Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 62s
max time network: 136s
platform: windows7_x64
resource: win7v20210410
submitted: 14/04/2021, 06:42
Static task
static1
0 signatures
0 seconds
0 signatures
0 seconds
General
Target: -
Size: 1.3MB
MD5: 645d774a869c582b2c46beed455321d4
SHA1: e94862c25377373f54ce668051df0d95d3746514
SHA256: 21420b8630260dae7f0ea14a319a8b3ae6910def98599109b365f710e835b9c4
SHA512: 2c7cc053ed79e52f7e2ae508d2d832e6efa0b9a24dc71158fbc25d829c3d9ad8aa8f5c04e7fff94152dacc04cc1d7604da147ee201d900efcbcc62fe95f15b81
Malware Config
Extracted
Path: C:\Users\Public\Desktop\Decrypt-me.txt
Ransom Note:
All Your Files Has Been Encrypted
You Have to Pay to Get Your Files Back
1-Go to C:\ProgramData\ folder and send us prvkey*.txt.key file , * might be a number (like this : prvkey3.txt.key)
2-You can send some file little than 1mb for Decryption test to trust us But the test File should not contain valuable data
3-Payment should be with Bitcoin
4-Changing Windows without saving prvkey.txt.key file will cause permanete Data loss
Our Email:[email protected]
in Case of no Answer:[email protected]
Emails
Signatures

Drops file in Drivers directory (9 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | [email protected]
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui | [email protected]
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui | [email protected]
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui | [email protected]
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui | [email protected]
File opened for modification | C:\Windows\SysWOW64\drivers\gm.dls | [email protected]
File opened for modification | C:\Windows\SysWOW64\drivers\wimmount.sys | [email protected]
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui | [email protected]
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui | [email protected]
Modifies Windows Firewall (1 TTP)
Modifies extensions of user files (1 IoC)
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File opened for modification | C:\Users\Admin\Pictures\UseUpdate.tiff | [email protected]
Drops startup file (1 IoC)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | [email protected]
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | [email protected]
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | [email protected]
File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini | [email protected]
File opened for modification | C:\Users\Public\Downloads\desktop.ini | [email protected]
File opened for modification | C:\Windows\Media\Afternoon\Desktop.ini | [email protected]
File opened for modification | C:\Windows\Media\Calligraphy\Desktop.ini | [email protected]
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | [email protected]
File opened for modification | C:\Users\Public\desktop.ini | [email protected]
File created | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | [email protected]
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini | [email protected]
File opened for modification | C:\Users\Admin\Videos\desktop.ini | [email protected]
File opened for modification | C:\Windows\Downloaded Program Files\desktop.ini | [email protected]
File created | C:\Program Files\desktop.ini | [email protected]
File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | [email protected]
File opened for modification | C:\Users\Public\Music\desktop.ini | [email protected]
File opened for modification | C:\Windows\Media\Garden\Desktop.ini | [email protected]
File opened for modification | C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini | [email protected]
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | [email protected]
File opened for modification | C:\Users\Admin\Music\desktop.ini | [email protected]
File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini | [email protected]
File opened for modification | C:\Users\Public\Desktop\desktop.ini | [email protected]
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | [email protected]
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | [email protected]
File opened for modification | C:\Windows\Media\Landscape\Desktop.ini | [email protected]
File opened for modification | C:\Windows\Media\Raga\Desktop.ini | [email protected]
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | [email protected]
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | [email protected]
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | [email protected]
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | [email protected]
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | [email protected]
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | [email protected]
File opened for modification | C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini | [email protected]
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | [email protected]
