ouroboros | 33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3

Analysis

max time kernel
99s
max time network
42s
platform
windows7_x64
resource
win7v20210408
submitted
09-09-2021 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
Size

994KB
MD5

bfed6debcd8c3dbf8ea21655247ed3f0
SHA1

2b05bc9c9a14e3f9db8e758b2f5fa060857499bf
SHA256

33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3
SHA512

73a033937bc55f24a9089e493b3c8c3c6c058a77905ca1c09b73288ac5932328668d588add546a51779e36da6408c1aeab52af290a6bfae15391ac2d8faf9a28

Score

10^/10

ouroboros xmrig evasion miner ransomware spyware stealer

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\CompressSplit.tiff	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Admin\Pictures\RepairGrant.tiff	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Admin\Pictures\ResolveRead.tiff	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Media\Characters\Desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VFDYFLB4\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Media\Savanna\Desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\E9RC2MV6\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File created	C:\Program Files\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Media\Calligraphy\Desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Media\Delta\Desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Media\Landscape\Desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Media\Desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Media\Raga\Desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File created	C:\$Recycle.Bin\S-1-5-21-2455352368-1077083310-2879168483-1000\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File created	C:\Program Files (x86)\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Media\Garden\Desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Media\Heritage\Desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8HHGB03\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Media\Festival\Desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files\desktop.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

