ouroboros | 26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa

Analysis

max time kernel
135s
max time network
111s
platform
windows7_x64
resource
win7v20210408
submitted
02/09/2021, 08:13 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
Size

997KB
MD5

ba454585b9f42c7254c931c192556e08
SHA1

0b530303634283a43d53abd9190106869f57ba5a
SHA256

26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa
SHA512

2cb918eab6776c7cfea031cbb48cc4e33e068489a37f39ba1e246f32fef7a35c3511293b399c81b5b8056bca50d725554866584460f04efe0d65c1d1c625bc4b

Score

10^/10

ouroboros xmrig evasion miner ransomware spyware stealer

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ExpandCopy.tiff	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\Pictures\StopMeasure.tiff	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNHPAZTY\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\H18KNA1T\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8HHGB03\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\E9RC2MV6\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VNYR844D\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X8SF34HL\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Public\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

description	flow	ioc
HTTP URL	4	http://www.sfml-dev.org/ip-provider.php

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\regedit.exe	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe.[stevenxx134@gmail.com][ID-NQEBVTPI7WZ28F9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00902_.WMF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_ja.jar	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\SessionMember.ico	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-shadow.png	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jpeg.dll.[stevenxx134@gmail.com][ID-NQEBVTPI7WZ28F9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\cursors.properties.[stevenxx134@gmail.com][ID-NQEBVTPI7WZ28F9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240389.profile.gz.[stevenxx134@gmail.com][ID-NQEBVTPI7WZ28F9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help_3.6.0.v20130326-1254.jar	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html.[stevenxx134@gmail.com][ID-NQEBVTPI7WZ28F9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\vlc.mo	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.OPG	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105638.WMF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OCRHC.DAT	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01216_.WMF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099177.WMF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099198.GIF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0282932.WMF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Stockholm	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00218_.WMF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14655_.GIF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14792_.GIF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\Java\jre7\bin\java.dll.[stevenxx134@gmail.com][ID-NQEBVTPI7WZ28F9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR37F.GIF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.nl_zh_4.4.0.v20140623020002.jar	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet.jsp_2.2.0.v201112011158.jar.[stevenxx134@gmail.com][ID-NQEBVTPI7WZ28F9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\3.png	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_TW.jar	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightItalic.ttf.[stevenxx134@gmail.com][ID-NQEBVTPI7WZ28F9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341448.JPG	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CURRENCY.JPG	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.jdp_5.5.0.165303.jar.[stevenxx134@gmail.com][ID-NQEBVTPI7WZ28F9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\PYCC.pf.[stevenxx134@gmail.com][ID-NQEBVTPI7WZ28F9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_48.png	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341475.JPG	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.DataSetExtensions.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\BLENDS.INF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Currie.[stevenxx134@gmail.com][ID-NQEBVTPI7WZ28F9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\NOTEL.ICO	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.nl_zh_4.4.0.v20140623020002.jar.[stevenxx134@gmail.com][ID-NQEBVTPI7WZ28F9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\release	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Hovd	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\flyout.html	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXE8SharedExpat.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309902.WMF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper_1.0.400.v20130327-1442.jar	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-services.jar	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\MAPISHELLR.DLL.[stevenxx134@gmail.com][ID-NQEBVTPI7WZ28F9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\sqloledb.rll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\preloaded_data.pb.[stevenxx134@gmail.com][ID-NQEBVTPI7WZ28F9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00413_.WMF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153273.WMF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153514.WMF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0304405.WMF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.SemiTrust.xml.[stevenxx134@gmail.com][ID-NQEBVTPI7WZ28F9].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessApplications.Tools\14.0.0.0__71e9bce111e9429c\Microsoft.Office.BusinessApplications.Tools.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Excel\14.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Excel.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0\9.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.Excel\14.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Excel.config	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.Outlook\14.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Outlook.config	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\System.Core.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe.config	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.MediaCenter.UI\6.1.0.0__31bf3856ad364e35\Microsoft.MediaCenter.UI.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\MMCEx\6d4bacfd54e8f79763945bee5a50711d\MMCEx.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\32088676b4c08d192aae910cac1dade4\System.Data.Entity.Design.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\EventViewer\654c5baca16d72756296ab1d927ea4a8\EventViewer.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Security.#\9fa0c0ee9093a5f1aaabffb101332056\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0\10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\BDATunePIA\2823d3be9334fea94dce8001b247589b\BDATunePIA.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\d7245402b9853a8e390552ba45b3a6b4\Microsoft.Build.Tasks.v3.5.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.MediaCent#\e7b8df5d803bb9bd27f63f0074775aaf\Microsoft.MediaCenter.UI.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClient\eca4310274a7a6ce651b33cd4278610c\UIAutomationClient.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\notepad.exe	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\napinit\6.1.0.0__31bf3856ad364e35\NAPINIT.DLL	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.IO.Log\3.0.0.0__b03f5f7f11d50a3a\System.IO.Log.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.BusinessD#\42c8856d883c21388965cd6c8a8b54a1\Microsoft.BusinessData.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\MMCFxCommon\18e41c018ceff36c2512d12f570f0be7\MMCFxCommon.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\ab8ac659d9525c6a0cd22c6f3734862f\UIAutomationProvider.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\fveupdate.exe	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\__AssemblyInfo__.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.BusinessData\14.0.0.0__71e9bce111e9429c\Microsoft.BusinessData.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.GroupPolicy.Reporting\2.0.0.0__31bf3856ad364e35\Microsoft.GroupPolicy.Reporting.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Excel\14.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.Excel.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.SmartTag\14.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.SmartTag.config	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\TaskScheduler.Resources\6.1.0.0_en_31bf3856ad364e35\TaskScheduler.resources.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\ee28a075665b6bc23b6dae56903d431d\Microsoft.WSMan.Management.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.Dtc.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\System.Printing.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\Policy.1.2.Microsoft.Interop.Security.AzRoles\6.1.7600.16385__31bf3856ad364e35\Policy.1.2.Microsoft.Interop.Security.AzRoles.config	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.MediaCenter.ITVVM\6.1.0.0__31bf3856ad364e35\Microsoft.MediaCenter.ITVVM.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessData.Intl\14.0.0.0__71e9bce111e9429c\microsoft.office.businessdata.intl.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.InfoPath.Xml\14.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.InfoPath.Xml.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\AppPatch\AcSpecfc.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\Microsoft.Ink.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Windows.D#\de64901e4cd2074f5c70733ab5d7787a\Microsoft.Windows.Diagnosis.SDHost.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.ApplicationId.Framework\6.1.0.0__31bf3856ad364e35\Microsoft.ApplicationId.Framework.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessApplications.Tools.Intl\14.0.0.0__71e9bce111e9429c\Microsoft.Office.BusinessApplications.Tools.Intl.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.OutlookViewCtl\14.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.OutlookViewCtl.config	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\naphlpr\3905ee11acabb6d202a69b8bfa3c91a0\naphlpr.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\system.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ehiProxy\6.1.0.0__31bf3856ad364e35\ehiProxy.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0\10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\08d608378aa405adc844f3cf36974b8c\Microsoft.VisualBasic.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\a933cd1241698e4d13d80c8cb31d7055\System.Data.Services.Client.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\887ef2648686aad19feff405eddbffd2\System.EnterpriseServices.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\56a7faf970109dc1dc6b76f643d93c5f\ehiActivScp.ni.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Policy.1.0.Microsoft.Ink.config	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_64\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\ehexthost32.exe.config	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Policy.1.0.Microsoft.Ink.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_64\Policy.1.0.Microsoft.Interop.Security.AzRoles\6.1.7600.16385__31bf3856ad364e35\Microsoft.Interop.Security.AzRoles.config	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Graph\14.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.Graph.config	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\PresentationUI\3.0.0.0__31bf3856ad364e35\PresentationUI.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

