xmrig | 15fea1662d7a85e4d95fd89e36b4f02dd6657045ea9f20301130a321994504c6

Analysis

max time kernel
131s
max time network
225s
platform
windows7_x64
resource
win7-en-20211014
submitted
08/12/2021, 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

software.exe
Size

3.2MB
MD5

9bb9bef710583acc0b74b42e9c244209
SHA1

ac0cb5474c2bd21263c3758aaff6420f7380f5b6
SHA256

15fea1662d7a85e4d95fd89e36b4f02dd6657045ea9f20301130a321994504c6
SHA512

aa630dec6a967b9bbbad8425ac8afee443f7e37dbf21fe761fd3a4a27f3b78efdd92b13fd14a3e8931045d803ec52f7b1276f6534bf6b07e8ab1a4e74340ae17

Score

10^/10

xmrig evasion miner ransomware spyware stealer

Malware Config

Extracted

Path

C:\Decryption-Guide.txt

Ransom Note

Your Files Are Has Been Locked Your Files Has Been Encrypted with cryptography Algorithm If You Need Your Files And They are Important to You, Dont be shy Send Me an Email Send Test File + The Key File on Your System (File Exist in C:/ProgramData example : RSAKEY-SE-24r6t523 pr RSAKEY.KEY) to Make Sure Your Files Can be Restored Make an Agreement on Price with me and Pay Get Decryption Tool + RSA Key AND Instruction For Decryption Process Attention: 1- Do Not Rename or Modify The Files (You May loose That file) 2- Do Not Try To Use 3rd Party Apps or Recovery Tools ( if You want to do that make an copy from Files and try on them and Waste Your time ) 3-Do not Reinstall Operation System(Windows) You may loose the key File and Loose Your Files 4-Do Not Always Trust to Middle mans and negotiators (some of them are good but some of them agree on 4000usd for example and Asked 10000usd From Client) this Was happened Your Case ID :MJ-VB6702958413 OUR Email :[email protected]

Emails

[email protected]

Extracted

Path

C:\Users\Admin\Desktop\Decryption-Guide.HTA

Ransom Note

Your Files Are Has Been Locked Your Files Has Been Encrypted with cryptography Algorithm If You Need Your Files And They are Important to You, Dont be shy Send Me an Email Send Test File + The Key File on Your System (File Exist in C:/ProgramData example : KEY-SE-24r6t523 or RSAKEY.KEY) to Make Sure Your Files Can be Restored Make an Agreement on Price with me and Pay Get Decryption Tool + RSA Key AND Instruction For Decryption Process Attention: 1- Do Not Rename or Modify The Files (You May loose That file) 2- Do Not Try To Use 3rd Party Apps or Recovery Tools ( if You want to do that make an copy from Files and try on them and Waste Your time ) 3-Do not Reinstall Operation System(Windows) You may loose the key File and Loose Your Files 4-Do Not Always Trust to Middle mans and negotiators (some of them are good but some of them agree on 4000usd for example and Asked 10000usd From Client) this Was happened Your Case ID : MJ-VB6702958413 Our Email:[email protected]

Emails

Email:[email protected]

