
1676	wyooy@aol.com.exe
1676	wyooy@aol.com.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

wyooy@aol.com.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 1676 wrote to memory of 1984	1676	wyooy@aol.com.exe	cmd.exe
PID 1676 wrote to memory of 1984	1676	wyooy@aol.com.exe	cmd.exe
PID 1676 wrote to memory of 1984	1676	wyooy@aol.com.exe	cmd.exe
PID 1676 wrote to memory of 1984	1676	wyooy@aol.com.exe	cmd.exe
PID 1984 wrote to memory of 1964	1984	cmd.exe	net.exe
PID 1984 wrote to memory of 1964	1984	cmd.exe	net.exe
PID 1984 wrote to memory of 1964	1984	cmd.exe	net.exe
PID 1984 wrote to memory of 1964	1984	cmd.exe	net.exe
PID 1964 wrote to memory of 1956	1964	net.exe	net1.exe
PID 1964 wrote to memory of 1956	1964	net.exe	net1.exe
PID 1964 wrote to memory of 1956	1964	net.exe	net1.exe
PID 1964 wrote to memory of 1956	1964	net.exe	net1.exe
PID 1676 wrote to memory of 1936	1676	wyooy@aol.com.exe	cmd.exe
PID 1676 wrote to memory of 1936	1676	wyooy@aol.com.exe	cmd.exe
PID 1676 wrote to memory of 1936	1676	wyooy@aol.com.exe	cmd.exe
PID 1676 wrote to memory of 1936	1676	wyooy@aol.com.exe	cmd.exe
PID 1676 wrote to memory of 1700	1676	wyooy@aol.com.exe	cmd.exe
PID 1676 wrote to memory of 1700	1676	wyooy@aol.com.exe	cmd.exe
PID 1676 wrote to memory of 1700	1676	wyooy@aol.com.exe	cmd.exe
PID 1676 wrote to memory of 1700	1676	wyooy@aol.com.exe	cmd.exe
PID 1676 wrote to memory of 1756	1676	wyooy@aol.com.exe	cmd.exe
PID 1676 wrote to memory of 1756	1676	wyooy@aol.com.exe	cmd.exe
PID 1676 wrote to memory of 1756	1676	wyooy@aol.com.exe	cmd.exe
PID 1676 wrote to memory of 1756	1676	wyooy@aol.com.exe	cmd.exe
PID 1676 wrote to memory of 2024	1676	wyooy@aol.com.exe	cmd.exe
PID 1676 wrote to memory of 2024	1676	wyooy@aol.com.exe	cmd.exe
PID 1676 wrote to memory of 2024	1676	wyooy@aol.com.exe	cmd.exe
PID 1676 wrote to memory of 2024	1676	wyooy@aol.com.exe	cmd.exe
PID 2024 wrote to memory of 2036	2024	cmd.exe	net.exe
PID 2024 wrote to memory of 2036	2024	cmd.exe	net.exe
PID 2024 wrote to memory of 2036	2024	cmd.exe	net.exe
PID 2024 wrote to memory of 2036	2024	cmd.exe	net.exe
PID 2036 wrote to memory of 2012	2036	net.exe	net1.exe
PID 2036 wrote to memory of 2012	2036	net.exe	net1.exe
PID 2036 wrote to memory of 2012	2036	net.exe	net1.exe
PID 2036 wrote to memory of 2012	2036	net.exe	net1.exe
PID 1676 wrote to memory of 1280	1676	wyooy@aol.com.exe	cmd.exe
PID 1676 wrote to memory of 1280	1676	wyooy@aol.com.exe	cmd.exe
PID 1676 wrote to memory of 1280	1676	wyooy@aol.com.exe	cmd.exe
PID 1676 wrote to memory of 1280	1676	wyooy@aol.com.exe	cmd.exe
PID 1280 wrote to memory of 1312	1280	cmd.exe	net.exe
PID 1280 wrote to memory of 1312	1280	cmd.exe	net.exe
PID 1280 wrote to memory of 1312	1280	cmd.exe	net.exe
PID 1280 wrote to memory of 1312	1280	cmd.exe	net.exe
PID 1312 wrote to memory of 1308	1312	net.exe	net1.exe
PID 1312 wrote to memory of 1308	1312	net.exe	net1.exe
PID 1312 wrote to memory of 1308	1312	net.exe	net1.exe
PID 1312 wrote to memory of 1308	1312	net.exe	net1.exe
PID 1676 wrote to memory of 1200	1676	wyooy@aol.com.exe	cmd.exe
PID 1676 wrote to memory of 1200	1676	wyooy@aol.com.exe	cmd.exe
PID 1676 wrote to memory of 1200	1676	wyooy@aol.com.exe	cmd.exe
PID 1676 wrote to memory of 1200	1676	wyooy@aol.com.exe	cmd.exe
PID 1200 wrote to memory of 1516	1200	cmd.exe	net.exe
PID 1200 wrote to memory of 1516	1200	cmd.exe	net.exe
PID 1200 wrote to memory of 1516	1200	cmd.exe	net.exe
PID 1200 wrote to memory of 1516	1200	cmd.exe	net.exe
PID 1516 wrote to memory of 316	1516	net.exe	net1.exe
PID 1516 wrote to memory of 316	1516	net.exe	net1.exe
PID 1516 wrote to memory of 316	1516	net.exe	net1.exe
PID 1516 wrote to memory of 316	1516	net.exe	net1.exe
PID 1676 wrote to memory of 268	1676	wyooy@aol.com.exe	cmd.exe
PID 1676 wrote to memory of 268	1676	wyooy@aol.com.exe	cmd.exe
PID 1676 wrote to memory of 268	1676	wyooy@aol.com.exe	cmd.exe
PID 1676 wrote to memory of 268	1676	wyooy@aol.com.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\wyooy@aol.com.exe
"C:\Users\Admin\AppData\Local\Temp\wyooy@aol.com.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSDTC
2⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\net.exe
net stop MSDTC
3⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSDTC
4⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:1936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
2⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
2⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
2⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\net.exe
net stop SQLSERVERAGENT
3⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT
4⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:1308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop vds
2⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\net.exe
net stop vds
3⤵
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vds
4⤵
PID:316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
2⤵
PID:268