File opened for modification | C:\Users\Public\Videos\desktop.ini | [email protected]
File opened for modification | C:\Windows\Offline Web Pages\desktop.ini | [email protected]
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | [email protected]
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | [email protected]
File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | [email protected]
File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | [email protected]
File opened for modification | C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\desktop.ini | [email protected]
File opened for modification | C:\Windows\Media\Savanna\Desktop.ini | [email protected]
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | [email protected]
File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini | [email protected]
File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | [email protected]
File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | [email protected]
File opened for modification | C:\Windows\Media\Festival\Desktop.ini | [email protected]
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\93PHUZFG\desktop.ini | [email protected]
File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | [email protected]
File opened for modification | C:\Windows\assembly\Desktop.ini | [email protected]
File opened for modification | C:\Windows\Media\Delta\Desktop.ini | [email protected]
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini | [email protected]
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | [email protected]
File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | [email protected]
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | [email protected]
File opened for modification | C:\Users\Public\Libraries\desktop.ini | [email protected]
File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | [email protected]
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | [email protected]
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | [email protected]
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AJ1NIV9I\desktop.ini | [email protected]
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | [email protected]
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | [email protected]
File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | [email protected]
File opened for modification | C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini | [email protected]
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | [email protected]
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Vault.dll | [email protected]
File opened for modification | C:\Windows\SysWOW64\winbrand.dll | [email protected]
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-ProfessionalEdition-wrapper~31bf3856ad364e35~amd64~~6.1.7601.17514.cat | [email protected]
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Windows-WinIP-Package~31bf3856ad364e35~amd64~pt-BR~7.1.7601.16492.cat | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnep00b.inf_amd64_neutral_2e6b718b2b177506\Amd64\EP0NGEUM.GPD | [email protected]
File opened for modification | C:\Windows\SysWOW64\C_20105.NLS | [email protected]
File opened for modification | C:\Windows\SysWOW64\dxva2.dll | [email protected]
File opened for modification | C:\Windows\SysWOW64\scrptadm.dll | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prngt004.inf_amd64_neutral_f5bf8a7ba9dfff55\Amd64\GE1311E3.PPD | [email protected]
File opened for modification | C:\Windows\SysWOW64\networkexplorer.dll | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\acpipmi.inf_amd64_neutral_256ad642985694b3\acpipmi.PNF | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnky003.inf_amd64_neutral_fe7ea176f20ab839\Amd64\KYFS2000.GPD | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnin003.inf_amd64_neutral_3a3c6293d0cda862\prnin003.cat | [email protected]
File opened for modification | C:\Windows\SysWOW64\qdvd.dll | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mdmnttme.inf_amd64_neutral_ece4b1cc5aee6a38\mdmnttme.inf | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPP8400T.XML | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVPA7.GPD | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnnr004.inf_amd64_neutral_3319ff2548f89fd8\Amd64\NR4171E3.PPD | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnod002.inf_amd64_neutral_a10c656b6c7c053c\Amd64\OKML491.GPD | [email protected]
File opened for modification | C:\Windows\SysWOW64\gpprnext.dll | [email protected]
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat | [email protected]
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Windows-WinIP-Package~31bf3856ad364e35~amd64~es-ES~7.1.7601.16492.cat | [email protected]