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Drops file in Drivers directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	software.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	software.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	software.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	software.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	software.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	software.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	software.exe
File created	C:\Users\Admin\Links\desktop.ini	software.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2955169046-2371869340-1800780948-1000\desktop.ini	software.exe
File opened for modification	C:\Windows\Media\Garden\Desktop.ini	software.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.2.9600.16428_none_197d7b3a29314757\desktop.ini	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-sonata_31bf3856ad364e35_6.1.7600.16385_none_201752c112c5078c\Desktop.ini	software.exe
File opened for modification	C:\Windows\Media\Quirky\Desktop.ini	software.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\39RGOTWW\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	software.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	software.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	software.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	software.exe
File created	C:\Users\Admin\Searches\desktop.ini	software.exe
File opened for modification	C:\Windows\Media\Characters\Desktop.ini	software.exe
File opened for modification	C:\Windows\Media\Landscape\Desktop.ini	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_6.1.7600.16385_none_61fc91b36f901b87\Desktop.ini	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_6.1.7600.16385_none_7ca09f65fd387e58\Desktop.ini	software.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	software.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	software.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	software.exe
File created	C:\Users\Admin\Downloads\desktop.ini	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_6.1.7600.16385_none_bf396ba9226e0702\Desktop.ini	software.exe
File created	C:\Program Files\desktop.ini	software.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	software.exe
File opened for modification	C:\Users\Public\desktop.ini	software.exe
File created	C:\Users\Admin\Favorites\Links for United States\desktop.ini	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_6.1.7600.16385_none_7ff91f5d2dd6c770\Desktop.ini	software.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	software.exe
File opened for modification	C:\Windows\Media\Heritage\Desktop.ini	software.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	software.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	software.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	software.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenes\Desktop.ini	software.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	software.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\desktop.ini	software.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	software.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	software.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\B30T6PBA\desktop.ini	software.exe
File opened for modification	C:\Windows\Web\Wallpaper\Landscapes\Desktop.ini	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-landscapes_31bf3856ad364e35_6.1.7600.16385_none_e57abb2f66db71a9\Desktop.ini	software.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	software.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	software.exe
File created	C:\Users\Public\Recorded TV\desktop.ini	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-gb-links-component_31bf3856ad364e35_6.1.7601.17514_none_0ea01e97df141032\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	software.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	software.exe
File created	C:\Users\Admin\Music\desktop.ini	software.exe
File created	C:\Program Files\Microsoft Games\Hearts\desktop.ini	software.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	software.exe
File created	C:\Program Files\Microsoft Games\Chess\desktop.ini	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	software.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	software.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	software.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	software.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\de-DE\netxex64.inf_loc	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\BRD357C.GPD	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky008.inf_amd64_neutral_9f6abc54cbf095f2\prnky008.PNF	software.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\wusa.exe.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\rnr20.dll	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hpoa1so.inf_amd64_neutral_4f1a3f1015001339\hpoa1so.PNF	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky306.inf_amd64_ja-jp_97f0de39317f6837\prnky306.inf	software.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\RMActivate_ssp_isv.exe.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-IasServer-MigPlugin\IasMigPlugin.dll	software.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\fltMC.exe.mui	software.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\netevbda.inf_loc	software.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\0003\_setup.dll	software.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-WinIP-Package~31bf3856ad364e35~amd64~it-IT~7.1.7601.16492.cat	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmhayes.inf_amd64_neutral_507db5d34d7acddc\mdmhayes.inf	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netg664.inf_amd64_neutral_b4e8ccc6ba210e97\SiSG664.sys	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngt004.inf_amd64_neutral_f5bf8a7ba9dfff55\Amd64\GS1431E3.PPD	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpf4200t.gpd	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smpsrd1.dll	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiaca00b.inf_amd64_neutral_1aaa057d3d52ea43\CNHW07A.DLL	software.exe
File opened for modification	C:\Windows\SysWOW64\en-US\iphlpsvc.dll.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\prntvpt.dll	software.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\Microsoft.Wsman.Management.dll-Help.xml	software.exe
File opened for modification	C:\Windows\SysWOW64\en-US\regsvr32.exe.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\mmci.dll.mui	software.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\netserv.inf_loc	software.exe
File opened for modification	C:\Windows\SysWOW64\wbem\de-DE\auxiliarydisplaycpl.mfl	software.exe
File opened for modification	C:\Windows\SysWOW64\mlang.dat	software.exe
File opened for modification	C:\Windows\SysWOW64\dpmodemx.dll	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00b.inf_amd64_neutral_2e6b718b2b177506\Amd64\EP0NGX8M.GPD	software.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\terminalservices-licenseserver-DL.man	software.exe
File opened for modification	C:\Windows\SysWOW64\appmgr.dll	software.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\prnlx00v.inf_loc	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpbsnewm.gpd	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa620t.xml	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\umbus.inf_amd64_neutral_2d4257afa2e35253\umbus.inf	software.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\sdiagnhost.exe.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\cmmon32.exe.mui	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\amdsata.inf_amd64_neutral_67db50590108ebd9\amdsata.sys	software.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\System.Management.Automation.dll-Help.xml	software.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00e.inf_amd64_neutral_edc631ff41a34218\Amd64\EP0NGWAA.GPD	software.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\net1kx64.inf_loc	software.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\hostname.exe.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\sppcomapi.dll.mui	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO6200T.GPD	software.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\ks.inf_loc	software.exe
