xmrig | 15fea1662d7a85e4d95fd89e36b4f02dd6657045ea9f20301130a321994504c6

Analysis

max time kernel
131s
max time network
225s
platform
windows7_x64
resource
win7-en-20211014
submitted
08-12-2021 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

software.exe
Size

3.2MB
MD5

9bb9bef710583acc0b74b42e9c244209
SHA1

ac0cb5474c2bd21263c3758aaff6420f7380f5b6
SHA256

15fea1662d7a85e4d95fd89e36b4f02dd6657045ea9f20301130a321994504c6
SHA512

aa630dec6a967b9bbbad8425ac8afee443f7e37dbf21fe761fd3a4a27f3b78efdd92b13fd14a3e8931045d803ec52f7b1276f6534bf6b07e8ab1a4e74340ae17

Score

10^/10

xmrig evasion miner ransomware spyware stealer

Malware Config

Extracted

Path

C:\Decryption-Guide.txt

Ransom Note

Your Files Are Has Been Locked Your Files Has Been Encrypted with cryptography Algorithm If You Need Your Files And They are Important to You, Dont be shy Send Me an Email Send Test File + The Key File on Your System (File Exist in C:/ProgramData example : RSAKEY-SE-24r6t523 pr RSAKEY.KEY) to Make Sure Your Files Can be Restored Make an Agreement on Price with me and Pay Get Decryption Tool + RSA Key AND Instruction For Decryption Process Attention: 1- Do Not Rename or Modify The Files (You May loose That file) 2- Do Not Try To Use 3rd Party Apps or Recovery Tools ( if You want to do that make an copy from Files and try on them and Waste Your time ) 3-Do not Reinstall Operation System(Windows) You may loose the key File and Loose Your Files 4-Do Not Always Trust to Middle mans and negotiators (some of them are good but some of them agree on 4000usd for example and Asked 10000usd From Client) this Was happened Your Case ID :MJ-VB6702958413 OUR Email :wixawm@gmail.com

Emails

wixawm@gmail.com

Extracted

Path

C:\Users\Admin\Desktop\Decryption-Guide.HTA

Ransom Note

Your Files Are Has Been Locked Your Files Has Been Encrypted with cryptography Algorithm If You Need Your Files And They are Important to You, Dont be shy Send Me an Email Send Test File + The Key File on Your System (File Exist in C:/ProgramData example : KEY-SE-24r6t523 or RSAKEY.KEY) to Make Sure Your Files Can be Restored Make an Agreement on Price with me and Pay Get Decryption Tool + RSA Key AND Instruction For Decryption Process Attention: 1- Do Not Rename or Modify The Files (You May loose That file) 2- Do Not Try To Use 3rd Party Apps or Recovery Tools ( if You want to do that make an copy from Files and try on them and Waste Your time ) 3-Do not Reinstall Operation System(Windows) You may loose the key File and Loose Your Files 4-Do Not Always Trust to Middle mans and negotiators (some of them are good but some of them agree on 4000usd for example and Asked 10000usd From Client) this Was happened Your Case ID : MJ-VB6702958413 Our Email:wixawm@gmail.com

Emails

Email:wixawm@gmail.com

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Drops file in Drivers directory 27 IoCs

Processes:

software.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	software.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 4 IoCs

Processes:

software.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	software.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	software.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

Processes:

software.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	software.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	software.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	software.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	software.exe
File created	C:\Users\Admin\Links\desktop.ini	software.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2955169046-2371869340-1800780948-1000\desktop.ini	software.exe
File opened for modification	C:\Windows\Media\Garden\Desktop.ini	software.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.2.9600.16428_none_197d7b3a29314757\desktop.ini	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-sonata_31bf3856ad364e35_6.1.7600.16385_none_201752c112c5078c\Desktop.ini	software.exe
File opened for modification	C:\Windows\Media\Quirky\Desktop.ini	software.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\39RGOTWW\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	software.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	software.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	software.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	software.exe
File created	C:\Users\Admin\Searches\desktop.ini	software.exe
File opened for modification	C:\Windows\Media\Characters\Desktop.ini	software.exe
File opened for modification	C:\Windows\Media\Landscape\Desktop.ini	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_6.1.7600.16385_none_61fc91b36f901b87\Desktop.ini	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_6.1.7600.16385_none_7ca09f65fd387e58\Desktop.ini	software.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	software.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	software.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	software.exe
File created	C:\Users\Admin\Downloads\desktop.ini	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_6.1.7600.16385_none_bf396ba9226e0702\Desktop.ini	software.exe
File created	C:\Program Files\desktop.ini	software.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	software.exe
File opened for modification	C:\Users\Public\desktop.ini	software.exe
File created	C:\Users\Admin\Favorites\Links for United States\desktop.ini	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_6.1.7600.16385_none_7ff91f5d2dd6c770\Desktop.ini	software.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	software.exe
File opened for modification	C:\Windows\Media\Heritage\Desktop.ini	software.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	software.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	software.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	software.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenes\Desktop.ini	software.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	software.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\desktop.ini	software.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	software.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	software.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\B30T6PBA\desktop.ini	software.exe
File opened for modification	C:\Windows\Web\Wallpaper\Landscapes\Desktop.ini	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-landscapes_31bf3856ad364e35_6.1.7600.16385_none_e57abb2f66db71a9\Desktop.ini	software.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	software.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	software.exe
File created	C:\Users\Public\Recorded TV\desktop.ini	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-gb-links-component_31bf3856ad364e35_6.1.7601.17514_none_0ea01e97df141032\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	software.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	software.exe
File created	C:\Users\Admin\Music\desktop.ini	software.exe
File created	C:\Program Files\Microsoft Games\Hearts\desktop.ini	software.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	software.exe
File created	C:\Program Files\Microsoft Games\Chess\desktop.ini	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	software.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	software.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	software.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	software.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in System32 directory 64 IoCs

Processes:

software.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\de-DE\netxex64.inf_loc	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\BRD357C.GPD	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky008.inf_amd64_neutral_9f6abc54cbf095f2\prnky008.PNF	software.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\wusa.exe.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\rnr20.dll	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hpoa1so.inf_amd64_neutral_4f1a3f1015001339\hpoa1so.PNF	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky306.inf_amd64_ja-jp_97f0de39317f6837\prnky306.inf	software.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\RMActivate_ssp_isv.exe.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-IasServer-MigPlugin\IasMigPlugin.dll	software.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\fltMC.exe.mui	software.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\netevbda.inf_loc	software.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\0003\_setup.dll	software.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-WinIP-Package~31bf3856ad364e35~amd64~it-IT~7.1.7601.16492.cat	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmhayes.inf_amd64_neutral_507db5d34d7acddc\mdmhayes.inf	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netg664.inf_amd64_neutral_b4e8ccc6ba210e97\SiSG664.sys	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngt004.inf_amd64_neutral_f5bf8a7ba9dfff55\Amd64\GS1431E3.PPD	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpf4200t.gpd	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smpsrd1.dll	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiaca00b.inf_amd64_neutral_1aaa057d3d52ea43\CNHW07A.DLL	software.exe
File opened for modification	C:\Windows\SysWOW64\en-US\iphlpsvc.dll.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\prntvpt.dll	software.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\Microsoft.Wsman.Management.dll-Help.xml	software.exe
File opened for modification	C:\Windows\SysWOW64\en-US\regsvr32.exe.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\mmci.dll.mui	software.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\netserv.inf_loc	software.exe
File opened for modification	C:\Windows\SysWOW64\wbem\de-DE\auxiliarydisplaycpl.mfl	software.exe
File opened for modification	C:\Windows\SysWOW64\mlang.dat	software.exe
File opened for modification	C:\Windows\SysWOW64\dpmodemx.dll	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00b.inf_amd64_neutral_2e6b718b2b177506\Amd64\EP0NGX8M.GPD	software.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\terminalservices-licenseserver-DL.man	software.exe
File opened for modification	C:\Windows\SysWOW64\appmgr.dll	software.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\prnlx00v.inf_loc	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpbsnewm.gpd	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa620t.xml	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\umbus.inf_amd64_neutral_2d4257afa2e35253\umbus.inf	software.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\sdiagnhost.exe.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\cmmon32.exe.mui	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\amdsata.inf_amd64_neutral_67db50590108ebd9\amdsata.sys	software.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\System.Management.Automation.dll-Help.xml	software.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00e.inf_amd64_neutral_edc631ff41a34218\Amd64\EP0NGWAA.GPD	software.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\net1kx64.inf_loc	software.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\hostname.exe.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\sppcomapi.dll.mui	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO6200T.GPD	software.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\ks.inf_loc	software.exe
File opened for modification	C:\Windows\SysWOW64\spp.dll	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc4340t.exp	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsv004.inf_amd64_neutral_fc4526bbfbd5feb1\Amd64\SAC20203.PPD	software.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\wscsvc.dll.mui	software.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SearchEngine-Client-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat	software.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\DisplaySwitch.exe.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\poqexec.exe.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\pots.dll.mui	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\cxfalcon_ibv64.inf_amd64_neutral_d065aec3fcf4ec4e\cpnotify_IBV64.ax	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\hpmcpap6.gpd	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_neutral_9b214cd9b78760aa\prnms001.PNF	software.exe
File opened for modification	C:\Windows\System32\catroot2\edb005DC.log	software.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\perfmon.exe.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\wbem\fr-FR\WmiPerfClass.dll.mui	software.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\volume.inf_loc	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prncs302.inf_amd64_ja-jp_96eca15be06b1482\Amd64\CSN36J.GPD	software.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\prnrc006.inf_loc	software.exe
File opened for modification	C:\Windows\SysWOW64\en-US\hid.dll.mui	software.exe

Drops file in Program Files directory 64 IoCs

Processes:

software.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	software.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\MTEXTRA.TTF	software.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_ja_4.4.0.v20140623020002.jar,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\AXIS.INF,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File opened for modification	C:\Program Files\Java\jre7\lib\management\management.properties,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImage.jpg	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0285410.WMF,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Port_of_Spain	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.properties	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00513_.WMF,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00784_.WMF,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0185604.WMF,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_zh_CN.jar	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-attach.jar	software.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.STD,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\HEADINGBB.DPV	software.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00098_.WMF,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REMOTE.CFG,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-6	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\Parity.fx	software.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_mmx_plugin.dll,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Riga	software.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKACCL.ICO,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15072_.GIF	software.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\STUDIO.INF,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21398_.GIF,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115865.GIF,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv	software.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif	software.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libfaad_plugin.dll,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libwingdi_plugin.dll,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\HEADER.GIF	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jpeg.dll,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\vlc.mo,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS.HXS,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewFrame.html	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0234657.WMF,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectToolsetIconImages.jpg,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\PACBELL.NET.XML,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099178.WMF,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Foundry.thmx,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV_COL.HXC	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01777_.WMF	software.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-14,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-annotations-common.jar,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF	software.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\ja-JP\sbdrop.dll.mui	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\ED00184_.WMF,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif	software.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEODEXL.DLL	software.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImagesMask.bmp,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Conversion.v3.5.resources.dll	software.exe
File opened for modification	C:\Program Files\Mozilla Firefox\IA2Marshal.dll,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152716.WMF	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIDEBARBB.POC	software.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105246.WMF,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MUAUTH.CAB	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-actions.jar	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+5,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\smtp.jar,(MJ-VB6702958413)(wixawm@gmail.com).wixawm	software.exe