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Windows-WinIP-Package~31bf3856ad364e35~amd64~sv-SE~7.1.7601.16492.cat | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpd7500t.dll | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_neutral_9b214cd9b78760aa\mxdwdui.dll | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnrc006.inf_amd64_neutral_7e12a60cc98d3f89\Amd64\RIA255B6.GPD | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnrc007.inf_amd64_neutral_2df575afa0f7d35f\Amd64\RAF31353.PPD | [email protected]
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package~31bf3856ad364e35~amd64~en-GB~7.1.7601.16492.cat | [email protected]
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Printing-PremiumTools-Package~31bf3856ad364e35~amd64~en-US~6.1.7600.16385.cat | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnca00g.inf_amd64_neutral_6f76b14b2912fa55\Amd64\CNB7UJAA.ICM | [email protected]
File opened for modification | C:\Windows\SysWOW64\irprops.cpl | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mdmbr004.inf_amd64_neutral_ccf1bc353e588fe1\BrSerIb.sys | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnkm005.inf_amd64_neutral_c03c9e328608873e\prnkm005.cat | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\sml455.ppd | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPC1RWSL.PPD | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPC5200F.GPD | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnin002.inf_amd64_neutral_977d40799168c216\Amd64\IFC6000.GPD | [email protected]
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~en-US~11.2.9600.16428.cat | [email protected]
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-WinIP-Package~31bf3856ad364e35~amd64~nl-NL~7.1.7601.16492.cat | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prngt002.inf_amd64_neutral_df2060d80de9ff13\Amd64\GS5000B.GPD | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO2700T.GPD | [email protected]
File opened for modification | C:\Windows\SysWOW64\wshext.dll | [email protected]
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Branding-Ultimate-Client-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat | [email protected]
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package-MiniLP~31bf3856ad364e35~amd64~ro-RO~7.1.7601.16492.cat | [email protected]
File opened for modification | C:\Windows\SysWOW64\pcl.sep | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\en-US\wialx006.inf_loc | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnnr002.inf_amd64_neutral_37896c5e81c8d488\Amd64\NRC410D.GPD | [email protected]
File opened for modification | C:\Windows\SysWOW64\api-ms-win-crt-conio-l1-1-0.dll | [email protected]
File opened for modification | C:\Windows\SysWOW64\C_28595.NLS | [email protected]
File opened for modification | C:\Windows\SysWOW64\dmdskres.dll | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\lsi_sas2.inf_amd64_neutral_e12a5c4cfbe49204\lsi_sas2.inf | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnbr003.inf_amd64_neutral_dff45d1d0df04caf\Amd64\BRQL105.GPD | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnca00e.inf_amd64_neutral_651eeed98428be5e\prnca00e.cat | [email protected]
File opened for modification | C:\Windows\SysWOW64\rendezvousSession.tlb | [email protected]
File opened for modification | C:\Windows\SysWOW64\WMVCORE.DLL | [email protected]
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-ClipsInTheLibrary-Package~31bf3856ad364e35~amd64~en-US~6.1.7600.16385.cat | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPDJ5550.CFG | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnky009.inf_amd64_neutral_8e54c9ff272b72f1\Amd64\KYUD2020.GDL | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\en-US\memory.inf_loc | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPC3055F.GPD | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnle003.inf_amd64_neutral_c61883abf66ddb39\Amd64\LR30106.GPD | [email protected]
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnnr002.inf_amd64_neutral_37896c5e81c8d488\prnnr002.PNF | [email protected]
File opened for modification | C:\Windows\SysWOW64\sppc.dll | [email protected]
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Branding-Starter-Client-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat | [email protected]
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00809_.WMF.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01297_.GIF | [email protected]
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0205462.WMF | [email protected]
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04369_.WMF.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\blackbars80.png | [email protected]
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-applemenu.jar.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_ja.jar.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\MANUAL.ICO | [email protected]
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Csi.dll.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\TAB_OFF.GIF | [email protected]
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00397_.WMF.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File opened for modification | C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui | [email protected]
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\bandwidth.png | [email protected]
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\vlc.mo.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_zh_4.4.0.v20140623020002.jar.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01173_.WMF | [email protected]
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196142.WMF.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Fortaleza | [email protected]
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02097_.WMF | [email protected]
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Santa_Isabel.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\THMBNAIL.PNG.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\MP00021_.WMF.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.xml.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\TAB_OFF.GIF | [email protected]
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext.png | [email protected]
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199423.WMF.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02278_.WMF.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR37F.GIF | [email protected]
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GIFT.DPV | [email protected]
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlcecompact35.dll | [email protected]
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0301432.WMF.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153299.WMF.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\AST4ADT | [email protected]
File created | C:\Program Files\VideoLAN\VLC\plugins\access\liblive555_plugin.dll.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File created | C:\Program Files\Mozilla Firefox\libEGL.dll.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHD98.POC | [email protected]
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-visual_zh_CN.jar.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEEXCH.DLL.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File opened for modification | C:\Program Files\Java\jre7\lib\security\cacerts.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\+Connect to New Data Source.odc | [email protected]
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_zh_CN.jar | [email protected]
File opened for modification | C:\Program Files\Java\jre7\lib\cmm\PYCC.pf | [email protected]
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.expressions_3.4.600.v20140128-0851.jar.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-applemenu.jar.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BROCHURE.XML | [email protected]
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GREET11.POC | [email protected]
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\BLUEPRNT.INF | [email protected]
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\Client.xml | [email protected]
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384885.JPG.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\JAWTAccessBridge-64.dll.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File opened for modification | C:\Program Files\VideoLAN\VLC\axvlc.dll | [email protected]
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_ja_4.4.0.v20140623020002.jar.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File opened for modification | C:\Program Files\Windows Defender\en-US\MsMpRes.dll.mui | [email protected]
File created | C:\Program Files (x86)\Microsoft Office\Office14\MSOCF.DLL.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File created | C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_mmx_plugin.dll.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\PAPYRUS.ELM.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Maldives.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_ja_4.4.0.v20140623020002.jar.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File created | C:\Program Files\Java\jre7\lib\zi\Australia\Currie.[[email protected]][MJ-AE7580931642].hydra | [email protected]
File created | C:\Program Files (x86)\Microsoft Office\Office14\mscss7en.dll.[[email protected]][MJ-AE7580931642].hydra | [email protected]
Drops file in Windows directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PresentationHostDLL_x86.dll.mui | [email protected]
File opened for modification | C:\Windows\Logs\DISM\dism.log | [email protected]
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\manageSingleRole.aspx.resx | [email protected]
