ouroboros | 26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa

Analysis

max time kernel
59s
max time network
152s
platform
windows7_x64
resource
win7v20210410
submitted
11-05-2021 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
Size

997KB
MD5

ba454585b9f42c7254c931c192556e08
SHA1

0b530303634283a43d53abd9190106869f57ba5a
SHA256

26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa
SHA512

2cb918eab6776c7cfea031cbb48cc4e33e068489a37f39ba1e246f32fef7a35c3511293b399c81b5b8056bca50d725554866584460f04efe0d65c1d1c625bc4b

Score

10^/10

ouroboros xmrig evasion miner ransomware spyware stealer

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AJ1NIV9I\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Public\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\93PHUZFG\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VLFEZDK1\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2MTLR0RV\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\XVLP3GFJ\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

description	flow	ioc
HTTP URL	5	http://www.sfml-dev.org/ip-provider.php
HTTP URL	11	http://www.sfml-dev.org/ip-provider.php

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\regedit.exe	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0185604.WMF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Hermosillo.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_equalizer.html.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\control\libhotkeys_plugin.dll.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.msi.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_description_plugin.dll.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaSansDemiBold.ttf	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Santiago.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\Xlate_Init.xsn	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_h.png	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Darwin.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\msproof7.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\userContent_16x9_imagemask.png	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\vlc.mo	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\vlc.mo.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\OPTINPS.DLL	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sampler.xml.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pyongyang.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00161_.GIF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libcache_block_plugin.dll.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nassau	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Port-au-Prince.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\XDPFile_8.ico	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\vlc.mo.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_ja_4.4.0.v20140623020002.jar	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MAPISHELL.DLL	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\PREVIEW.GIF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\RECYCLE.WMF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\EST5EDT.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\README.TXT.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\npjp2.dll.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00388_.WMF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WWINTL.DLL.IDX_DLL	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libafile_plugin.dll.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099188.JPG	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115866.GIF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\PST8.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GREETING.XML	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\7-Zip\Lang\mng2.txt.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\access-bridge-64.jar.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tallinn.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0172067.WMF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00466_.WMF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_mmx_plugin.dll.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHKEY.DAT	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Maputo.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-snaptracer.jar	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00452_.WMF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB2A.BDR	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libwall_plugin.dll.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\psmachine_64.dll.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PPSLAX.DLL.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\MST7MDT.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_cs.jar.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Danmarkshavn.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_ja_4.4.0.v20140623020002.jar.[[email protected]][ID-0GKEFCYLMU1S7W9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Publisher\14.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Publisher.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\PresentationFramework.Classic\3.0.0.0__31bf3856ad364e35\PresentationFramework.Classic.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\explorer.exe	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\8df695fb80187f65208d87229e81e8a2\Microsoft.PowerShell.Commands.Management.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_64\mcupdate\6.1.0.0__31bf3856ad364e35\mcupdate.exe	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_64\Policy.1.2.Microsoft.Interop.Security.AzRoles\6.1.7600.16385__31bf3856ad364e35\Policy.1.2.Microsoft.Interop.Security.AzRoles.config	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.OutlookViewCtl\14.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.OutlookViewCtl.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources\6.1.0.0_en_31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Word\14.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.Word.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ehiWUapi\6.1.0.0__31bf3856ad364e35\ehiWUapi.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.Resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.resources.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Vbe.Interop\14.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\SrpUxSnapIn\593c2939737f10fc236c7b4de35271bc\SrpUxSnapIn.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\165d0873203da280298bfcfa50567a0b\System.Web.Routing.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\normnfd.nlp	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\3008a05e2928e2c1d856cc34e0422c17\Microsoft.PowerShell.Commands.Utility.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0\9.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\WindowsBase\40864f42b00635e6fa6ce8da88d9ab83\WindowsBase.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationCore.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessApplications.RuntimeUi\14.0.0.0__71e9bce111e9429c\Microsoft.Office.BusinessApplications.RuntimeUi.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\MMCEx\3.0.0.0__31bf3856ad364e35\MMCEx.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.Graph\14.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Graph.config	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.InfoPath.Xml\14.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.InfoPath.Xml.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\SecurityAuditPolici#\0d274000ebb641e36382e2f19bb64f4e\SecurityAuditPoliciesSnapIn.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiBmlDataCarousel\99c61751c71078d92ff372495bc38fc3\ehiBmlDataCarousel.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ehiUPnP\6.1.0.0__31bf3856ad364e35\ehiUPnP.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessApplications.Tools.Intl\14.0.0.0__71e9bce111e9429c\Microsoft.Office.BusinessApplications.Tools.Intl.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources\6.1.0.0_en_31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll-Help.xml	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\0e5bae8f265fbbbf53e8ca79d159cd6d\PresentationFramework.Luna.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Design\d42a48a3e73b472a80d0d44038af89b0\System.Design.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\3.5.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\pubpol42.dat	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.ApplicationId.Framework.Resources\6.1.0.0_en_31bf3856ad364e35\Microsoft.ApplicationId.Framework.Resources.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Management.Instrumentation\3.5.0.0__b77a5c561934e089\System.Management.Instrumentation.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Entity\3.5.0.0__b77a5c561934e089\System.Web.Entity.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\3d4632e11d04d8db85c98485b1622bae\Microsoft.Ink.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\napinit.resources\6.1.0.0_en_31bf3856ad364e35\napinit.Resources.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.IdentityModel\3.0.0.0__b77a5c561934e089\System.IdentityModel.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\4c0fa9d495ac562afcb136f3e9a87cb9\Microsoft.Build.Framework.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\xjis.nlp	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Ink.Resources\6.1.0.0_en_31bf3856ad364e35\Microsoft.Ink.Resources.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\a63e76cc86c8958f0f3e9741c0d89f14\System.Web.Entity.Design.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\normnfkd.nlp	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.Bu#\dc575bdefe4a3442f165f8418535d9af\Microsoft.Office.BusinessApplications.Runtime.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Windows.D#\5efdf2ce3570caddc09eeae943f71cee\Microsoft.Windows.Diagnosis.TroubleshootingPack.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data.Service#\5d81c3e6fa9f3f78cd8d06d8cf2caff0\System.Data.Services.Client.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\TaskScheduler\99797e9500ed7bfa6b06063e7f017313\TaskScheduler.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0\10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.GroupPolicy.Reporting.Resources\2.0.0.0_en_31bf3856ad364e35\Microsoft.GroupPolicy.Reporting.Resources.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\MIGUIControls\569e273efda8306ec7e22143d5285476\MIGUIControls.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Applicati#\74c8f5e75ec10458436bb476c2cfd9fc\Microsoft.ApplicationId.RuleWizard.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.ComponentMod#\560cb6a2e8f4877877b11de7c1f07d42\System.ComponentModel.DataAnnotations.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\__AssemblyInfo__.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

NTFS ADS 20 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Application Data\Color\ꞔ痼"쀀\ꞔ痼:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Desktop\Updater6\ꞔ痼"쀀\ꞔ痼:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Documents\Updater6\ꞔ痼"쀀\ꞔ痼:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Templates\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ痼"쀀\ꞔ痼:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\System Volume Information\4537d782-9a0d-11eb-a52e-c2ebb310cb62\ꞔ痼"쀀\ꞔ痼:쀀\ꞔ痼:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Application Data\Color\ꞔ痼"쀀\ꞔ痼:쀀\ꞔ痼:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2513283230-931923277-594887482-1000\ꞔ痼"쀀䲐+䮠+ꨚ痼\ꞔ痼:쀀))ꨚ痼	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Desktop\Updater6\"쀀񾀱񾀱ꨚ痼\:쀀嫠7嫠7ꨚ痼\:쀀嬀7嬀7ꨚ痼\3쀀嬠7嬠7ꨚ痼\3쀀孀7孀7ꨚ痼\3쀀孠7孠7ꨚ痼\3쀀宀7宀7ꨚ痼\3쀀宠7宠7ꨚ痼\3쀀寀7寀7ꨚ痼\3쀀寠7寠7ꨚ痼\3쀀尀7尀7ꨚ痼\3쀀尠7尠7ꨚ痼\3쀀局7局7ꨚ痼\3쀀屠7屠7ꨚ痼\3쀀岀7岀7ꨚ痼\3쀀岠7岠7ꨚ痼\Ɓ	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temporary Internet Files\WPDNSE\ꞔ痼"쀀\ꞔ痼:쀀\ꞔ痼:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temporary Internet Files\WPDNSE\ꞔ痼"쀀\ꞔ痼:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2513283230-931923277-594887482-1000\ꞔ痼"쀀\ꞔ痼:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Application Data\Updater6\"쀀񸀱񸀱ꨚ痼\:쀀嫠7嫠7ꨚ痼\:쀀嬀7嬀7ꨚ痼\3쀀嬠7嬠7ꨚ痼\3쀀孀7孀7ꨚ痼\3쀀孠7孠7ꨚ痼\3쀀宀7宀7ꨚ痼\3쀀宠7宠7ꨚ痼\3쀀寀7寀7ꨚ痼\3쀀寠7寠7ꨚ痼\3쀀尀7尀7ꨚ痼\3쀀尠7尠7ꨚ痼\ƀ	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Favorites\Updater6\ꞔ痼"쀀\ꞔ痼:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Start Menu\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ痼"쀀\ꞔ痼:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2513283230-931923277-594887482-1000\"쀀詈+詈+ꨚ痼\:쀀))ꨚ痼\:쀀))ꨚ痼\3쀀))ꨚ痼\3쀀))ꨚ痼\3쀀))ꨚ痼\3쀀))ꨚ痼\3쀀))ꨚ痼\3쀀))ꨚ痼\3쀀))ꨚ痼\3쀀))ꨚ痼\3쀀))ꨚ痼\3쀀)	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2513283230-931923277-594887482-1000\ꞔ痼"쀀\ꞔ痼:쀀\ꞔ痼:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Application Data\Updater6\ꞔ痼"쀀\ꞔ痼:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\History\Chrome\ꞔ痼"쀀\ꞔ痼:쀀\ꞔ痼:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\System Volume Information\4537d782-9a0d-11eb-a52e-c2ebb310cb62\ꞔ痼"쀀\ꞔ痼:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\History\Chrome\ꞔ痼"쀀\ꞔ痼:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1536	msiexec.exe
Token: SeTakeOwnershipPrivilege	1536	msiexec.exe
Token: SeSecurityPrivilege	1536	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 1364	1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	27
PID 1888 wrote to memory of 1364	1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	27
PID 1888 wrote to memory of 1364	1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	27
PID 1888 wrote to memory of 1364	1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	27
PID 1364 wrote to memory of 1520	1364	cmd.exe	29
PID 1364 wrote to memory of 1520	1364	cmd.exe	29
PID 1364 wrote to memory of 1520	1364	cmd.exe	29
PID 1364 wrote to memory of 1520	1364	cmd.exe	29
PID 1520 wrote to memory of 1976	1520	net.exe	30
PID 1520 wrote to memory of 1976	1520	net.exe	30
PID 1520 wrote to memory of 1976	1520	net.exe	30
PID 1520 wrote to memory of 1976	1520	net.exe	30
PID 1888 wrote to memory of 1960	1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	31
PID 1888 wrote to memory of 1960	1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	31
PID 1888 wrote to memory of 1960	1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	31
PID 1888 wrote to memory of 1960	1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	31
PID 1960 wrote to memory of 1836	1960	cmd.exe	33
PID 1960 wrote to memory of 1836	1960	cmd.exe	33
PID 1960 wrote to memory of 1836	1960	cmd.exe	33
PID 1960 wrote to memory of 1836	1960	cmd.exe	33
PID 1836 wrote to memory of 1784	1836	net.exe	34
PID 1836 wrote to memory of 1784	1836	net.exe	34
PID 1836 wrote to memory of 1784	1836	net.exe	34
PID 1836 wrote to memory of 1784	1836	net.exe	34
PID 1888 wrote to memory of 1780	1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	35