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
PID:576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
2⤵
PID:1384

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
PID:624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLWriter
2⤵
PID:1492

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
3⤵
PID:816

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
4⤵
PID:932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLBrowser
2⤵
PID:1784

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
3⤵
PID:748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
4⤵
PID:616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
PID:240

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
PID:1708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
2⤵
PID:1724

C:\Windows\SysWOW64\net.exe
net stop MSSQL$CONTOSO1
3⤵
PID:2044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$CONTOSO1
4⤵
PID:2024

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:816

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x570
1⤵
PID:240

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\Decrypt-me.txt
1⤵
PID:828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Desktop\Decrypt-me.txt
MD5
9fb2e4621acbbc520e21de632778f6c3

SHA1
5dff477edace5d0633dbf50bf40d1467cb990347

SHA256
a0b9230abf9594ed35a5b83aab32c6515f560ff6ed66e070a10ce107fcf3fb4d

SHA512
fb3f71c005a2677deeefebd6019dd51aaf0e70235d87a78886e228113cd594f73b1860785d888b1c94cb9dc1c77344848f0cbf322a61d048fb99c9816c10f088

Download Submit
memory/240-86-0x0000000000000000-mapping.dmp

Download
memory/268-74-0x0000000000000000-mapping.dmp

Download
memory/316-73-0x0000000000000000-mapping.dmp

Download
memory/576-76-0x0000000075971000-0x0000000075973000-memory.dmp

Filesize
8KB

Download
memory/576-75-0x0000000000000000-mapping.dmp

Download
memory/616-85-0x0000000000000000-mapping.dmp

Download
memory/624-78-0x0000000000000000-mapping.dmp

Download
memory/748-84-0x0000000000000000-mapping.dmp

Download
memory/816-92-0x000007FEFBE41000-0x000007FEFBE43000-memory.dmp

Filesize
8KB

Download
memory/816-81-0x0000000000000000-mapping.dmp

Download
memory/932-82-0x0000000000000000-mapping.dmp

Download
memory/1200-71-0x0000000000000000-mapping.dmp

Download
memory/1280-68-0x0000000000000000-mapping.dmp

Download
memory/1308-70-0x0000000000000000-mapping.dmp

Download
memory/1312-69-0x0000000000000000-mapping.dmp

Download
memory/1384-77-0x0000000000000000-mapping.dmp

Download
memory/1492-80-0x0000000000000000-mapping.dmp

Download
memory/1516-72-0x0000000000000000-mapping.dmp

Download
memory/1700-63-0x0000000000000000-mapping.dmp

Download
memory/1708-87-0x0000000000000000-mapping.dmp

Download
memory/1720-88-0x0000000000000000-mapping.dmp

Download
memory/1724-89-0x0000000000000000-mapping.dmp

Download
memory/1756-64-0x0000000000000000-mapping.dmp

Download
memory/1784-83-0x0000000000000000-mapping.dmp

Download
memory/1936-62-0x0000000000000000-mapping.dmp

Download
memory/1956-61-0x0000000000000000-mapping.dmp

Download
memory/1964-60-0x0000000000000000-mapping.dmp

Download
memory/1984-59-0x0000000000000000-mapping.dmp

Download
memory/2012-67-0x0000000000000000-mapping.dmp

Download
memory/2024-65-0x0000000000000000-mapping.dmp

Download
memory/2024-91-0x0000000000000000-mapping.dmp

Download
memory/2036-66-0x0000000000000000-mapping.dmp

Download
memory/2044-90-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads