ouroboros | 26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa

Analysis

max time kernel
105s
max time network
77s
platform
windows7_x64
resource
win7v20210408
submitted
02-09-2021 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
Size

997KB
MD5

ba454585b9f42c7254c931c192556e08
SHA1

0b530303634283a43d53abd9190106869f57ba5a
SHA256

26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa
SHA512

2cb918eab6776c7cfea031cbb48cc4e33e068489a37f39ba1e246f32fef7a35c3511293b399c81b5b8056bca50d725554866584460f04efe0d65c1d1c625bc4b

Score

10^/10

ouroboros xmrig evasion miner ransomware spyware stealer

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ConvertUninstall.tiff	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

Drops startup file 1 IoCs

Processes:

26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

Processes:

26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Searches\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\$Recycle.Bin\S-1-5-21-2455352368-1077083310-2879168483-1000\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Public\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\Cookies\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VNYR844D\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X8SF34HL\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNHPAZTY\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\E9RC2MV6\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2455352368-1077083310-2879168483-1000\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VFDYFLB4\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 4 http://www.sfml-dev.org/ip-provider.php

description	flow	ioc
HTTP URL	4	http://www.sfml-dev.org/ip-provider.php

Drops file in System32 directory 1 IoCs

Processes:

26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\regedit.exe	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

Drops file in Program Files directory 64 IoCs

Processes:

26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiBold.ttf.[[email protected]][ID-5UEPXF2Q1DN3WKY].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.el_2.2.0.v201303151357.jar.[[email protected]][ID-5UEPXF2Q1DN3WKY].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-search_zh_CN.jar.[[email protected]][ID-5UEPXF2Q1DN3WKY].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_left.png	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\msoeres.dll.mui	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Cape_Verde.[[email protected]][ID-5UEPXF2Q1DN3WKY].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Volgograd.[[email protected]][ID-5UEPXF2Q1DN3WKY].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\MANIFEST.MF.[[email protected]][ID-5UEPXF2Q1DN3WKY].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_cdg_plugin.dll.[[email protected]][ID-5UEPXF2Q1DN3WKY].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montreal	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+2	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\DebugExit.emz.[[email protected]][ID-5UEPXF2Q1DN3WKY].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Chicago	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-oql.jar.[[email protected]][ID-5UEPXF2Q1DN3WKY].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png.[[email protected]][ID-5UEPXF2Q1DN3WKY].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TaskbarIconImages256Colors.bmp	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jce.jar	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-windows.jar.[[email protected]][ID-5UEPXF2Q1DN3WKY].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_ja.jar.[[email protected]][ID-5UEPXF2Q1DN3WKY].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions_Person.css	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\GIGGLE.WAV	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPICCAP.DPV	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\uk.pak.[[email protected]][ID-5UEPXF2Q1DN3WKY].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_ja.jar.[[email protected]][ID-5UEPXF2Q1DN3WKY].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jre7\lib\charsets.jar	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange.css	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png.[[email protected]][ID-5UEPXF2Q1DN3WKY].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_ja_4.4.0.v20140623020002.jar	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Rio_Gallegos.[[email protected]][ID-5UEPXF2Q1DN3WKY].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml.[[email protected]][ID-5UEPXF2Q1DN3WKY].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\icon.png	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\7-Zip\Lang\sv.txt.[[email protected]][ID-5UEPXF2Q1DN3WKY].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Essential.thmx	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341554.JPG	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Reykjavik.[[email protected]][ID-5UEPXF2Q1DN3WKY].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Lindeman	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14528_.GIF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02085_.GIF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\vlc.mo	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00942_.WMF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\Java\jre7\bin\eula.dll.[[email protected]][ID-5UEPXF2Q1DN3WKY].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot.png	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\jvm.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MUOPTIN.DLL	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_ja.jar.[[email protected]][ID-5UEPXF2Q1DN3WKY].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18252_.WMF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF.[[email protected]][ID-5UEPXF2Q1DN3WKY].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_fr.properties.[[email protected]][ID-5UEPXF2Q1DN3WKY].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NL7Data0011.DLL.[[email protected]][ID-5UEPXF2Q1DN3WKY].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313970.JPG	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe.[[email protected]][ID-5UEPXF2Q1DN3WKY].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145272.JPG	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Mawson.[[email protected]][ID-5UEPXF2Q1DN3WKY].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.properties.[[email protected]][ID-5UEPXF2Q1DN3WKY].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115864.GIF	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ONBttnPPT.dll.[[email protected]][ID-5UEPXF2Q1DN3WKY].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_ja_4.4.0.v20140623020002.jar	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX9.x3d.[[email protected]][ID-5UEPXF2Q1DN3WKY].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\PublicFunctions.js	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.[[email protected]][ID-5UEPXF2Q1DN3WKY].Void	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

Drops file in Windows directory 64 IoCs

Processes:

26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

description	ioc	process
File opened for modification	C:\Windows\TSSysprep.log	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\AppPatch\pcamain.sdb	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\mcstoredb\6.1.0.0__31bf3856ad364e35\mcstoredb.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\normnfkc.nlp	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\6.1.0.0__31bf3856ad364e35\Microsoft.GroupPolicy.AdmTmplEditor.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Policy.1.0.Microsoft.Ink.config	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_64\BDATunePIA\6.1.0.0__31bf3856ad364e35\BDATunePIA.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\msdfmap.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\setuperr.log	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\twunk_32.exe	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\WindowsUpdate.log	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\big5.nlp	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\normnfd.nlp	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.MediaCenter.Playback\6.1.0.0__31bf3856ad364e35\Microsoft.MediaCenter.Playback.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_64\Policy.1.2.Microsoft.Interop.Security.AzRoles\6.1.7600.16385__31bf3856ad364e35\Policy.1.2.Microsoft.Interop.Security.AzRoles.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\addins\FXSEXT.ecf	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\AppPatch\sysmain.sdb	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\pubpol42.dat	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\Microsoft.Interop.Security.AzRoles.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\Policy.1.7.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Policy.1.7.Microsoft.Ink.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_64\napcrypt\6.1.0.0__31bf3856ad364e35\NAPCRYPT.DLL	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Microsoft.Ink.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe.config	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_64\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\explorer.exe	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\extensibility.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\ehexthost32.exe.config	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_en_31bf3856ad364e35\Microsoft.GroupPolicy.AdmTmplEditor.Resources.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\normidna.nlp	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\twain_32.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\twunk_16.exe	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\acspecfc.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\AppPatch\en-US\AcRes.dll.mui	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\adodb.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\AuditPolicyGPManagedStubs.Interop.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.VisualStudio.Tools.Applications.InteropAdapter\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Applications.InteropAdapter.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\normnfc.nlp	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Microsoft.Ink.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Interop.Security.AzRoles\6.1.7600.16385__31bf3856ad364e35\Policy.1.0.Microsoft.Interop.Security.AzRoles.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\Microsoft.Ink.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\__AssemblyInfo__.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\HelpPane.exe	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\Professional.xml	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\Starter.xml	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\AppCompat\Programs\RecentFileCache.bcf	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\Microsoft.Ink.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\normnfkd.nlp	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\Policy.6.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Policy.6.0.Microsoft.Ink.config	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.Dtc.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\WindowsShell.Manifest	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\msbuild.exe.config	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.MediaCenter.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.MediaCenter.Interop.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\normnfkd.nlp	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_64\System.Printing\3.0.0.0__31bf3856ad364e35\System.Printing.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\AcXtrnal.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\normidna.nlp	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\prcp.nlp	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Windows\assembly\GAC_64\Policy.1.0.Microsoft.Interop.Security.AzRoles\6.1.7600.16385__31bf3856ad364e35\Policy.1.0.Microsoft.Interop.Security.AzRoles.dll	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

NTFS ADS 22 IoCs

Processes:

26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\S-1-5-21-2455352368-1077083310-2879168483-1000\"쀀𘂉𘂉ꨚ瓠\:쀀ꨚ瓠\:쀀ꨚ瓠\3쀀ꨚ瓠\3쀀ꨚ瓠\3쀀ꨚ瓠\3쀀ꨚ瓠\3쀀ꨚ瓠\3쀀ꨚ瓠\3쀀ꨚ瓠\3쀀ꨚ瓠\3쀀ꨚ瓠\3쀀ꨚ瓠\΂	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Templates\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ瓠"쀀\ꞔ瓠:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Application Data\Color\ꞔ瓠"쀀\ꞔ瓠:쀀\ꞔ瓠:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\Application Data\Roaming\"쀀ᤸᤸꨚ瓠\:쀀⁐⁐ꨚ瓠\:쀀⁰⁰ꨚ瓠\3쀀ₐₐꨚ瓠\3쀀₰₰ꨚ瓠\3쀀⃐⃐ꨚ瓠\3쀀⃰⃰ꨚ瓠\3쀀ℐℐꨚ瓠\3쀀ℰℰꨚ瓠\3쀀⅐⅐ꨚ瓠\3쀀ⅰⅰꨚ瓠\3쀀←←ꨚ瓠\3쀀↰↰ꨚ瓠\3쀀⇐⇐ꨚ瓠\3쀀⇰⇰ꨚ瓠\3쀀∐	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Application Data\Updater6\"쀀기기ꨚ瓠\:쀀╸╸ꨚ瓠\:쀀╘╘ꨚ瓠\3쀀▘▘ꨚ瓠\3쀀▸▸ꨚ瓠\3쀀◘◘ꨚ瓠\3쀀◸◸ꨚ瓠\3쀀☘☘ꨚ瓠\3쀀☸☸ꨚ瓠\3쀀♘♘ꨚ瓠\3쀀♸♸ꨚ瓠\3쀀⚘⚘ꨚ瓠\3쀀⚸⚸ꨚ瓠\3쀀⛘⛘ꨚ瓠\3쀀⛸⛸ꨚ瓠\Ő✘Őꨚ瓠ż	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\All Users\Desktop\Updater6\"쀀깈깈ꨚ瓠\:쀀╸╸ꨚ瓠\:쀀╘╘ꨚ瓠\3쀀▘▘ꨚ瓠\3쀀▸▸ꨚ瓠\3쀀◘◘ꨚ瓠\3쀀◸◸ꨚ瓠\3쀀☘☘ꨚ瓠\3쀀☸☸ꨚ瓠\3쀀♘♘ꨚ瓠\3쀀♸♸ꨚ瓠\3쀀⚘⚘ꨚ瓠\3쀀⚸⚸ꨚ瓠\3쀀⛘⛘ꨚ瓠\3쀀⛸⛸ꨚ瓠\3쀀✘\3쀀쮈쮈ꨚ瓠\3쀀쮨쮨ꨚ瓠\3쀀쯈쯈ꨚ瓠\3쀀쯨Őꨚ瓠ż	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Application Data\Updater6\"쀀눈눈ꨚ瓠\:쀀򸂍򸂍ꨚ瓠\:쀀󀂍󀂍ꨚ瓠\3쀀󈂍󈂍ꨚ瓠\3쀀󐂍󐂍ꨚ瓠\3쀀󘂍󘂍ꨚ瓠\3쀀󠂍󠂍ꨚ瓠\3쀀󨂍󨂍ꨚ瓠\3쀀󰂍Őꨚ瓠ż	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\System Volume Information\34107922-98a6-11eb-a15f-ea91f6580701\ꞔ瓠"쀀\ꞔ瓠:쀀\ꞔ瓠:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temporary Internet Files\WPDNSE\"쀀⧸⧸ꨚ瓠\:쀀⃐⃐ꨚ瓠\:쀀⃰⃰ꨚ瓠\3쀀ℐℐꨚ瓠\3쀀ℰℰꨚ瓠\3쀀⅐⅐ꨚ瓠\3쀀ⅰⅰꨚ瓠\3쀀←←ꨚ瓠\3쀀↰↰ꨚ瓠\3쀀⇐\3쀀⇰⇰ꨚ瓠\3쀀∐∐ꨚ瓠\3쀀旨旨ꨚ瓠\3쀀昈昈ꨚ瓠\ƹ	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temporary Internet Files\WPDNSE\ꞔ瓠"쀀\ꞔ瓠:쀀\ꞔ瓠:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2455352368-1077083310-2879168483-1000\ꞔ瓠"쀀\ꞔ瓠:쀀\ꞔ瓠:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2455352368-1077083310-2879168483-1000\ꞔ瓠"쀀ઘনꨚ瓠\ꞔ瓠:쀀ꨚ瓠	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Desktop\Updater6\ꞔ瓠"쀀\ꞔ瓠:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Favorites\Updater6\ꞔ瓠"쀀\ꞔ瓠:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Start Menu\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ瓠"쀀\ꞔ瓠:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\AppData\Local\History\Chrome\ꞔ瓠"쀀\ꞔ瓠:쀀\ꞔ瓠:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2455352368-1077083310-2879168483-1000\ꞔ瓠"쀀\ꞔ瓠:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Application Data\Updater6\ꞔ瓠"쀀\ꞔ瓠:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Documents\Updater6\ꞔ瓠"쀀\ꞔ瓠:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Desktop\Updater6\"쀀눠눠ꨚ瓠\:쀀򸂍򸂍ꨚ瓠\:쀀󀂍󀂍ꨚ瓠\3쀀󈂍󈂍ꨚ瓠\3쀀󐂍󐂍ꨚ瓠\3쀀󘂍󘂍ꨚ瓠\3쀀󠂍󠂍ꨚ瓠\3쀀󨂍󨂍ꨚ瓠\3쀀󰂍󰂍ꨚ瓠\3쀀󸂍󸂍ꨚ瓠\3쀀􀂍􀂍ꨚ瓠\Ő􈂍żꨚ瓠	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\ProgramData\Documents\Updater6\"쀀눸눸ꨚ瓠\:쀀򸂍򸂍ꨚ瓠\:쀀󀂍󀂍ꨚ瓠\3쀀󈂍󈂍ꨚ瓠\3쀀󐂍󐂍ꨚ瓠\3쀀󘂍󘂍ꨚ瓠\3쀀󠂍󠂍ꨚ瓠\3쀀󨂍󨂍ꨚ瓠\3쀀󰂍󰂍ꨚ瓠\3쀀󸂍󸂍ꨚ瓠\3쀀􀂍􀂍ꨚ瓠\3쀀􈂍􈂍ꨚ瓠\3쀀ᑐᑐꨚ瓠\3쀀ᑰᑰꨚ瓠\3쀀ᒐᒐꨚ瓠\3쀀ᒰᒰꨚ瓠\3쀀ᓐ㠀ꨚ瓠㡘	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
File opened for modification	C:\Users\Admin\Application Data\Roaming\ꞔ瓠"쀀\ꞔ瓠:쀀\ꞔ瓠:쀀	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

pid	process
528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 528 wrote to memory of 1720	528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	cmd.exe
PID 528 wrote to memory of 1720	528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	cmd.exe
PID 528 wrote to memory of 1720	528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	cmd.exe
PID 528 wrote to memory of 1720	528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	cmd.exe
PID 1720 wrote to memory of 1544	1720	cmd.exe	net.exe
PID 1720 wrote to memory of 1544	1720	cmd.exe	net.exe
PID 1720 wrote to memory of 1544	1720	cmd.exe	net.exe
PID 1720 wrote to memory of 1544	1720	cmd.exe	net.exe
PID 1544 wrote to memory of 1244	1544	net.exe	net1.exe
PID 1544 wrote to memory of 1244	1544	net.exe	net1.exe
PID 1544 wrote to memory of 1244	1544	net.exe	net1.exe
PID 1544 wrote to memory of 1244	1544	net.exe	net1.exe
PID 528 wrote to memory of 1232	528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	cmd.exe
PID 528 wrote to memory of 1232	528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	cmd.exe
PID 528 wrote to memory of 1232	528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	cmd.exe
PID 528 wrote to memory of 1232	528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	cmd.exe
PID 1232 wrote to memory of 1600	1232	cmd.exe	net.exe
PID 1232 wrote to memory of 1600	1232	cmd.exe	net.exe
PID 1232 wrote to memory of 1600	1232	cmd.exe	net.exe
PID 1232 wrote to memory of 1600	1232	cmd.exe	net.exe
PID 1600 wrote to memory of 1700	1600	net.exe	net1.exe
PID 1600 wrote to memory of 1700	1600	net.exe	net1.exe
PID 1600 wrote to memory of 1700	1600	net.exe	net1.exe
PID 1600 wrote to memory of 1700	1600	net.exe	net1.exe
PID 528 wrote to memory of 1140	528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	cmd.exe
PID 528 wrote to memory of 1140	528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	cmd.exe
PID 528 wrote to memory of 1140	528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	cmd.exe
PID 528 wrote to memory of 1140	528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	cmd.exe
PID 1140 wrote to memory of 340	1140	cmd.exe	net.exe
PID 1140 wrote to memory of 340	1140	cmd.exe	net.exe
PID 1140 wrote to memory of 340	1140	cmd.exe	net.exe
PID 1140 wrote to memory of 340	1140	cmd.exe	net.exe
PID 340 wrote to memory of 1756	340	net.exe	net1.exe
PID 340 wrote to memory of 1756	340	net.exe	net1.exe
PID 340 wrote to memory of 1756	340	net.exe	net1.exe
PID 340 wrote to memory of 1756	340	net.exe	net1.exe
PID 528 wrote to memory of 936	528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	cmd.exe
PID 528 wrote to memory of 936	528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	cmd.exe
PID 528 wrote to memory of 936	528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	cmd.exe
PID 528 wrote to memory of 936	528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	cmd.exe
PID 936 wrote to memory of 1376	936	cmd.exe	net.exe
PID 936 wrote to memory of 1376	936	cmd.exe	net.exe
PID 936 wrote to memory of 1376	936	cmd.exe	net.exe
PID 936 wrote to memory of 1376	936	cmd.exe	net.exe
PID 1376 wrote to memory of 1160	1376	net.exe	net1.exe
PID 1376 wrote to memory of 1160	1376	net.exe	net1.exe
PID 1376 wrote to memory of 1160	1376	net.exe	net1.exe
PID 1376 wrote to memory of 1160	1376	net.exe	net1.exe
PID 528 wrote to memory of 1596	528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	cmd.exe
PID 528 wrote to memory of 1596	528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	cmd.exe
PID 528 wrote to memory of 1596	528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	cmd.exe
PID 528 wrote to memory of 1596	528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	cmd.exe
PID 1596 wrote to memory of 2028	1596	cmd.exe	net.exe
PID 1596 wrote to memory of 2028	1596	cmd.exe	net.exe
PID 1596 wrote to memory of 2028	1596	cmd.exe	net.exe
PID 1596 wrote to memory of 2028	1596	cmd.exe	net.exe
PID 2028 wrote to memory of 1724	2028	net.exe	net1.exe
PID 2028 wrote to memory of 1724	2028	net.exe	net1.exe
PID 2028 wrote to memory of 1724	2028	net.exe	net1.exe
PID 2028 wrote to memory of 1724	2028	net.exe	net1.exe
PID 528 wrote to memory of 596	528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	cmd.exe
PID 528 wrote to memory of 596	528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	cmd.exe
PID 528 wrote to memory of 596	528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	cmd.exe
PID 528 wrote to memory of 596	528	26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe
"C:\Users\Admin\AppData\Local\Temp\26690dae115f47a1e0167750209a30cc68f51c5090e3b908105c93967e5156fa_unpacked.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:1244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:1700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:340
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:1160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:1724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:1580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:1912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  PID:864
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    PID:1396
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:2012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:968
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:1492
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  PID:944
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    PID:2016
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:1744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:1408
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:1288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  PID:1716
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/340-66-0x0000000000000000-mapping.dmp

Download
memory/596-74-0x0000000000000000-mapping.dmp

Download
memory/628-90-0x0000000000000000-mapping.dmp

Download
memory/680-82-0x0000000000000000-mapping.dmp

Download
memory/864-77-0x0000000000000000-mapping.dmp

Download
memory/936-68-0x0000000000000000-mapping.dmp

Download
memory/944-83-0x0000000000000000-mapping.dmp

Download
memory/968-80-0x0000000000000000-mapping.dmp

Download
memory/1140-65-0x0000000000000000-mapping.dmp

Download
memory/1160-70-0x0000000000000000-mapping.dmp

Download
memory/1232-62-0x0000000000000000-mapping.dmp

Download
memory/1244-61-0x0000000000000000-mapping.dmp

Download
memory/1288-87-0x0000000000000000-mapping.dmp

Download
memory/1288-88-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/1376-69-0x0000000000000000-mapping.dmp

Download
memory/1396-78-0x0000000000000000-mapping.dmp

Download
memory/1408-86-0x0000000000000000-mapping.dmp

Download
memory/1492-81-0x0000000000000000-mapping.dmp

Download
memory/1544-60-0x0000000000000000-mapping.dmp

Download
memory/1580-75-0x0000000000000000-mapping.dmp

Download
memory/1596-71-0x0000000000000000-mapping.dmp

Download
memory/1600-63-0x0000000000000000-mapping.dmp

Download
memory/1700-64-0x0000000000000000-mapping.dmp

Download
memory/1716-89-0x0000000000000000-mapping.dmp

Download
memory/1720-59-0x0000000000000000-mapping.dmp

Download
memory/1724-73-0x0000000000000000-mapping.dmp

Download
memory/1744-85-0x0000000000000000-mapping.dmp

Download
memory/1756-67-0x0000000000000000-mapping.dmp

Download
memory/1912-76-0x0000000000000000-mapping.dmp

Download
memory/2012-79-0x0000000000000000-mapping.dmp

Download
memory/2016-84-0x0000000000000000-mapping.dmp

Download
memory/2028-72-0x0000000000000000-mapping.dmp

Download