description	flow	ioc
HTTP URL	4	http://www.sfml-dev.org/ip-provider.php

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\tquery.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmdsi.inf_amd64_neutral_e77f438012239042\mdmdsi.PNF	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr008.inf_amd64_neutral_0540370b0b1e348e\Amd64\BRM942CN.GPD	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\SysWOW64\Netplwiz.exe	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\SysWOW64\win32spl.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\brmsl01f.bin	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\SysWOW64\httpapi.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\SysWOW64\rpcrt4.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Printer-Drivers-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Security-SPP-Component-SKU-Ultimate-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\SysWOW64\mobsync.exe	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\SysWOW64\Dism\TransmogProvider.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\brmfcmf.inf_amd64_neutral_67b5984f8e8ff717\BrBidiIf.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep004.inf_amd64_neutral_63b22bfb6b93eaba\Amd64\EP7MDL03.DLL	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-OpticalMediaDisc-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr00a.cat	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\prnhp003.inf_loc	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\igfcg500m.bin	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx00y.inf_amd64_neutral_977318f2317f5ddd\Amd64\LXKXLRES.DLL	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-Multimedia-Package~31bf3856ad364e35~amd64~nl-NL~7.1.7601.16492.cat	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr007.inf_amd64_neutral_add2acf1d573aef0\Amd64\BRCLRD06.DLL	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc006.inf_amd64_neutral_7e12a60cc98d3f89\Amd64\RIA810D6.GPD	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\SysWOW64\wlancfg.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\avc.inf_amd64_neutral_3ef33c750e6308ce\avc.PNF	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmvv.inf_amd64_neutral_14cb440c800fe9fe\mdmvv.PNF	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\PRNHP002.cat	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\SysWOW64\FXSRESM.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-DesktopWindowManager-uDWM-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\netb57va.inf_loc	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmbr006.inf_amd64_neutral_40c76453575b1208\mdmbr006.inf	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00b.inf_amd64_neutral_2e6b718b2b177506\Amd64\EP0NGE9E.GPD	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\SysWOW64\networkexplorer.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\SysWOW64\setupapi.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Branding-Ultimate-Client-Package~31bf3856ad364e35~amd64~en-US~6.1.7600.16385.cat	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_neutral_4616c3de1949be6d\ntprint.PNF	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO7300T.XML	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\SysWOW64\find.exe	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\SysWOW64\mapi32.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate_ssp.exe	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PeerDist-Client-Package~31bf3856ad364e35~amd64~en-US~6.1.7600.16385.cat	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\prnrc00a.inf_loc	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netathrx.inf_amd64_neutral_905772087ff288af\netathrx.inf	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00f.inf_amd64_neutral_777b6911d18869b7\Amd64\CNBBR283.DLL	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00z.inf_amd64_neutral_27f402ce616c3ebc\Amd64\CNBDUP41.GPD	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnin004.inf_amd64_neutral_c8902ae660ab1360\Amd64\IF1401E3.PPD	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\nvraid.inf_loc	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TabletPC-OC-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netefe3e.inf_amd64_neutral_b71dd3dadc5c3e27\eFE5b32e.sys	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnle004.inf_amd64_neutral_beb9bf23b7202bff\prnle004.cat	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\SysWOW64\DDOIProxy.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\SysWOW64\WinSync.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\prnep00e.inf_loc	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_neutral_ea1c8215e52777a6\display.PNF	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep003.inf_amd64_neutral_92ed2d842e0dd4ea\PRNEP003.CAT	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa820t.exp	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnr002.inf_amd64_neutral_37896c5e81c8d488\Amd64\NRC150SP.GPD	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\SysWOW64\wsnmp32.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_313_for_KB3109118~31bf3856ad364e35~amd64~~6.1.4.0.cat	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_429_for_KB3109118~31bf3856ad364e35~amd64~~6.1.4.0.cat	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngt002.inf_amd64_neutral_df2060d80de9ff13\Amd64\GSC7500.GPD	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnin002.inf_amd64_neutral_977d40799168c216\Amd64\IFC615G.GPD	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky003.inf_amd64_neutral_fe7ea176f20ab839\Amd64\kyw7aut2.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx00a.inf_amd64_neutral_a89d2c01c0f43dfd\prnlx00a.inf	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.resources_3.9.1.v20140825-1431.jar.[[email protected]][QAOBN7DYS4KZHVX].Spade	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\logo.png	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00389_.WMF	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195342.WMF.[[email protected]][QAOBN7DYS4KZHVX].Spade	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Winamac	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00090_.GIF.[[email protected]][QAOBN7DYS4KZHVX].Spade	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287644.JPG.[[email protected]][QAOBN7DYS4KZHVX].Spade	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Anchorage	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libmjpeg_plugin.dll.[[email protected]][QAOBN7DYS4KZHVX].Spade	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14996_.GIF	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-oql_zh_CN.jar.[[email protected]][QAOBN7DYS4KZHVX].Spade	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Guayaquil.[[email protected]][QAOBN7DYS4KZHVX].Spade	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUB6INTL.REST.IDX_DLL.[[email protected]][QAOBN7DYS4KZHVX].Spade	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\hxdsui.dll.[[email protected]][QAOBN7DYS4KZHVX].Spade	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libvpx_plugin.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fontconfig.properties.src.[[email protected]][QAOBN7DYS4KZHVX].Spade	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\slideShow.css	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\SETLANG_COL.HXC	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL111.XML.[[email protected]][QAOBN7DYS4KZHVX].Spade	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00538_.WMF.[[email protected]][QAOBN7DYS4KZHVX].Spade	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files\DVD Maker\OmdProject.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEOLEDB.DLL.[[email protected]][QAOBN7DYS4KZHVX].Spade	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Boise.[[email protected]][QAOBN7DYS4KZHVX].Spade	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_mms_plugin.dll.[[email protected]][QAOBN7DYS4KZHVX].Spade	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\diner.png	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\AFTRNOON.INF.