Drops file in Windows directory 64 IoCs

Processes:

software.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-getuname.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1b747760b52ad04a\getuname.dll.mui	software.exe
File opened for modification	C:\Windows\Fonts\vga865.fon	software.exe
File opened for modification	C:\Windows\inf\netip6.PNF	software.exe
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\COM.adml	software.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~ar-SA~7.1.7601.16492.mum	software.exe
File opened for modification	C:\Windows\winsxs\amd64_iscsi.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a0552ed24c9ed344\iscsi.inf_loc	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_907903f56635f91d\Microsoft.Build.Utilities.Resources.dll	software.exe
File opened for modification	C:\Windows\diagnostics\index\WindowsUpdateDiagnostic.xml	software.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~ko-KR~7.1.7601.16492.mum	software.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Entity.resources\3.5.0.0_ja_b77a5c561934e089\System.Web.Entity.Resources.dll	software.exe
File opened for modification	C:\Windows\inf\netnb.inf	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-help-shgloss.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_04939e52c90f6fb7\shgloss.h1s	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..rsist-rll.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e6c2563a6c988092\msdaprsr.dll.mui	software.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\System.Printing.dll	software.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Windows-WinIP-Package~31bf3856ad364e35~amd64~zh-TW~7.1.7601.16492.cat	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-dwm-adm_31bf3856ad364e35_6.1.7600.16385_none_9fc006a1b57beb3a\DWM.admx	software.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Comp46f2b404#\0a6fed4a3d60bba766a643e4bc2e5968\System.ComponentModel.DataAnnotations.ni.dll.aux	software.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Data.OracleClient.dll	software.exe
File opened for modification	C:\Windows\winsxs\amd64_mdmcxhv6.inf_31bf3856ad364e35_6.1.7600.16385_none_064a4eb4ec0af80f\VSTAZL6.SYS	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_de-de_de44258d81747ce2\RSSFeeds.js	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..libraries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_daff6e1a92334278\iisrstas.exe.mui	software.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\CustomMarshalers\e41fccd68a6543f2528f6f6118f5f7e2\CustomMarshalers.ni.dll	software.exe
File opened for modification	C:\Windows\inf\ASP.NET_4.0.30319\001F\aspnet_perf.ini	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_6.1.7600.16385_none_df4bbe8e10903104\hvgasys.fon	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-n..5linqcomp.resources_31bf3856ad364e35_6.1.7601.17514_de-de_6d6aee55bd035553\Microsoft.Build.Utilities.v3.5.resources.dll	software.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Windows.D#\de64901e4cd2074f5c70733ab5d7787a\Microsoft.Windows.Diagnosis.SDHost.ni.dll	software.exe
File opened for modification	C:\Windows\Web\Wallpaper\Architecture\img18.jpg	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.17514_none_b94cbfa183466a89\winresume.efi	software.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Text.RegularExpressions.dll	software.exe
File opened for modification	C:\Windows\Speech\Engines\SR\en-GB\l2057.phn	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-a..iles-help.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8e8e077ec9162525\Help_LinkTerm.H1K	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-network-security_31bf3856ad364e35_6.1.7601.17514_none_2b4a7558412a624a\nshwfp.dll	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-iis-metabase_31bf3856ad364e35_6.1.7601.17514_none_9757fd443892abe7\infocomm.dll	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-lsa-msprivs.resources_31bf3856ad364e35_6.1.7600.16385_pl-pl_c29b6c0480cc54b2\msprivs.dll.mui	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-travel_31bf3856ad364e35_6.1.7600.16385_none_f2a7c66510a5395d\passport_mask_left.png	software.exe
File opened for modification	C:\Windows\inf\mdmar1.PNF	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..acysnapin.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_42449c1669880ecc\certobj.dll.mui	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-fax-common.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_48268639435a097a\fyi.cov	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-help-hhomeue.resources_31bf3856ad364e35_6.1.7600.16385_en-us_fb61299949ba5537\hhomeue.h1s	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_66a6e19d9580f9e3\api-ms-win-core-sysinfo-l1-1-0.dll	software.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\System.Design.dll	software.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Common.targets	software.exe
File opened for modification	C:\Windows\ehome\ehshell.exe	software.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\1033\Microsoft.VisualBasic.Activities.CompilerUI.dll	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-c..ityclient.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ef8490c876cbbf3a\certcli.dll.mui	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..idmanager.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a87b71a591626c1f\p2p-pnrp.mfl	software.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\System.Security.dll	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..gssystems.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b7f67d67f2abb13e\oflc.rs.mui	software.exe
File opened for modification	C:\Windows\Microsoft.NET\NETFXRepair.1055.dll	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_en-us_92dafd34e62c3942\weather.css	software.exe
File opened for modification	C:\Windows\Media\Quirky\Windows Balloon.wav	software.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\fr\System.Drawing.Resources.dll	software.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\_Networkingperfcounters_v2.ini	software.exe
File opened for modification	C:\Windows\winsxs\amd64_mdmdsi.inf_31bf3856ad364e35_6.1.7600.16385_none_31d603eabdc39192\mdmdsi.inf	software.exe
File opened for modification	C:\Windows\winsxs\amd64_mdmirmdm.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_3be5dbdf02f1c126\mdmirmdm.inf_loc	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-help-storage.resources_31bf3856ad364e35_6.1.7600.16385_de-de_63ad89d168b082fc\storage.h1s	software.exe
File opened for modification	C:\Windows\Fonts\8514oemt.fon	software.exe
File opened for modification	C:\Windows\inf\hcw72b64.inf	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-msdt.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c523b554dc91a8e8\msdt.exe.mui	software.exe
File opened for modification	C:\Windows\PLA\Reports\Report.System.CPU.xml	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ponents-mdac-sqlxml_31bf3856ad364e35_6.1.7600.16385_none_75682ef78730fe19\sqlxmlx.rll	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_join.help.txt	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-photo-image-codec_31bf3856ad364e35_7.1.7601.16492_none_ee77c4d7e7879f9b\WMPhoto.dll	software.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1042\SetupResources.dll	software.exe