PID 1888 wrote to memory of 1780	1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	35
PID 1888 wrote to memory of 1780	1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	35
PID 1888 wrote to memory of 1780	1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	35
PID 1780 wrote to memory of 1772	1780	cmd.exe	37
PID 1780 wrote to memory of 1772	1780	cmd.exe	37
PID 1780 wrote to memory of 1772	1780	cmd.exe	37
PID 1780 wrote to memory of 1772	1780	cmd.exe	37
PID 1772 wrote to memory of 1544	1772	net.exe	38
PID 1772 wrote to memory of 1544	1772	net.exe	38
PID 1772 wrote to memory of 1544	1772	net.exe	38
PID 1772 wrote to memory of 1544	1772	net.exe	38
PID 1888 wrote to memory of 1676	1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	39
PID 1888 wrote to memory of 1676	1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	39
PID 1888 wrote to memory of 1676	1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	39
PID 1888 wrote to memory of 1676	1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	39
PID 1676 wrote to memory of 1624	1676	cmd.exe	41
PID 1676 wrote to memory of 1624	1676	cmd.exe	41
PID 1676 wrote to memory of 1624	1676	cmd.exe	41
PID 1676 wrote to memory of 1624	1676	cmd.exe	41
PID 1624 wrote to memory of 296	1624	net.exe	42
PID 1624 wrote to memory of 296	1624	net.exe	42
PID 1624 wrote to memory of 296	1624	net.exe	42
PID 1624 wrote to memory of 296	1624	net.exe	42
PID 1888 wrote to memory of 796	1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	43
PID 1888 wrote to memory of 796	1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	43
PID 1888 wrote to memory of 796	1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	43
PID 1888 wrote to memory of 796	1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	43
PID 796 wrote to memory of 1696	796	cmd.exe	45
PID 796 wrote to memory of 1696	796	cmd.exe	45
PID 796 wrote to memory of 1696	796	cmd.exe	45
PID 796 wrote to memory of 1696	796	cmd.exe	45
PID 1696 wrote to memory of 1672	1696	net.exe	46
PID 1696 wrote to memory of 1672	1696	net.exe	46
PID 1696 wrote to memory of 1672	1696	net.exe	46
PID 1696 wrote to memory of 1672	1696	net.exe	46
PID 1888 wrote to memory of 1068	1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	47
PID 1888 wrote to memory of 1068	1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	47
PID 1888 wrote to memory of 1068	1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	47
PID 1888 wrote to memory of 1068	1888	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	47

C:\Users\Admin\AppData\Local\Temp\26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
"C:\Users\Admin\AppData\Local\Temp\26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:1976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:1784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:796
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:1672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  PID:480
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    PID:1184
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:1172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:764
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:1316
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  PID:548
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    PID:1256
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:1072
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  PID:1832
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:1772

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1536
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B6C151D2C927C45C29DCADD07EF471C0
  2⤵
  PID:536
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 3339CF2E2018DC0E63E942031A3CB2BA
  2⤵
  PID:1832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1536-93-0x000007FEFB571000-0x000007FEFB573000-memory.dmp

Filesize
8KB

Download
memory/2028-89-0x0000000075161000-0x0000000075163000-memory.dmp

Filesize
8KB

Download