lockfile | cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915

Analysis

max time kernel
136s
max time network
21s
platform
windows7_x64
resource
win7-en-20210920
submitted
22-09-2021 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
Size

250KB
MD5

f08e24f57501f2c4e009b6a7d9249e99
SHA1

cb590e4eaab33bba84082f3acbe01f35e1ce710f
SHA256

cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915
SHA512

6f4305c80a49d234ffe423c08512c1685208bcc557d2e18cdff30757ad7b77c51d73046a44cb88bfe6fc31549bbd393a7bd100d1ece26ac3f56cb0e41c4cdb75

Score

10^/10

lockfile ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Public\LOCKFILE-README.hta

Family

lockfile

Ransom Note

LOCK FILE Any attempts to restore your files with the thrid-party software will be fatal for your files! Restore you data posible only buying private key from us. There is only one way to get your files back: contact us qTox ID: B2F873769EB6B508EBC2103DDEB7366CEFB7B09AB8314DAD0C4346169072686690489B47EAEB https://tox.chat/download.html Email: [email protected] Through a recommended Download Tor Browser - https://www.torproject.org/ and install it. Open link in Tor Browser - http://zqaflhty5hyziovsxgqvj2mrz5e5rs6oqxzb54zolccfnvtn5w2johad.onion This link only works in Tor Browser! Follow the instructions on this page Do not try to recover files yourself. this process can damage your data and recovery will become impossible Do not rename encrypted files. Do not waste time trying to find the solution on the Internet. The longer you wait, the higher will become the decryption key price Decryption of your files with the help of third parties may cause increased price (they add their fee to our). Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. Thanks to the warning wallpaper provided by lockbit, it's easy to use

Emails

[email protected]

URLs

https://tox.chat/download.html

http://zqaflhty5hyziovsxgqvj2mrz5e5rs6oqxzb54zolccfnvtn5w2johad.onion

Signatures

LockFile
LockFile is a new ransomware that emerged in July 2021 with ProxyShell vulnerabilties.
ransomware lockfile

Drops file in Drivers directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\en-US\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\drivers\fr-FR\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\drivers\UMDF\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\de-DE\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\ja-JP\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\drivers\de-DE\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\drivers\UMDF\en-US\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\drivers\UMDF\fr-FR\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\SysWOW64\drivers\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\SysWOW64\drivers\en-US\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\drivers\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\drivers\UMDF\de-DE\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\drivers\UMDF\ja-JP\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\fr-FR\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\drivers\etc\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\drivers\ja-JP\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\en-US\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe

Modifies extensions of user files 13 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\EnterRead.tiff => C:\Users\Admin\Pictures\enterread.tiff.lockfile	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Users\Admin\Pictures\initializestep.tiff	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File renamed	C:\Users\Admin\Pictures\ReceiveSwitch.raw => C:\Users\Admin\Pictures\receiveswitch.raw.lockfile	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Users\Admin\Pictures\tracerestore.tiff	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File renamed	C:\Users\Admin\Pictures\RestoreProtect.raw => C:\Users\Admin\Pictures\restoreprotect.raw.lockfile	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File renamed	C:\Users\Admin\Pictures\SyncExpand.tif => C:\Users\Admin\Pictures\syncexpand.tif.lockfile	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Users\Admin\Pictures\enterread.tiff	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File renamed	C:\Users\Admin\Pictures\InitializeStep.tiff => C:\Users\Admin\Pictures\initializestep.tiff.lockfile	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File renamed	C:\Users\Admin\Pictures\LimitCompare.tif => C:\Users\Admin\Pictures\limitcompare.tif.lockfile	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File renamed	C:\Users\Admin\Pictures\MountRedo.crw => C:\Users\Admin\Pictures\mountredo.crw.lockfile	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File renamed	C:\Users\Admin\Pictures\MoveUnpublish.crw => C:\Users\Admin\Pictures\moveunpublish.crw.lockfile	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File renamed	C:\Users\Admin\Pictures\RestartLimit.tif => C:\Users\Admin\Pictures\restartlimit.tif.lockfile	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File renamed	C:\Users\Admin\Pictures\TraceRestore.tiff => C:\Users\Admin\Pictures\tracerestore.tiff.lockfile	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe

Deletes itself 1 IoCs

pid	Process
632	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_neutral_0383c5de75359695\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaky002.inf_amd64_neutral_b898f5982403f3cb\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\Tasks\Microsoft\Windows\SystemRestore\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\SysWOW64\cs-CZ\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\fr\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\fr-FR\Licenses\eval\UltimateN\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\oobe\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky003.inf_amd64_neutral_fe7ea176f20ab839\Amd64\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\IME\IMESC5\applets\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\Setup\en-US\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Examples\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\DriverStore\FileRepository\megasas2.inf_amd64_neutral_599d713507780ed4\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\en-US\Licenses\eval\Enterprise\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\fr-FR\Licenses\OEM\StarterE\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\Starter\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnin003.inf_amd64_neutral_3a3c6293d0cda862\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\Ultimate\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\SysWOW64\DriverStore\FileRepository\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky304.inf_amd64_ja-jp_1b1a158086a263a4\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\ProfessionalN\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdm3com.inf_amd64_neutral_11abcf129a29fb9f\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\fr-FR\Licenses\eval\ProfessionalE\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\UltimateE\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\en-US\Licenses\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\ja-JP\Licenses\eval\HomePremiumE\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\NetworkList\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\000a\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\Starter\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-windows-audio-mmecore-other\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cxfalpal_ibv64.inf_amd64_neutral_4c42ac5f00413365\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\fr-FR\Licenses\_Default\Professional\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\StarterE\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\ja-JP\Licenses\OEM\UltimateE\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\IME\shared\res\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnkm005.inf_amd64_neutral_c03c9e328608873e\Amd64\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc00a.inf_amd64_neutral_565c5d04cc520c48\Amd64\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiabr009.inf_amd64_neutral_2d7b3edfda95df40\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx002.inf_amd64_neutral_12563574abbc36eb\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\de-DE\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\SysWOW64\migration\en-US\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hcw85b64.inf_amd64_neutral_22b436d5d06ab017\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00c.inf_amd64_neutral_510c36849918ce92\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\spp\tokens\channels\OCUR\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\SysWOW64\zh-TW\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaep003.inf_amd64_neutral_c2a98813147bf34e\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\en-US\Licenses\_Default\UltimateE\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\wbem\xml\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnge001.inf_amd64_neutral_cfffa4143b3c4592\Amd64\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc006.inf_amd64_neutral_7e12a60cc98d3f89\Amd64\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ph3xibc11.inf_amd64_neutral_bb18e5f134c40c68\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\pt-BR\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\de-DE\Licenses\_Default\HomePremiumE\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00x.inf_amd64_neutral_808baf4e08594a59\Amd64\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\StarterE\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\SysWOW64\NetworkList\Icons\StockIcons\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\HomePremiumE\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomePremiumE\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmcxhv6.inf_amd64_neutral_81ba64c5b6150dd3\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmisdn.inf_amd64_neutral_061c61abd3904560\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnok002.inf_amd64_neutral_616c1e9b7df7d5a9\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_neutral_a2f120466549d68b\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmzoom.inf_amd64_neutral_dd07287cee791f3c\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\System32\IME\IMEJP10\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbylocale_cs.jar	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files\Java\jre7\lib\management-agent.jar	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\adobeupdate.cer	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\formsblankpage.html	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\formsmacrotemplate.html	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbylocale_es.jar	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util_zh_cn.jar	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\an04369_.wmf	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\jawt.h	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\j0200611.wmf	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\so00466_.wmf	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\groove_k_col.hxk	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-heapwalker.jar	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\sandbox.luac	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\j0228959.wmf	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\so01560_.wmf	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\bd18209_.wmf	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\eadocumentapproval_init.xsn	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_zh_cn.jar	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\anchorage	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\reader\filename.luac	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\appletrailers.luac	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\formsformtemplate.html	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_sv.properties	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\dd00256_.wmf	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\j0105328.wmf	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\j0107426.wmf	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\j0205582.wmf	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\default.jfc	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\traditional.dotx	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\webemail.poc	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\nome	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\dubai	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\orielmergeletter.dotx	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\text.zip	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_ja_4.4.0.v20140623020002.jar	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\aumproduct.aup	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\j0107288.wmf	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\an01216_.wmf	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\j0107502.wmf	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\na01158_.wmf	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\adjacencyresume.dotx	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_zh_cn.jar	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pl\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\bs00184_.wmf	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\status report.fdt	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\adjacencyreport.dotx	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\j0107182.wmf	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\inf\ASP.NET_4.0.30319\0014\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..ecore-acm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e474256cdaf3932d\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_pt-pt_dd4aec746ec16291\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-games.