NTFS ADS 3 IoCs

Processes:

software.exe

description	ioc	process
File opened for modification	C:\Users\Public\Documents\My Music\ꡀ瞟ʦ諸ØC:\Users\Public\Documents\desktop.ini	software.exe
File opened for modification	C:\Users\Public\Documents\My Pictures\ꡀ瞟ʦ諸ØC:\Users\Public\Documents\desktop.ini	software.exe
File opened for modification	C:\Users\Public\Documents\My Videos\ꡀ瞟ʦ諸ØC:\Users\Public\Documents\desktop.ini	software.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

software.exe

pid	process
1268	software.exe
1268	software.exe
1268	software.exe
1268	software.exe
1268	software.exe
1268	software.exe
1268	software.exe
1268	software.exe
1268	software.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

software.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 1268 wrote to memory of 588	1268	software.exe	cmd.exe
PID 1268 wrote to memory of 588	1268	software.exe	cmd.exe
PID 1268 wrote to memory of 588	1268	software.exe	cmd.exe
PID 1268 wrote to memory of 588	1268	software.exe	cmd.exe
PID 588 wrote to memory of 636	588	cmd.exe	net.exe
PID 588 wrote to memory of 636	588	cmd.exe	net.exe
PID 588 wrote to memory of 636	588	cmd.exe	net.exe
PID 588 wrote to memory of 636	588	cmd.exe	net.exe
PID 636 wrote to memory of 560	636	net.exe	net1.exe
PID 636 wrote to memory of 560	636	net.exe	net1.exe
PID 636 wrote to memory of 560	636	net.exe	net1.exe
PID 636 wrote to memory of 560	636	net.exe	net1.exe
PID 1268 wrote to memory of 568	1268	software.exe	cmd.exe
PID 1268 wrote to memory of 568	1268	software.exe	cmd.exe
PID 1268 wrote to memory of 568	1268	software.exe	cmd.exe
PID 1268 wrote to memory of 568	1268	software.exe	cmd.exe
PID 1268 wrote to memory of 364	1268	software.exe	cmd.exe
PID 1268 wrote to memory of 364	1268	software.exe	cmd.exe
PID 1268 wrote to memory of 364	1268	software.exe	cmd.exe
PID 1268 wrote to memory of 364	1268	software.exe	cmd.exe
PID 1268 wrote to memory of 1052	1268	software.exe	cmd.exe
PID 1268 wrote to memory of 1052	1268	software.exe	cmd.exe
PID 1268 wrote to memory of 1052	1268	software.exe	cmd.exe
PID 1268 wrote to memory of 1052	1268	software.exe	cmd.exe
PID 1268 wrote to memory of 976	1268	software.exe	cmd.exe
PID 1268 wrote to memory of 976	1268	software.exe	cmd.exe
PID 1268 wrote to memory of 976	1268	software.exe	cmd.exe
PID 1268 wrote to memory of 976	1268	software.exe	cmd.exe
PID 976 wrote to memory of 1580	976	cmd.exe	net.exe
PID 976 wrote to memory of 1580	976	cmd.exe	net.exe
PID 976 wrote to memory of 1580	976	cmd.exe	net.exe
PID 976 wrote to memory of 1580	976	cmd.exe	net.exe
PID 1580 wrote to memory of 1804	1580	net.exe	net1.exe
PID 1580 wrote to memory of 1804	1580	net.exe	net1.exe
PID 1580 wrote to memory of 1804	1580	net.exe	net1.exe
PID 1580 wrote to memory of 1804	1580	net.exe	net1.exe
PID 1268 wrote to memory of 1116	1268	software.exe	cmd.exe
PID 1268 wrote to memory of 1116	1268	software.exe	cmd.exe
PID 1268 wrote to memory of 1116	1268	software.exe	cmd.exe
PID 1268 wrote to memory of 1116	1268	software.exe	cmd.exe
PID 1116 wrote to memory of 1088	1116	cmd.exe	net.exe
PID 1116 wrote to memory of 1088	1116	cmd.exe	net.exe
PID 1116 wrote to memory of 1088	1116	cmd.exe	net.exe
PID 1116 wrote to memory of 1088	1116	cmd.exe	net.exe
PID 1088 wrote to memory of 2036	1088	net.exe	net1.exe
PID 1088 wrote to memory of 2036	1088	net.exe	net1.exe
PID 1088 wrote to memory of 2036	1088	net.exe	net1.exe
PID 1088 wrote to memory of 2036	1088	net.exe	net1.exe
PID 1268 wrote to memory of 1552	1268	software.exe	cmd.exe
PID 1268 wrote to memory of 1552	1268	software.exe	cmd.exe
PID 1268 wrote to memory of 1552	1268	software.exe	cmd.exe
PID 1268 wrote to memory of 1552	1268	software.exe	cmd.exe
PID 1552 wrote to memory of 1828	1552	cmd.exe	net.exe
PID 1552 wrote to memory of 1828	1552	cmd.exe	net.exe
PID 1552 wrote to memory of 1828	1552	cmd.exe	net.exe
PID 1552 wrote to memory of 1828	1552	cmd.exe	net.exe
PID 1828 wrote to memory of 1928	1828	net.exe	net1.exe
PID 1828 wrote to memory of 1928	1828	net.exe	net1.exe
PID 1828 wrote to memory of 1928	1828	net.exe	net1.exe
PID 1828 wrote to memory of 1928	1828	net.exe	net1.exe
PID 1268 wrote to memory of 1760	1268	software.exe	cmd.exe
PID 1268 wrote to memory of 1760	1268	software.exe	cmd.exe
PID 1268 wrote to memory of 1760	1268	software.exe	cmd.exe
PID 1268 wrote to memory of 1760	1268	software.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\software.exe
"C:\Users\Admin\AppData\Local\Temp\software.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSDTC
2⤵
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\SysWOW64\net.exe
net stop MSDTC
3⤵
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSDTC
4⤵
PID:560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
2⤵
PID:364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
2⤵
PID:1052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
2⤵
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\net.exe
net stop SQLSERVERAGENT
3⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT
4⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:2036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop vds
2⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\net.exe
net stop vds
3⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vds
4⤵
PID:1928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
2⤵
PID:1760