[[email protected]][QAOBN7DYS4KZHVX].Spade	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152704.WMF.[[email protected]][QAOBN7DYS4KZHVX].Spade	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD07761_.WMF.[[email protected]][QAOBN7DYS4KZHVX].Spade	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_ja.jar	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files\Java\jre7\lib\management\management.properties	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\TAB_ON.GIF	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLIST.CFG	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Galapagos.[[email protected]][QAOBN7DYS4KZHVX].Spade	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Marquesas.[[email protected]][QAOBN7DYS4KZHVX].Spade	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\OriginResume.Dotx	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00543_.WMF.[[email protected]][QAOBN7DYS4KZHVX].Spade	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_right_mouseout.png	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_rainy.png	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt.[[email protected]][QAOBN7DYS4KZHVX].Spade	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02051_.WMF	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+2.[[email protected]][QAOBN7DYS4KZHVX].Spade	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties.[[email protected]][QAOBN7DYS4KZHVX].Spade	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImagesMask16x16.bmp	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GB.XSL.[[email protected]][QAOBN7DYS4KZHVX].Spade	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_VideoInset.png	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightRegular.ttf.[[email protected]][QAOBN7DYS4KZHVX].Spade	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Port_of_Spain.[[email protected]][QAOBN7DYS4KZHVX].Spade	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00454_.WMF	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml.[[email protected]][QAOBN7DYS4KZHVX].Spade	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN048.XML	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00130_.WMF.[[email protected]][QAOBN7DYS4KZHVX].Spade	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103812.WMF.[[email protected]][QAOBN7DYS4KZHVX].Spade	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MST	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application.xml	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145373.JPG	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0156537.WMF	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_basestyle.css.[[email protected]][QAOBN7DYS4KZHVX].Spade	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin_2.0.100.v20131209-2144.jar	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_zh_4.4.0.v20140623020002.jar	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\napcrypt\09b65f9c3f78e6ef3e259af945e937b9\napcrypt.ni.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\tcpip.adml	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package~31bf3856ad364e35~amd64~zh-TW~7.1.7601.16492.mum	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~he-IL~7.1.7601.16492.mum	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\adodb.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\inf\Windows Workflow Foundation 4.0.0.0\0008\PerfCounters.ini	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\DebugAndTrace.aspx.resx	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_rightCorner.gif	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\3082\SetupResources.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Graphics\Rotate6.ico	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-WinIP-Package~31bf3856ad364e35~amd64~ar-SA~7.1.7601.16492.mum	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\MMCFxCommon\18e41c018ceff36c2512d12f570f0be7\MMCFxCommon.ni.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Cursors\larrow.cur	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Fonts\ARIALNI.TTF	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\inf\netbxnda.inf	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\inf\prnky007.inf	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Web.RegularExpressions.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-IIS-WebServer-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.mum	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.NetTcp\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceModel.NetTcp.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\createPermission.aspx	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.JScript.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.IO.MemoryMappedFiles.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\AppPatch\en-US\AcRes.dll.mui	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Cursors\libeam.cur	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Resources.Writer.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientExtensions-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio4b37ff64#\b204998e0b878089f7fd625612a35dfa\PresentationFramework-SystemXmlLinq.ni.dll.aux	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.2486c0f5#\d3624bd9507a1d21def2a1c3d713ab5e\System.Web.DynamicData.ni.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Fonts\ega80866.fon	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\ManageAppSettings.aspx.resx	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrcompression.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\ehome\CreateDisc\SBEServerPS.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\inf\prnep00c.PNF	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\inf\xcbdav.PNF	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\default.aspx	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Win32.Primitives.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Xml.XPath.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\inf\prnrc00a.PNF	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\inf\tpm.inf	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\System.Windows.Presentation.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessApplications.RuntimeUi.Intl\14.0.0.0__71e9bce111e9429c\Microsoft.Office.BusinessApplications.RuntimeUi.Intl.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\inf\mdmbtmdm.inf	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-SecureStartup-Basic-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.MediaCenter.iTv.Hosting\6.1.0.0__31bf3856ad364e35\Microsoft.MediaCenter.iTv.Hosting.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.DSC.CoreConfProviders.Resources\v4.0_3.0.0.0_en_31bf3856ad364e35\Microsoft.Windows.DSC.CoreConfProviders.Resources.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\fusion.dll	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Base-WinIP-Package~31bf3856ad364e35~amd64~he-IL~7.1.7601.16492.cat	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\UninstallPersistSqlState.sql	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Boot\PCAT\hu-HU\bootmgr.exe.mui	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Cursors\help_l.cur	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\ehome\ehtray.exe	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Fonts\ebrima.ttf	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Fonts\tahomabd.ttf	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\inf\.NET CLR Data\_DataPerfCounters.h	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Media\Delta\Windows Logoff Sound.wav	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Hyper-V-Guest-Integration-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package-MiniLP~31bf3856ad364e35~amd64~pl-PL~7.1.7601.16492.cat	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-UIAnimation-WinIP-Package~31bf3856ad364e35~amd64~zh-HK~7.1.7601.16492.cat	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\inf\mdmminij.PNF	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\MSBuild\1a154709cdfe214029ea88c51ab2b579\MSBuild.ni.exe	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe

NTFS ADS 54 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\History\Chrome\ꞔ盬"쀀절̐인̐ꨚ盬\ꞔ盬:쀀̒̒ꨚ盬\ꞔ盬:쀀̒̒ꨚ盬	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\All Users\Favorites\Updater6\ꞔ盬"쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temporary Internet Files\WPDNSE\ꞔ盬"쀀\ꞔ盬:쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\ProgramData\Templates\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ盬"쀀\ꞔ盬:쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\All Users\Start Menu\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ盬"쀀Ⱈ\|⯨\|ꨚ盬\ꞔ盬:쀀vvꨚ盬	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\ProgramData\Application Data\Updater6\ꞔ盬"쀀\ꞔ盬:쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\All Users\Start Menu\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ盬"쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Default\Cookies\Roaming\ꞔ盬"쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\All Users\Desktop\Updater6\ꞔ盬"쀀Ⱈ\|⭀\|ꨚ盬\ꞔ盬:쀀̒̒ꨚ盬	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\All Users\Application Data\Updater6\ꞔ盬"쀀Ⱈ\|⬨\|ꨚ盬\ꞔ盬:쀀̒̒ꨚ盬	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\ProgramData\Documents\Updater6\ꞔ盬"쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\ProgramData\Documents\Updater6\ꞔ盬"쀀\ꞔ盬:쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\All Users\Desktop\Updater6\ꞔ盬"쀀\ꞔ盬:쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\All Users\Documents\Updater6\ꞔ盬"쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\All Users\Application Data\Updater6\ꞔ盬"쀀\ꞔ盬:쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Default\Application Data\Roaming\ꞔ盬"쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\All Users\Documents\Updater6\ꞔ盬"쀀Ⱈ\|⭘\|ꨚ盬\ꞔ盬:쀀̒̒ꨚ盬	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\All Users\Favorites\Updater6\ꞔ盬"쀀Ⱈ\|⭰\|ꨚ盬\ꞔ盬:쀀̒̒ꨚ盬	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2455352368-1077083310-2879168483-1000\ꞔ盬"쀀\ꞔ盬:쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\ProgramData\Favorites\Updater6\ꞔ盬"쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\ProgramData\Start Menu\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ盬"쀀\ꞔ盬:쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temporary Internet Files\WPDNSE\ꞔ盬"쀀절̐쟰̐ꨚ盬\ꞔ盬:쀀̒̒ꨚ盬\ꞔ盬:쀀̒̒ꨚ盬	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Application Data\Color\"쀀㟸̏㟸̏ꨚ盬\:쀀䫘u䫘uꨚ盬\:쀀䬘u䬘uꨚ盬\3쀀䭘u䭘uꨚ盬\3쀀䬸u䬸uꨚ盬\3쀀䭸u䭸uꨚ盬\3쀀䮘u䮘uꨚ盬\3쀀䮸u䮸uꨚ盬\3쀀䯘u䯘uꨚ盬\3쀀䯸u䯸uꨚ盬\3쀀䰘u䰘uꨚ盬\3쀀䰸u䰸uꨚ盬\3쀀䱘u䱘uꨚ盬\3쀀䱸u䱸uꨚ盬\3쀀xxꨚ盬\3쀀xxꨚ盬\3쀀xxꨚ盬\3쀀xxꨚ盬\3쀀xxꨚ盬\3쀀xxꨚ盬\耀ŐrN	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\ProgramData\Favorites\Updater6\ꞔ盬"쀀\ꞔ盬:쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\All Users\Desktop\Updater6\ꞔ盬"쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2455352368-1077083310-2879168483-1000\ꞔ盬"쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\ProgramData\Desktop\Updater6\ꞔ盬"쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\All Users\Application Data\Updater6\ꞔ盬"쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\ProgramData\Templates\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ盬"쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\All Users\Start Menu\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ盬"쀀\ꞔ盬:쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Default\Cookies\Roaming\ꞔ盬"쀀\ꞔ盬:쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Admin\Application Data\Roaming\ꞔ盬"쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Default\Application Data\Roaming\ꞔ盬"쀀胈v缀vꨚ盬\ꞔ盬:쀀ssꨚ盬	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\ProgramData\Application Data\Updater6\ꞔ盬"쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Admin\AppData\Local\History\Chrome\ꞔ盬"쀀\ꞔ盬:쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Admin\AppData\Local\History\Chrome\ꞔ盬"쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Admin\Application