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3256fa7b921ed5dd\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..nese_nec98_usb_only_31bf3856ad364e35_6.1.7600.16385_none_37368f7ad397beb3\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_wcf-m_sm_evt_dll_vista_31bf3856ad364e35_6.1.7600.16385_none_d45f228bb212a73a\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\msil_microsoft.web.management.aspnet_31bf3856ad364e35_6.1.7600.16385_none_eb197d33b43d6907\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..eercollab.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b19959c5a6c00613\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..e-upgrade.resources_31bf3856ad364e35_6.1.7600.16385_en-us_bb9f919c0b96bdc1\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_et-ee_51a7fb335c52ac1d\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\x86_wpf-uiautomationprovider_31bf3856ad364e35_6.1.7600.16385_none_04732778ec457888\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.ServiceProce#\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Pipes\v4.0_4.0.0.0__b03f5f7f11d50a3a\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_hidbth.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_cb33db237fe7b3d2\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..ompat-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b9f38c8f575e0175\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-font-truetype-batang_31bf3856ad364e35_6.1.7600.16385_none_13de7dc07ffbe591\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-auxdisp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cb99a9bd511994f2\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..mc-snapin.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_fa7f2f10862ebe4a\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..ssionstaticbinaries_31bf3856ad364e35_6.1.7601.17514_none_b5e105b942748c54\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..ultimaten.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_02ce9af6fe2baaa4\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..ingengine.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_23a2fad8c98ef48b\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_prngt004.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3b245ba30f11cee7\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..ional-codepage-1254_31bf3856ad364e35_6.1.7600.16385_none_22d533776b0da1a5\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_fdc.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_69c2fe3ad41d613d\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-notepadwin.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_97a095f8d7c35f2a\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..torserver.resources_31bf3856ad364e35_6.1.7601.17514_en-us_1899cfb8311e6a05\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Speech.resources\3.0.0.0_fr_31bf3856ad364e35\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.IO.Log\85b543fd18ce71c8bc95c49abf8ceb66\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-domain.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ebb64ba3932cc74e\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-setup-support_31bf3856ad364e35_8.0.7601.17514_none_3eb101caec1acc2c\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ieinstal.resources_31bf3856ad364e35_8.0.7600.16385_de-de_23baed1bacbf6e7b\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-remoteassistance-diag_31bf3856ad364e35_6.1.7600.16385_none_0f7601a1f6f55d23\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..c-standardfx_plugin_31bf3856ad364e35_6.1.7600.16385_none_48b861ab00668513\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-terminalmanager_31bf3856ad364e35_6.1.7601.17514_none_524e7eb2b99a5a7c\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1c8666cba19c26e1\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.1.7601.17514_none_ae2511475093798f\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-directwrite.resources_31bf3856ad364e35_7.1.7601.16492_es-es_846d1fa7b7cf0e98\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_638dc4a1c532cd2a\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wmi-win32-provider_31bf3856ad364e35_6.1.7600.16385_none_22bff75d90022b80\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-xpsifilter_31bf3856ad364e35_6.1.7600.16385_none_c8ca252034ea6665\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\msil_jsc.resources_b03f5f7f11d50a3a_6.1.7600.16385_ja-jp_74d728ce68981283\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\msil_system.io.log_b03f5f7f11d50a3a_6.1.7600.16385_none_59845d50dc8f5a77\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Idena7b556ff#\0723ea64eb28deb30a0df931a69feba6\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Text.Encoding\v4.0_4.0.0.0__b03f5f7f11d50a3a\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-rasmontr.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_aaa71a4f230c1c48\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-whhelper_31bf3856ad364e35_6.1.7600.16385_none_cd45cdb157033fa0\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-u..evicehost.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_236dad2f9c2a6012\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_netk57a.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_d23369cf2577d24a\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-lsa-msprivs.resources_31bf3856ad364e35_6.1.7600.16385_da-dk_c118196b69901962\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..extension.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3e4ac7bee184b648\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\inf\ASP.NET\000A\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Entity.Design\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-bootres.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6c8aa26d2d987bf0\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-uxtheme.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c9241b147178dc55\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\msil_system.servicemodel.resources_b77a5c561934e089_6.1.7601.17514_de-de_f93a40199855c5e9\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\inf\UGTHRSVC\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ddodiag_31bf3856ad364e35_6.1.7600.16385_none_924b83b9b69fb351\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2dba46ae3c357fb2\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\msil_system.xml.resources_b77a5c561934e089_6.1.7600.16385_fr-fr_79478b2cfa4676be\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_aa305720fed2017b\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-efsadu.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1d10eeafaec88d7e\JZCKHXIN-LOCKFILE-README.hta	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe

Kills process with WMI 9 IoCs

evasion

pid	Process
1140	WMIC.exe
708	WMIC.exe
1076	WMIC.exe
1156	WMIC.exe
1004	WMIC.exe
1648	WMIC.exe
1460	WMIC.exe
1668	WMIC.exe
1724	WMIC.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2024	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1648	WMIC.exe
Token: SeSecurityPrivilege	1648	WMIC.exe
Token: SeTakeOwnershipPrivilege	1648	WMIC.exe
Token: SeLoadDriverPrivilege	1648	WMIC.exe
Token: SeSystemProfilePrivilege	1648	WMIC.exe
Token: SeSystemtimePrivilege	1648	WMIC.exe
Token: SeProfSingleProcessPrivilege	1648	WMIC.exe
Token: SeIncBasePriorityPrivilege	1648	WMIC.exe
Token: SeCreatePagefilePrivilege	1648	WMIC.exe
Token: SeBackupPrivilege	1648	WMIC.exe
Token: SeRestorePrivilege	1648	WMIC.exe
Token: SeShutdownPrivilege	1648	WMIC.exe
Token: SeDebugPrivilege	1648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1648	WMIC.exe
Token: SeRemoteShutdownPrivilege	1648	WMIC.exe
Token: SeUndockPrivilege	1648	WMIC.exe
Token: SeManageVolumePrivilege	1648	WMIC.exe
Token: 33	1648	WMIC.exe
Token: 34	1648	WMIC.exe
Token: 35	1648	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1648	WMIC.exe
Token: SeSecurityPrivilege	1648	WMIC.exe
Token: SeTakeOwnershipPrivilege	1648	WMIC.exe
Token: SeLoadDriverPrivilege	1648	WMIC.exe
Token: SeSystemProfilePrivilege	1648	WMIC.exe
Token: SeSystemtimePrivilege	1648	WMIC.exe
Token: SeProfSingleProcessPrivilege	1648	WMIC.exe
Token: SeIncBasePriorityPrivilege	1648	WMIC.exe
Token: SeCreatePagefilePrivilege	1648	WMIC.exe
Token: SeBackupPrivilege	1648	WMIC.exe
Token: SeRestorePrivilege	1648	WMIC.exe
Token: SeShutdownPrivilege	1648	WMIC.exe
Token: SeDebugPrivilege	1648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1648	WMIC.exe
Token: SeRemoteShutdownPrivilege	1648	WMIC.exe
Token: SeUndockPrivilege	1648	WMIC.exe
Token: SeManageVolumePrivilege	1648	WMIC.exe
Token: 33	1648	WMIC.exe
Token: 34	1648	WMIC.exe
Token: 35	1648	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1140	WMIC.exe
Token: SeSecurityPrivilege	1140	WMIC.exe
Token: SeTakeOwnershipPrivilege	1140	WMIC.exe
Token: SeLoadDriverPrivilege	1140	WMIC.exe
Token: SeSystemProfilePrivilege	1140	WMIC.exe
Token: SeSystemtimePrivilege	1140	WMIC.exe
Token: SeProfSingleProcessPrivilege	1140	WMIC.exe
Token: SeIncBasePriorityPrivilege	1140	WMIC.exe
Token: SeCreatePagefilePrivilege	1140	WMIC.exe
Token: SeBackupPrivilege	1140	WMIC.exe
Token: SeRestorePrivilege	1140	WMIC.exe
Token: SeShutdownPrivilege	1140	WMIC.exe
Token: SeDebugPrivilege	1140	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1140	WMIC.exe
Token: SeRemoteShutdownPrivilege	1140	WMIC.exe
Token: SeUndockPrivilege	1140	WMIC.exe
Token: SeManageVolumePrivilege	1140	WMIC.exe
Token: 33	1140	WMIC.exe
Token: 34	1140	WMIC.exe
Token: 35	1140	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1140	WMIC.exe
Token: SeSecurityPrivilege	1140	WMIC.exe
Token: SeTakeOwnershipPrivilege	1140	WMIC.exe
Token: SeLoadDriverPrivilege	1140	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 1572	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	28
PID 1464 wrote to memory of 1572	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	28
PID 1464 wrote to memory of 1572	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	28
PID 1572 wrote to memory of 1648	1572	cmd.exe	29
PID 1572 wrote to memory of 1648	1572	cmd.exe	29
PID 1572 wrote to memory of 1648	1572	cmd.exe	29
PID 1464 wrote to memory of 976	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	31
PID 1464 wrote to memory of 976	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	31
PID 1464 wrote to memory of 976	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	31
PID 976 wrote to memory of 1140	976	cmd.exe	32
PID 976 wrote to memory of 1140	976	cmd.exe	32
PID 976 wrote to memory of 1140	976	cmd.exe	32