File opened for modification | C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~el-GR~7.1.7601.16492.cat | [email protected]
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Security.aspx.resx | [email protected]
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\System.DirectoryServices.Protocols.dll | [email protected]
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp.aspx.resx | [email protected]
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-IIS-WebServer-AddOn-2-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.mum | [email protected]
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-Common-Modem-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat | [email protected]
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~en-US~11.2.9600.16428.cat | [email protected]
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data\55389b61c315fb0ad52077f949c7a8dc\System.Data.ni.dll.aux | [email protected]
File opened for modification | C:\Windows\Fonts\coureg.fon | [email protected]
File opened for modification | C:\Windows\Fonts\SNAP____.TTF | [email protected]
File opened for modification | C:\Windows\Media\Cityscape\Windows Logoff Sound.wav | [email protected]
File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Policy.1.0.Microsoft.Powershell.Commands.Management\v4.0_1.0.0.0__31bf3856ad364e35\policy.1.0.Microsoft.Powershell.Commands.Management.dll | [email protected]
File opened for modification | C:\Windows\Help\Windows\en-US\locate.h1s | [email protected]
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet.mof.uninstall | [email protected]
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb00005.log | [email protected]
File opened for modification | C:\Windows\Cursors\aero_helpsel_l.cur | [email protected]
File opened for modification | C:\Windows\diagnostics\index\WindowsMediaPlayerMediaLibrary.xml | [email protected]
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state_perf.h | [email protected]
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\caspol.exe.config | [email protected]
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Reflection.context.dll | [email protected]
File opened for modification | C:\Windows\Fonts\ssef874.fon | [email protected]
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Data.Entity.dll | [email protected]
File opened for modification | C:\Windows\Cursors\size3_im.cur | [email protected]
File opened for modification | C:\Windows\inf\prnep003.PNF | [email protected]
File opened for modification | C:\Windows\inf\MSDTC\msdtcprf.h | [email protected]
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Net.Http.WebRequest.dll | [email protected]
File opened for modification | C:\Windows\Cursors\aero_pen_xl.cur | [email protected]
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif | [email protected]
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-Shell-SoundThemes-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum | [email protected]
File opened for modification | C:\Windows\servicing\Packages\Package_for_KB2999226_SP1~31bf3856ad364e35~amd64~~6.1.1.7.cat | [email protected]
File opened for modification | C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Shell-WinIP-Package~31bf3856ad364e35~amd64~pt-PT~7.1.7601.16492.mum | [email protected]
File opened for modification | C:\Windows\Speech\Engines\SR\en-GB\AF032057.am | [email protected]
File opened for modification | C:\Windows\Fonts\gautamib.ttf | [email protected]
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | [email protected]
File opened for modification | C:\Windows\PLA\Reports\Report.System.Configuration.xml | [email protected]
File opened for modification | C:\Windows\Resources\Themes\architecture.theme | [email protected]
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package-MiniLP~31bf3856ad364e35~amd64~en-GB~7.1.7601.16492.mum | [email protected]
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Servf73e6522#\60b93ce08d30a2fba087f8630a504cb8\System.ServiceModel.Web.ni.dll.aux | [email protected]
File opened for modification | C:\Windows\inf\unknown.PNF | [email protected]
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatiob3047ded#\db7f29ce66da5498e9ae3b5eb88e40a6\PresentationFramework.Royale.ni.dll.aux | [email protected]
File opened for modification | C:\Windows\inf\mdmlasat.inf | [email protected]
File opened for modification | C:\Windows\inf\prnep002.inf | [email protected]
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1028\LocalizedData.xml | [email protected]
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-ICM-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat | [email protected]
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\5ac17cc5b92efda83e2925857f4fa655\System.Numerics.ni.dll.aux | [email protected]
File opened for modification | C:\Windows\inf\SMSvcHost 3.0.0.0\_SMSvcHostPerfCounters.h | [email protected]