Data\Roaming\ꞔ盬"쀀\ꞔ盬:쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Application Data\Color\ꞔ盬"쀀절̐읈̐ꨚ盬\ꞔ盬:쀀̒̒ꨚ盬\ꞔ盬:쀀̒̒ꨚ盬	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Admin\Application Data\Roaming\ꞔ盬"쀀胸v缀vꨚ盬\ꞔ盬:쀀̒̒ꨚ盬	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\All Users\Templates\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ盬"쀀Ⱈ\|Ⰰ\|ꨚ盬\ꞔ盬:쀀vvꨚ盬	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\System Volume Information\34107922-98a6-11eb-a15f-ea91f6580701\ꞔ盬"쀀\ꞔ盬:쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\ProgramData\Desktop\Updater6\ꞔ盬"쀀\ꞔ盬:쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\All Users\Documents\Updater6\ꞔ盬"쀀\ꞔ盬:쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Default\Application Data\Roaming\ꞔ盬"쀀\ꞔ盬:쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Application Data\Color\ꞔ盬"쀀\ꞔ盬:쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temporary Internet Files\WPDNSE\ꞔ盬"쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\All Users\Desktop\Updater6\"쀀⢰\|⢰\|ꨚ盬\:쀀貈w貈wꨚ盬\:쀀貨w貨wꨚ盬\3쀀质w质wꨚ盬\3쀀趨w趨wꨚ盬\3쀀赨w赨wꨚ盬\3쀀跈w跈wꨚ盬\3쀀씰̐씰̐ꨚ盬\3쀀앐̐앐̐ꨚ盬\3쀀앰̐앰̐ꨚ盬\3쀀얐̐얐̐ꨚ盬\3쀀얰̐얰̐ꨚ盬\3쀀에̐에̐ꨚ盬\3쀀연̐연̐ꨚ盬\3쀀옐̐옐̐ꨚ盬\3쀀옰̐옰̐ꨚ盬\3쀀왐̐왐̐ꨚ盬\3쀀򰌐왰̐ꨚ盬	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\All Users\Templates\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ盬"쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\System Volume Information\34107922-98a6-11eb-a15f-ea91f6580701\ꞔ盬"쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Application Data\Color\ꞔ盬"쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\All Users\Favorites\Updater6\ꞔ盬"쀀\ꞔ盬:쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\All Users\Templates\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ盬"쀀\ꞔ盬:쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\Users\Default\Cookies\Roaming\ꞔ盬"쀀胈v缘vꨚ盬\ꞔ盬:쀀ssꨚ盬	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
File opened for modification	C:\ProgramData\Start Menu\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ꞔ盬"쀀\ꞔ盬:쀀	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 684 wrote to memory of 2004	684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe	27
PID 684 wrote to memory of 2004	684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe	27
PID 684 wrote to memory of 2004	684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe	27
PID 684 wrote to memory of 2004	684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe	27
PID 2004 wrote to memory of 1416	2004	cmd.exe	29
PID 2004 wrote to memory of 1416	2004	cmd.exe	29
PID 2004 wrote to memory of 1416	2004	cmd.exe	29
PID 2004 wrote to memory of 1416	2004	cmd.exe	29
PID 1416 wrote to memory of 2044	1416	net.exe	30
PID 1416 wrote to memory of 2044	1416	net.exe	30
PID 1416 wrote to memory of 2044	1416	net.exe	30
PID 1416 wrote to memory of 2044	1416	net.exe	30
PID 684 wrote to memory of 1968	684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe	31
PID 684 wrote to memory of 1968	684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe	31
PID 684 wrote to memory of 1968	684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe	31
PID 684 wrote to memory of 1968	684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe	31
PID 1968 wrote to memory of 1888	1968	cmd.exe	33
PID 1968 wrote to memory of 1888	1968	cmd.exe	33
PID 1968 wrote to memory of 1888	1968	cmd.exe	33
PID 1968 wrote to memory of 1888	1968	cmd.exe	33
PID 1888 wrote to memory of 852	1888	net.exe	34
PID 1888 wrote to memory of 852	1888	net.exe	34
PID 1888 wrote to memory of 852	1888	net.exe	34
PID 1888 wrote to memory of 852	1888	net.exe	34
PID 684 wrote to memory of 1720	684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe	35