PID 1464 wrote to memory of 464	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	33
PID 1464 wrote to memory of 464	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	33
PID 1464 wrote to memory of 464	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	33
PID 464 wrote to memory of 708	464	cmd.exe	34
PID 464 wrote to memory of 708	464	cmd.exe	34
PID 464 wrote to memory of 708	464	cmd.exe	34
PID 1464 wrote to memory of 940	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	35
PID 1464 wrote to memory of 940	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	35
PID 1464 wrote to memory of 940	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	35
PID 940 wrote to memory of 1724	940	cmd.exe	36
PID 940 wrote to memory of 1724	940	cmd.exe	36
PID 940 wrote to memory of 1724	940	cmd.exe	36
PID 1464 wrote to memory of 1896	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	37
PID 1464 wrote to memory of 1896	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	37
PID 1464 wrote to memory of 1896	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	37
PID 1896 wrote to memory of 1460	1896	cmd.exe	38
PID 1896 wrote to memory of 1460	1896	cmd.exe	38
PID 1896 wrote to memory of 1460	1896	cmd.exe	38
PID 1464 wrote to memory of 1188	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	39
PID 1464 wrote to memory of 1188	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	39
PID 1464 wrote to memory of 1188	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	39
PID 1188 wrote to memory of 1076	1188	cmd.exe	40
PID 1188 wrote to memory of 1076	1188	cmd.exe	40
PID 1188 wrote to memory of 1076	1188	cmd.exe	40
PID 1464 wrote to memory of 1152	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	41
PID 1464 wrote to memory of 1152	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	41
PID 1464 wrote to memory of 1152	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	41
PID 1152 wrote to memory of 1156	1152	cmd.exe	42
PID 1152 wrote to memory of 1156	1152	cmd.exe	42
PID 1152 wrote to memory of 1156	1152	cmd.exe	42
PID 1464 wrote to memory of 1884	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	43
PID 1464 wrote to memory of 1884	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	43
PID 1464 wrote to memory of 1884	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	43
PID 1884 wrote to memory of 1668	1884	cmd.exe	44
PID 1884 wrote to memory of 1668	1884	cmd.exe	44
PID 1884 wrote to memory of 1668	1884	cmd.exe	44
PID 1464 wrote to memory of 1480	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	45
PID 1464 wrote to memory of 1480	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	45
PID 1464 wrote to memory of 1480	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	45
PID 1480 wrote to memory of 1004	1480	cmd.exe	46
PID 1480 wrote to memory of 1004	1480	cmd.exe	46
PID 1480 wrote to memory of 1004	1480	cmd.exe	46
PID 1464 wrote to memory of 1724	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	51
PID 1464 wrote to memory of 1724	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	51
PID 1464 wrote to memory of 1724	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	51
PID 1464 wrote to memory of 872	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	52
PID 1464 wrote to memory of 872	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	52
PID 1464 wrote to memory of 872	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	52
PID 1464 wrote to memory of 1312	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	53
PID 1464 wrote to memory of 1312	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	53
PID 1464 wrote to memory of 1312	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	53
PID 1464 wrote to memory of 1836	1464	cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe	54