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
2⤵
PID:476

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
PID:868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLWriter
2⤵
PID:1616

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
3⤵
PID:1488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
4⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLBrowser
2⤵
PID:1692

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
3⤵
PID:1628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
4⤵
PID:768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
PID:1216

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
PID:548

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:1960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
2⤵
PID:568

C:\Windows\SysWOW64\net.exe
net stop MSSQL$CONTOSO1
3⤵
PID:364

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$CONTOSO1
4⤵
PID:432

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x580
1⤵
PID:1624

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Decryption-Guide.txt
1⤵
PID:1412

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\Decryption-Guide.HTA"
1⤵
PID:1900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Decryption-Guide.txt
MD5
ec58d88f5be905c3a2ad080bbc9b3654

SHA1
9ab22988d5c0278b9142f8439f01723a3ef69adf

SHA256
6c8927f4f4bb5df869b51b28a7fe34434e3dda5dc19a44c0cbcca996b856f9fe

SHA512
f837d90133cba89e5d98d06e263a91aef849062f281c13aa695f4d13cc21381509f743768daebe5300c3333cb3701f688f92095310d3365e64d0b25458a8cf6c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\Decryption-Guide.HTA
MD5
875a5bc311a517ac8dfb6650a4fb3bf8

SHA1
b303f4b41837495d3825ed9deedcd33b639dbb95

SHA256
f75e01cc847e8ec9ed652bed393cc5ac34c4220ef1607c862048dd630e30499a

SHA512
0bec10bc0ad30215666c01656fb666a071525f902766257d9ccb95a4408140a75d27b61c11c6f32b7ec7abe935708ee2deb5495f34d27c7c165f3294f3f36350

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\Decryption-Guide.txt
MD5
ec58d88f5be905c3a2ad080bbc9b3654

SHA1
9ab22988d5c0278b9142f8439f01723a3ef69adf

SHA256
6c8927f4f4bb5df869b51b28a7fe34434e3dda5dc19a44c0cbcca996b856f9fe

SHA512
f837d90133cba89e5d98d06e263a91aef849062f281c13aa695f4d13cc21381509f743768daebe5300c3333cb3701f688f92095310d3365e64d0b25458a8cf6c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\Decryption-Guide.HTA
MD5
875a5bc311a517ac8dfb6650a4fb3bf8

SHA1
b303f4b41837495d3825ed9deedcd33b639dbb95

SHA256
f75e01cc847e8ec9ed652bed393cc5ac34c4220ef1607c862048dd630e30499a

SHA512
0bec10bc0ad30215666c01656fb666a071525f902766257d9ccb95a4408140a75d27b61c11c6f32b7ec7abe935708ee2deb5495f34d27c7c165f3294f3f36350

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\Decryption-Guide.txt
MD5
ec58d88f5be905c3a2ad080bbc9b3654

SHA1
9ab22988d5c0278b9142f8439f01723a3ef69adf

SHA256
6c8927f4f4bb5df869b51b28a7fe34434e3dda5dc19a44c0cbcca996b856f9fe

SHA512
f837d90133cba89e5d98d06e263a91aef849062f281c13aa695f4d13cc21381509f743768daebe5300c3333cb3701f688f92095310d3365e64d0b25458a8cf6c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Decryption-Guide.HTA
MD5
875a5bc311a517ac8dfb6650a4fb3bf8

SHA1
b303f4b41837495d3825ed9deedcd33b639dbb95

SHA256
f75e01cc847e8ec9ed652bed393cc5ac34c4220ef1607c862048dd630e30499a

SHA512
0bec10bc0ad30215666c01656fb666a071525f902766257d9ccb95a4408140a75d27b61c11c6f32b7ec7abe935708ee2deb5495f34d27c7c165f3294f3f36350