File opened for modification | C:\Windows\Media\Cityscape\Windows Battery Low.wav | [email protected]
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb | [email protected]
File opened for modification | C:\Windows\servicing\Packages\Package_for_KB976932~31bf3856ad364e35~amd64~~6.1.0.17514.cat | [email protected]
File opened for modification | C:\Windows\inf\.NET Data Provider for SqlServer\0000\_dataperfcounters_shared12_neutral_D.ini | [email protected]
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_GlobalResources\GlobalResources.resx | [email protected]
File opened for modification | C:\Windows\assembly\GAC_MSIL\mcstore\6.1.0.0__31bf3856ad364e35\mcstore.dll | [email protected]
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\2bd538d545e15452202ef3b41080e2ce\ComSvcConfig.ni.exe.aux | [email protected]
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9064068c#\afee8437a90f473862f2d364b3669041\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux | [email protected]
File opened for modification | C:\Windows\Fonts\verdana.ttf | [email protected]
File opened for modification | C:\Windows\Fonts\vgaoem.fon | [email protected]
File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.InfoPath\14.0.0.0__71e9bce111e9429c\policy.12.0.Microsoft.Office.Interop.InfoPath.dll | [email protected]
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Security\821d4406efa3556465e6244fae26b536\System.Security.ni.dll | [email protected]
File opened for modification
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll [email protected] File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtilLib.dll [email protected] File opened for modification C:\Windows\servicing\GC64\tzupd.exe [email protected] -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid | Process
1676 | [email protected]
1676 | [email protected]
1676 | [email protected]
1676 | [email protected]
1676 | [email protected]
1676 | [email protected]
1676 | [email protected]
1676 | [email protected]
1676 | [email protected]
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1676 wrote to memory of 1984 | 1676 | [email protected] | 27
PID 1676 wrote to memory of 1984 | 1676 | [email protected] | 27
PID 1676 wrote to memory of 1984 | 1676 | [email protected] | 27
PID 1676 wrote to memory of 1984 | 1676 | [email protected] | 27
PID 1984 wrote to memory of 1964 | 1984 | cmd.exe | 29
PID 1984 wrote to memory of 1964 | 1984 | cmd.exe | 29
PID 1984 wrote to memory of 1964 | 1984 | cmd.exe | 29
PID 1984 wrote to memory of 1964 | 1984 | cmd.exe | 29
PID 1964 wrote to memory of 1956 | 1964 | net.exe | 30
PID 1964 wrote to memory of 1956 | 1964 | net.exe | 30
PID 1964 wrote to memory of 1956 | 1964 | net.exe | 30
PID 1964 wrote to memory of 1956 | 1964 | net.exe | 30
PID 1676 wrote to memory of 1936 | 1676 | [email protected] | 31
PID 1676 wrote to memory of 1936 | 1676 | [email protected] | 31
PID 1676 wrote to memory of 1936 | 1676 | [email protected] | 31
PID 1676 wrote to memory of 1936 | 1676 | [email protected] | 31
PID 1676 wrote to memory of 1700 | 1676 | [email protected] | 33
PID 1676 wrote to memory of 1700 | 1676 | [email protected] | 33
PID 1676 wrote to memory of 1700 | 1676 | [email protected] | 33
PID 1676 wrote to memory of 1700 | 1676 | [email protected] | 33
PID 1676 wrote to memory of 1756 | 1676 | [email protected] | 35
PID 1676 wrote to memory of 1756 | 1676 | [email protected] | 35
PID 1676 wrote to memory of 1756 | 1676 | [email protected] | 35
PID 1676 wrote to memory of 1756 | 1676 | [email protected] | 35
PID 1676 wrote to memory of 2024 | 1676 | [email protected] | 37
PID 1676 wrote to memory of 2024 | 1676 | [email protected] | 37
PID 1676 wrote to memory of 2024 | 1676 | [email protected] | 37
PID 1676 wrote to memory of 2024 | 1676 | [email protected] | 37
PID 2024 wrote to memory of 2036 | 2024 | cmd.exe | 39
PID 2024 wrote to memory of 2036 | 2024 | cmd.exe | 39
PID 2024 wrote to memory of 2036 | 2024 | cmd.exe | 39
PID 2024 wrote to memory of 2036 | 2024 | cmd.exe | 39
PID 2036 wrote to memory of 2012 | 2036 | net.exe | 40
PID 2036 wrote to memory of 2012 | 2036 | net.exe | 40
PID 2036 wrote to memory of 2012 | 2036 | net.exe | 40
PID 2036 wrote to memory of 2012 | 2036 | net.exe | 40
PID 1676 wrote to memory of 1280 | 1676 | [email protected] | 41
PID 1676 wrote to memory of 1280 | 1676 | [email protected] | 41
PID 1676 wrote to memory of 1280 | 1676 | [email protected] | 41
PID 1676 wrote to memory of 1280 | 1676 | [email protected] | 41
PID 1280 wrote to memory of 1312 | 1280 | cmd.exe | 43
PID 1280 wrote to memory of 1312 | 1280 | cmd.exe | 43
PID 1280 wrote to memory of 1312 | 1280 | cmd.exe | 43
PID 1280 wrote to memory of 1312 | 1280 | cmd.exe | 43
PID 1312 wrote to memory of 1308 | 1312 | net.exe | 44
PID 1312 wrote to memory of 1308 | 1312 | net.exe | 44