C:\Users\Admin\AppData\Local\Temp\cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe
"C:\Users\Admin\AppData\Local\Temp\cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%vmwp%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%vmwp%'" call terminate
    3⤵
    - Kills process with WMI
    - Suspicious use of AdjustPrivilegeToken
    PID:1648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%virtualbox%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%virtualbox%'" call terminate
    3⤵
    - Kills process with WMI
    - Suspicious use of AdjustPrivilegeToken
    PID:1140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%vbox%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%vbox%'" call terminate
    3⤵
    - Kills process with WMI
    PID:708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%sqlservr%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%sqlservr%'" call terminate
    3⤵
    - Kills process with WMI
    PID:1724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%mysqld%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%mysqld%'" call terminate
    3⤵
    - Kills process with WMI
    PID:1460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%omtsreco%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%omtsreco%'" call terminate
    3⤵
    - Kills process with WMI
    PID:1076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%oracle%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%oracle%'" call terminate
    3⤵
    - Kills process with WMI
    PID:1156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%tnslsnr%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%tnslsnr%'" call terminate
    3⤵
    - Kills process with WMI
    PID:1668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic process where "name like '%vmware%'" call terminate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where "name like '%vmware%'" call terminate
    3⤵
    - Kills process with WMI
    PID:1004
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:1724
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:872
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:1312
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:1836
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:2012
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:1128
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:432
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:1076
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:1052
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\LOCKFILE-README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Modifies Internet Explorer settings
  PID:1816
- C:\Windows\system32\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 && del "C:\Users\Admin\AppData\Local\Temp\cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915.exe" && exit
  2⤵
  - Deletes itself
  PID:632
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1724-81-0x000007FEFBF91000-0x000007FEFBF93000-memory.dmp

Filesize
8KB

Download