NTFS ADS 22 IoCs

description	ioc	Process
File opened for modification	C:\Users\Default\Cookies\Roaming\ꞔ甝"쀀\ꞔ甝:쀀\ꞔ甝:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Application Data\Updater6\"쀀ꕨ²ꕨ²ꨚ甝\:쀀䞐±䞐±ꨚ甝\:쀀䞰±䞰±ꨚ甝\3쀀䟐±䟐±ꨚ甝\3쀀䟰±䟰±ꨚ甝\3쀀䠐±䠐±ꨚ甝\耀\3쀀䡐±䡐±ꨚ甝\3쀀䡰±䡰±ꨚ甝\3쀀䢐±䢐±ꨚ甝\ǅ	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Desktop\Updater6\"쀀ꖀ²ꖀ²ꨚ甝\:쀀䞐±䞐±ꨚ甝\:쀀䞰±䞰±ꨚ甝\3쀀䟐±䟐±ꨚ甝\3쀀䟰±䟰±ꨚ甝\3쀀䠐±䠐±ꨚ甝\3쀀䠰±䠰±ꨚ甝\3쀀䡐±䡐±ꨚ甝\3쀀䡰±䡰±ꨚ甝\3쀀䢐±䢐±ꨚ甝\3쀀䢰±䢰±ꨚ甝\3쀀䣐±䣐±ꨚ甝\3쀀䣰±䣰±ꨚ甝\3쀀䤐±Őꨚ甝ż	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Favorites\Updater6\"쀀ꖰ²ꖰ²ꨚ甝\:쀀䞐±䞐±ꨚ甝\:쀀䞰±䞰±ꨚ甝\3쀀䟐±䟐±ꨚ甝\3쀀䟰±䟰±ꨚ甝\3쀀䠐±䠐±ꨚ甝\3쀀䠰±䠰±ꨚ甝\3쀀䡐±䡐±ꨚ甝\3쀀䡰±䡰±ꨚ甝\3쀀䢐±䢐±ꨚ甝\3쀀䢰±䢰±ꨚ甝\3쀀䣐±䣐±ꨚ甝\3쀀䣰±䣰±ꨚ甝\3쀀䤐±䤐±ꨚ甝\3쀀䤰±䤰±ꨚ甝\3쀀䥐±䥐±ꨚ甝\3쀀㯠¼㯠¼ꨚ甝\3쀀㰀¼㰀¼ꨚ甝\3쀀㰠¼㰠¼ꨚ甝\3쀀㱀¼㱀¼ꨚ甝\3쀀㱠¼㱠¼ꨚ甝\3쀀㲀¼Őꨚ甝ż	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Start Menu\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\"쀀꘨²꘨²ꨚ甝\:쀀侘·侘·ꨚ甝\:쀀佘·佘·ꨚ甝\3쀀伸·伸·ꨚ甝\3쀀乸·乸·ꨚ甝\3쀀佸·佸·ꨚ甝\3쀀付·付·ꨚ甝\3쀀仸·仸·ꨚ甝\3쀀亘·亘·ꨚ甝\3쀀优·优·ꨚ甝\3쀀侸·侸·ꨚ甝\3쀀俘·	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temporary Internet Files\WPDNSE\"쀀񂂰񂂰ꨚ甝\:쀀㡐µ㡐µꨚ甝\:쀀㡰µ㡰µꨚ甝\3쀀㢐µ㢐µꨚ甝\3쀀㢰µ㢰µꨚ甝\3쀀㣐µ㣐µꨚ甝\3쀀㣰µ㣰µꨚ甝\3쀀㤐µ㤐µꨚ甝\3쀀㤰µ㤰µꨚ甝\3쀀㥐µ㥐µꨚ甝\3쀀㥰µ㥰µꨚ甝\3쀀㦐µ㦐µꨚ甝\3쀀㦰µ㦰µꨚ甝\3쀀㧐µ㧐µꨚ甝\3쀀㧰µ㧰µꨚ甝\3쀀㨐µ㨐µꨚ甝\3쀀쓰²Őꨚ甝ż	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\Application Data\Roaming\"쀀䯰²䯰²ꨚ甝\:쀀雘ʶ雘ʶꨚ甝\:쀀隸ʶ隸ʶꨚ甝\3쀀雸ʶ雸ʶꨚ甝\3쀀隘ʶ隘ʶꨚ甝\3쀀霘ʶ霘ʶꨚ甝\3쀀霸ʶ霸ʶꨚ甝\3쀀靘ʶ靘ʶꨚ甝\3쀀靸ʶ靸ʶꨚ甝\3쀀鞘ʶ鞘ʶꨚ甝\3쀀鞸ʶ鞸ʶꨚ甝\3쀀韘ʶ韘ʶꨚ甝\耀\3쀀領ʶŐꨚ甝ż	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Desktop\Updater6\"쀀ꛈ²ꛈ²ꨚ甝\:쀀®®ꨚ甝\:쀀®®ꨚ甝\3쀀®®ꨚ甝\3쀀®®ꨚ甝\3쀀®®ꨚ甝\3쀀®®ꨚ甝\3쀀®®ꨚ甝\3쀀®®ꨚ甝\3쀀®®ꨚ甝\3쀀®®ꨚ甝\3쀀®®ꨚ甝\3쀀®®ꨚ甝\3쀀®®ꨚ甝\3쀀®®ꨚ甝\3쀀®®ꨚ甝\3쀀®®ꨚ甝\3쀀®®ꨚ甝\3쀀®®ꨚ甝\Ǘ	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2455352368-1077083310-2879168483-1000\ꞔ甝"쀀\ꞔ甝:쀀\ꞔ甝:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2455352368-1077083310-2879168483-1000\ꞔ甝"쀀\ꞔ甝:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\Application Data\Roaming\ꞔ甝"쀀\ꞔ甝:쀀\ꞔ甝:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Application Data\Updater6\ꞔ甝"쀀\ꞔ甝:쀀\ꞔ甝:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2455352368-1077083310-2879168483-1000\ꞔ甝"쀀ઘ±ন±ꨚ甝\م\ꞔ甝:쀀®®ꨚ甝	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Documents\Updater6\"쀀ꖘ²ꖘ²ꨚ甝\:쀀䞐±䞐±ꨚ甝\:쀀䞰±䞰±ꨚ甝\3쀀䟐±䟐±ꨚ甝\3쀀䟰±䟰±ꨚ甝\3쀀䠐±䠐±ꨚ甝\3쀀䠰±䠰±ꨚ甝\3쀀䡐±䡐±ꨚ甝\3쀀䡰±䡰±ꨚ甝\3쀀䢐±䢐±ꨚ甝\3쀀䢰±䢰±ꨚ甝\3쀀䣐±䣐±ꨚ甝\3쀀䣰±䣰±ꨚ甝\3쀀䤐±䤐±ꨚ甝\3쀀䤰±䤰±ꨚ甝\Ő䥐±żꨚ甝\3쀀댰¯댰¯ꨚ甝\3쀀덐¯덐¯ꨚ甝\耀\3쀀뎐¯뎐¯ꨚ甝\3쀀뎰¯뎰¯ꨚ甝\3쀀돐¯㠀ꨚ甝㠤	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Favorites\Updater6\ꞔ甝"쀀\ꞔ甝:쀀\ꞔ甝:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Templates\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ甝"쀀\ꞔ甝:쀀\ꞔ甝:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2455352368-1077083310-2879168483-1000\"쀀鼀²鼀²ꨚ甝\:쀀®®ꨚ甝\:쀀®	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Templates\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\"쀀Ꙁ²Ꙁ²ꨚ甝\:쀀侘·侘·ꨚ甝\:쀀佘·佘·ꨚ甝\3쀀伸·伸·ꨚ甝\3쀀乸·乸·ꨚ甝\3쀀佸·佸·ꨚ甝\3쀀付·付·ꨚ甝\3쀀仸·仸·ꨚ甝\3쀀亘·亘·ꨚ甝\3쀀优·优·ꨚ甝\3쀀侸·侸·ꨚ甝\3쀀俘·俘·ꨚ甝\3쀀俸·俸·ꨚ甝\3쀀倘·倘·ꨚ甝\	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Desktop\Updater6\ꞔ甝"쀀\ꞔ甝:쀀\ꞔ甝:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Documents\Updater6\ꞔ甝"쀀\ꞔ甝:쀀\ꞔ甝:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Start Menu\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ甝"쀀\ꞔ甝:쀀\ꞔ甝:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Default\Application Data\Roaming\ꞔ甝"쀀\ꞔ甝:쀀\ꞔ甝:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 1664	1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	28
PID 1240 wrote to memory of 1664	1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	28
PID 1240 wrote to memory of 1664	1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	28
PID 1240 wrote to memory of 1664	1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	28
PID 1664 wrote to memory of 2032	1664	cmd.exe	31
PID 1664 wrote to memory of 2032	1664	cmd.exe	31
PID 1664 wrote to memory of 2032	1664	cmd.exe	31
PID 1664 wrote to memory of 2032	1664	cmd.exe	31
PID 2032 wrote to memory of 1216	2032	net.exe	33
PID 2032 wrote to memory of 1216	2032	net.exe	33
PID 2032 wrote to memory of 1216	2032	net.exe	33
PID 2032 wrote to memory of 1216	2032	net.exe	33
PID 1240 wrote to memory of 1296	1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	34
PID 1240 wrote to memory of 1296	1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	34
PID 1240 wrote to memory of 1296	1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	34
PID 1240 wrote to memory of 1296	1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	34
PID 1296 wrote to memory of 584	1296	cmd.exe	36
PID 1296 wrote to memory of 584	1296	cmd.exe	36
PID 1296 wrote to memory of 584	1296	cmd.exe	36
PID 1296 wrote to memory of 584	1296	cmd.exe	36
PID 584 wrote to memory of 696	584	net.exe	37
PID 584 wrote to memory of 696	584	net.exe	37
PID 584 wrote to memory of 696	584	net.exe	37
PID 584 wrote to memory of 696	584	net.exe	37
PID 1240 wrote to memory of 1764	1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	38
PID 1240 wrote to memory of 1764	1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	38
PID 1240 wrote to memory of 1764	1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	38
PID 1240 wrote to memory of 1764	1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	38
PID 1764 wrote to memory of 456	1764	cmd.exe	40
PID 1764 wrote to memory of 456	1764	cmd.exe	40
PID 1764 wrote to memory of 456	1764	cmd.exe	40
PID 1764 wrote to memory of 456	1764	cmd.exe	40
PID 456 wrote to memory of 436	456	net.exe	41
PID 456 wrote to memory of 436	456	net.exe	41
PID 456 wrote to memory of 436	456	net.exe	41
PID 456 wrote to memory of 436	456	net.exe	41
PID 1240 wrote to memory of 1464	1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	42
PID 1240 wrote to memory of 1464	1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	42
PID 1240 wrote to memory of 1464	1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	42
PID 1240 wrote to memory of 1464	1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	42
PID 1464 wrote to memory of 1596	1464	cmd.exe	44
PID 1464 wrote to memory of 1596	1464	cmd.exe	44
PID 1464 wrote to memory of 1596	1464	cmd.exe	44
PID 1464 wrote to memory of 1596	1464	cmd.exe	44
PID 1596 wrote to memory of 1352	1596	net.exe	45
PID 1596 wrote to memory of 1352	1596	net.exe	45
PID 1596 wrote to memory of 1352	1596	net.exe	45
PID 1596 wrote to memory of 1352	1596	net.exe	45
PID 1240 wrote to memory of 1984	1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	46
PID 1240 wrote to memory of 1984	1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	46
PID 1240 wrote to memory of 1984	1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	46
PID 1240 wrote to memory of 1984	1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	46
PID 1984 wrote to memory of 1536	1984	cmd.exe	48
PID 1984 wrote to memory of 1536	1984	cmd.exe	48
PID 1984 wrote to memory of 1536	1984	cmd.exe	48
PID 1984 wrote to memory of 1536	1984	cmd.exe	48
PID 1536 wrote to memory of 1696	1536	net.exe	49
PID 1536 wrote to memory of 1696	1536	net.exe	49
PID 1536 wrote to memory of 1696	1536	net.exe	49
PID 1536 wrote to memory of 1696	1536	net.exe	49
PID 1240 wrote to memory of 1224	1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	50
PID 1240 wrote to memory of 1224	1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	50
PID 1240 wrote to memory of 1224	1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	50
PID 1240 wrote to memory of 1224	1240	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	50