PID 1312 wrote to memory of 1308 | 1312 | net.exe | 44
PID 1312 wrote to memory of 1308 | 1312 | net.exe | 44
PID 1676 wrote to memory of 1200 | 1676 | [email protected] | 45
PID 1676 wrote to memory of 1200 | 1676 | [email protected] | 45
PID 1676 wrote to memory of 1200 | 1676 | [email protected] | 45
PID 1676 wrote to memory of 1200 | 1676 | [email protected] | 45
PID 1200 wrote to memory of 1516 | 1200 | cmd.exe | 47
PID 1200 wrote to memory of 1516 | 1200 | cmd.exe | 47
PID 1200 wrote to memory of 1516 | 1200 | cmd.exe | 47
PID 1200 wrote to memory of 1516 | 1200 | cmd.exe | 47
PID 1516 wrote to memory of 316 | 1516 | net.exe | 48
PID 1516 wrote to memory of 316 | 1516 | net.exe | 48
PID 1516 wrote to memory of 316 | 1516 | net.exe | 48
PID 1516 wrote to memory of 316 | 1516 | net.exe | 48
PID 1676 wrote to memory of 268 | 1676 | [email protected] | 49
PID 1676 wrote to memory of 268 | 1676 | [email protected] | 49
PID 1676 wrote to memory of 268 | 1676 | [email protected] | 49
PID 1676 wrote to memory of 268 | 1676 | [email protected] | 49
Processes
- C:\Users\Admin\AppData\Local\Temp\[email protected] (PID 1676)
  Command line: "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  Signatures: Drops file in Drivers directory; Modifies extensions of user files; Drops startup file; Drops desktop.ini file(s); Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1984)
    Command line: C:\Windows\system32\cmd.exe /c net stop MSDTC
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 1964)
      Command line: net stop MSDTC
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 1956)
        Command line: C:\Windows\system32\net1 stop MSDTC
  - C:\Windows\SysWOW64\cmd.exe (PID 1936)
    Command line: C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  - C:\Windows\SysWOW64\cmd.exe (PID 1700)
    Command line: C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  - C:\Windows\SysWOW64\cmd.exe (PID 1756)
    Command line: C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  - C:\Windows\SysWOW64\cmd.exe (PID 2024)
    Command line: C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 2036)
      Command line: net stop SQLSERVERAGENT
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 2012)
        Command line: C:\Windows\system32\net1 stop SQLSERVERAGENT
  - C:\Windows\SysWOW64\cmd.exe (PID 1280)
    Command line: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 1312)
      Command line: net stop MSSQLSERVER
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 1308)
        Command line: C:\Windows\system32\net1 stop MSSQLSERVER
  - C:\Windows\SysWOW64\cmd.exe (PID 1200)
    Command line: C:\Windows\system32\cmd.exe /c net stop vds
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 1516)
      Command line: net stop vds
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 316)
        Command line: C:\Windows\system32\net1 stop vds
  - C:\Windows\SysWOW64\cmd.exe (PID 268)
    Command line: C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
    - C:\Windows\SysWOW64\netsh.exe (PID 576)
      Command line: netsh advfirewall set currentprofile state off
  - C:\Windows\SysWOW64\cmd.exe (PID 1384)
    Command line: C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
    - C:\Windows\SysWOW64\netsh.exe (PID 624)
      Command line: netsh firewall set opmode mode=disable
  - C:\Windows\SysWOW64\cmd.exe (PID 1492)
    Command line: C:\Windows\system32\cmd.exe /c net stop SQLWriter
    - C:\Windows\SysWOW64\net.exe (PID 816)
      Command line: net stop SQLWriter
      - C:\Windows\SysWOW64\net1.exe (PID 932)
        Command line: C:\Windows\system32\net1 stop SQLWriter
  - C:\Windows\SysWOW64\cmd.exe (PID 1784)
    Command line: C:\Windows\system32\cmd.exe /c net stop SQLBrowser
    - C:\Windows\SysWOW64\net.exe (PID 748)
      Command line: net stop SQLBrowser
      - C:\Windows\SysWOW64\net1.exe (PID 616)
        Command line: C:\Windows\system32\net1 stop SQLBrowser
  - C:\Windows\SysWOW64\cmd.exe (PID 240)
    Command line: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
    - C:\Windows\SysWOW64\net.exe (PID 1708)
      Command line: net stop MSSQLSERVER
      - C:\Windows\SysWOW64\net1.exe (PID 1720)
        Command line: C:\Windows\system32\net1 stop MSSQLSERVER
  - C:\Windows\SysWOW64\cmd.exe (PID 1724)
    Command line: C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
    - C:\Windows\SysWOW64\net.exe (PID 2044)
      Command line: net stop MSSQL$CONTOSO1
      - C:\Windows\SysWOW64\net1.exe (PID 2024)
        Command line: C:\Windows\system32\net1 stop MSSQL$CONTOSO1
- C:\Windows\explorer.exe (PID 816)
  Command line: "C:\Windows\explorer.exe"
- C:\Windows\system32\AUDIODG.EXE (PID 240)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x570
- C:\Windows\system32\NOTEPAD.EXE (PID 828)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\Decrypt-me.txt