PID 684 wrote to memory of 1720	684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe	35
PID 684 wrote to memory of 1720	684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe	35
PID 684 wrote to memory of 1720	684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe	35
PID 1720 wrote to memory of 1788	1720	cmd.exe	37
PID 1720 wrote to memory of 1788	1720	cmd.exe	37
PID 1720 wrote to memory of 1788	1720	cmd.exe	37
PID 1720 wrote to memory of 1788	1720	cmd.exe	37
PID 1788 wrote to memory of 1820	1788	net.exe	38
PID 1788 wrote to memory of 1820	1788	net.exe	38
PID 1788 wrote to memory of 1820	1788	net.exe	38
PID 1788 wrote to memory of 1820	1788	net.exe	38
PID 684 wrote to memory of 1692	684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe	39
PID 684 wrote to memory of 1692	684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe	39
PID 684 wrote to memory of 1692	684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe	39
PID 684 wrote to memory of 1692	684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe	39
PID 1692 wrote to memory of 1308	1692	cmd.exe	41
PID 1692 wrote to memory of 1308	1692	cmd.exe	41
PID 1692 wrote to memory of 1308	1692	cmd.exe	41
PID 1692 wrote to memory of 1308	1692	cmd.exe	41
PID 1308 wrote to memory of 1224	1308	net.exe	42
PID 1308 wrote to memory of 1224	1308	net.exe	42
PID 1308 wrote to memory of 1224	1308	net.exe	42
PID 1308 wrote to memory of 1224	1308	net.exe	42
PID 684 wrote to memory of 1312	684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe	43
PID 684 wrote to memory of 1312	684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe	43
PID 684 wrote to memory of 1312	684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe	43
PID 684 wrote to memory of 1312	684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe	43
PID 1312 wrote to memory of 1404	1312	cmd.exe	45
PID 1312 wrote to memory of 1404	1312	cmd.exe	45
PID 1312 wrote to memory of 1404	1312	cmd.exe	45
PID 1312 wrote to memory of 1404	1312	cmd.exe	45
PID 1404 wrote to memory of 1460	1404	net.exe	46
PID 1404 wrote to memory of 1460	1404	net.exe	46
PID 1404 wrote to memory of 1460	1404	net.exe	46
PID 1404 wrote to memory of 1460	1404	net.exe	46
PID 684 wrote to memory of 844	684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe	47
PID 684 wrote to memory of 844	684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe	47
PID 684 wrote to memory of 844	684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe	47
PID 684 wrote to memory of 844	684	33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe	47

C:\Users\Admin\AppData\Local\Temp\33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe
"C:\Users\Admin\AppData\Local\Temp\33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:2044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1308
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:1224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1404
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:1460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:1516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  PID:1632
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    PID:432
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:1536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:1484
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:680
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  PID:316
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    PID:1624
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:968
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:1580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  PID:1768
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:1288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1580-89-0x0000000075C71000-0x0000000075C73000-memory.dmp

Filesize
8KB

Download