C:\Users\Admin\AppData\Local\Temp\26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
"C:\Users\Admin\AppData\Local\Temp\26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:1216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:584
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:456
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1596
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:1352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:1696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:1568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:1864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  PID:1556
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    PID:936
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:1440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:1628
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:988
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  PID:1220
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    PID:1868
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:1236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:768
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:2032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  PID:1836
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:1504

Network

DNS

www.sfml-dev.org

26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

Remote address:

8.8.8.8:53

Request

www.sfml-dev.org

IN A

Response

www.sfml-dev.org

IN CNAME

sfml-dev.org

sfml-dev.org

IN A

78.47.82.133
GET

http://www.sfml-dev.org/ip-provider.php

26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

Remote address:

78.47.82.133:80

Request

GET /ip-provider.php HTTP/1.0
content-length: 0
from: user@sfml-dev.org
host: www.sfml-dev.org
user-agent: libsfml-network/2.x

Response

HTTP/1.1 200 OK

Date: Thu, 02 Sep 2021 08:20:52 GMT
Server: Apache
Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline' *.sfml-dev.org www.gstatic.com www.google.com www.google-analytics.com ssl.google-analytics.com; connect-src 'self' www.google-analytics.com; img-src 'self' https: data:; style-src 'self' 'unsafe-inline' *.sfml-dev.org fonts.googleapis.com; media-src https: data:; font-src 'self' fonts.gstatic.com; base-uri 'self'; form-action 'self'; frame-src https: data:
Content-Length: 12
Connection: close
Content-Type: text/html; charset=UTF-8

78.47.82.133:80

http://www.sfml-dev.org/ip-provider.php

http

26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

364 B
829 B
5
5

HTTP Request

GET http://www.sfml-dev.org/ip-provider.php

HTTP Response

200
80.82.69.52:8080

26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

152 B
3

8.8.8.8:53

www.sfml-dev.org

dns

26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

62 B
92 B
1
1

DNS Request

www.sfml-dev.org

DNS Response

78.47.82.133

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2032-88-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.