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Decryption-Guide.txt
MD5
ec58d88f5be905c3a2ad080bbc9b3654

SHA1
9ab22988d5c0278b9142f8439f01723a3ef69adf

SHA256
6c8927f4f4bb5df869b51b28a7fe34434e3dda5dc19a44c0cbcca996b856f9fe

SHA512
f837d90133cba89e5d98d06e263a91aef849062f281c13aa695f4d13cc21381509f743768daebe5300c3333cb3701f688f92095310d3365e64d0b25458a8cf6c

Download Submit
C:\Users\Admin\Desktop\Decryption-Guide.HTA
MD5
875a5bc311a517ac8dfb6650a4fb3bf8

SHA1
b303f4b41837495d3825ed9deedcd33b639dbb95

SHA256
f75e01cc847e8ec9ed652bed393cc5ac34c4220ef1607c862048dd630e30499a

SHA512
0bec10bc0ad30215666c01656fb666a071525f902766257d9ccb95a4408140a75d27b61c11c6f32b7ec7abe935708ee2deb5495f34d27c7c165f3294f3f36350

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
MD5
7b2a54732d38cd19c79c8184d6932f6f

SHA1
6d42bd8fe510e9a4ed6c13409daf4c7a49e7db04

SHA256
76fc819738acfc13818287353b2ee4c5e881d5418e7b6e20c2be03521a2b755d

SHA512
acde084716a0d9da1c0834c8bc683b98721bba6b32c843eee1010779bf51cdc9d4ff3de7a4e35ee8053f70afd7705428d4404ceaf10d597ea8e6e95be2bff0c0

Download Submit
memory/364-59-0x0000000000000000-mapping.dmp

Download
memory/364-86-0x0000000000000000-mapping.dmp

Download
memory/432-87-0x0000000000000000-mapping.dmp

Download
memory/476-73-0x0000000000000000-mapping.dmp

Download
memory/548-83-0x0000000000000000-mapping.dmp

Download
memory/560-57-0x0000000000000000-mapping.dmp

Download
memory/568-58-0x0000000000000000-mapping.dmp

Download
memory/568-85-0x0000000000000000-mapping.dmp

Download
memory/588-55-0x0000000000000000-mapping.dmp

Download
memory/636-56-0x0000000000000000-mapping.dmp

Download
memory/768-81-0x0000000000000000-mapping.dmp

Download
memory/868-74-0x0000000000000000-mapping.dmp

Download
memory/976-61-0x0000000000000000-mapping.dmp

Download
memory/1052-60-0x0000000000000000-mapping.dmp

Download
memory/1088-65-0x0000000000000000-mapping.dmp

Download
memory/1116-64-0x0000000000000000-mapping.dmp

Download
memory/1216-82-0x0000000000000000-mapping.dmp

Download
memory/1412-89-0x000007FEFC061000-0x000007FEFC063000-memory.dmp

Filesize
8KB

Download
memory/1488-77-0x0000000000000000-mapping.dmp

Download
memory/1552-67-0x0000000000000000-mapping.dmp

Download
memory/1580-62-0x0000000000000000-mapping.dmp

Download
memory/1616-76-0x0000000000000000-mapping.dmp

Download
memory/1628-80-0x0000000000000000-mapping.dmp

Download
memory/1692-79-0x0000000000000000-mapping.dmp

Download
memory/1760-70-0x0000000000000000-mapping.dmp

Download
memory/1804-63-0x0000000000000000-mapping.dmp

Download
memory/1828-68-0x0000000000000000-mapping.dmp

Download
memory/1928-69-0x0000000000000000-mapping.dmp

Download
memory/1960-84-0x0000000000000000-mapping.dmp

Download
memory/1968-78-0x0000000000000000-mapping.dmp

Download
memory/1980-71-0x0000000000000000-mapping.dmp

Download
memory/1980-72-0x0000000076081000-0x0000000076083000-memory.dmp

Filesize
8KB

Download
memory/2036-66-0x0000000000000000-mapping.dmp

Download