File opened for modification	C:\Windows\SysWOW64\spp.dll	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc4340t.exp	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsv004.inf_amd64_neutral_fc4526bbfbd5feb1\Amd64\SAC20203.PPD	software.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\wscsvc.dll.mui	software.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SearchEngine-Client-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat	software.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\DisplaySwitch.exe.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\poqexec.exe.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\pots.dll.mui	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\cxfalcon_ibv64.inf_amd64_neutral_d065aec3fcf4ec4e\cpnotify_IBV64.ax	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\hpmcpap6.gpd	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_neutral_9b214cd9b78760aa\prnms001.PNF	software.exe
File opened for modification	C:\Windows\System32\catroot2\edb005DC.log	software.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\perfmon.exe.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\wbem\fr-FR\WmiPerfClass.dll.mui	software.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\volume.inf_loc	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prncs302.inf_amd64_ja-jp_96eca15be06b1482\Amd64\CSN36J.GPD	software.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\prnrc006.inf_loc	software.exe
File opened for modification	C:\Windows\SysWOW64\en-US\hid.dll.mui	software.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	software.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\MTEXTRA.TTF	software.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_ja_4.4.0.v20140623020002.jar,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\AXIS.INF,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\Java\jre7\lib\management\management.properties,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImage.jpg	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0285410.WMF,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Port_of_Spain	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.properties	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00513_.WMF,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00784_.WMF,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0185604.WMF,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_zh_CN.jar	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-attach.jar	software.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.STD,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\HEADINGBB.DPV	software.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00098_.WMF,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REMOTE.CFG,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-6	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\Parity.fx	software.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_mmx_plugin.dll,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Riga	software.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKACCL.ICO,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15072_.GIF	software.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\STUDIO.INF,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21398_.GIF,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115865.GIF,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv	software.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif	software.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libfaad_plugin.dll,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libwingdi_plugin.dll,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\HEADER.GIF	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jpeg.dll,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\vlc.mo,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS.HXS,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewFrame.html	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0234657.WMF,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectToolsetIconImages.jpg,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\PACBELL.NET.XML,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099178.WMF,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Foundry.thmx,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV_COL.HXC	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01777_.WMF	software.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-14,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-annotations-common.jar,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF	software.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\ja-JP\sbdrop.dll.mui	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\ED00184_.WMF,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif	software.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEODEXL.DLL	software.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImagesMask.bmp,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Conversion.v3.5.resources.dll	software.exe
File opened for modification	C:\Program Files\Mozilla Firefox\IA2Marshal.dll,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152716.WMF	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIDEBARBB.POC	software.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105246.WMF,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MUAUTH.CAB	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-actions.jar	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+5,(MJ-VB6702958413)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\smtp.jar,(MJ-VB6702958413)([email protected]).wixawm	software.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-getuname.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1b747760b52ad04a\getuname.dll.mui	software.exe
File opened for modification	C:\Windows\Fonts\vga865.fon	software.exe
File opened for modification	C:\Windows\inf\netip6.PNF	software.exe
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\COM.adml	software.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~ar-SA~7.1.7601.16492.mum	software.exe
File opened for modification	C:\Windows\winsxs\amd64_iscsi.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a0552ed24c9ed344\iscsi.inf_loc	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_907903f56635f91d\Microsoft.Build.Utilities.Resources.dll	software.exe
File opened for modification	C:\Windows\diagnostics\index\WindowsUpdateDiagnostic.xml	software.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~ko-KR~7.1.7601.16492.mum	software.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Entity.resources\3.5.0.0_ja_b77a5c561934e089\System.Web.Entity.Resources.dll	software.exe
File opened for modification	C:\Windows\inf\netnb.inf	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-help-shgloss.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_04939e52c90f6fb7\shgloss.h1s	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..rsist-rll.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e6c2563a6c988092\msdaprsr.dll.mui	software.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\System.Printing.dll	software.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Windows-WinIP-Package~31bf3856ad364e35~amd64~zh-TW~7.1.7601.16492.cat	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-dwm-adm_31bf3856ad364e35_6.1.7600.16385_none_9fc006a1b57beb3a\DWM.admx	software.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Comp46f2b404#\0a6fed4a3d60bba766a643e4bc2e5968\System.ComponentModel.DataAnnotations.ni.dll.aux	software.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Data.OracleClient.dll	software.exe
File opened for modification	C:\Windows\winsxs\amd64_mdmcxhv6.inf_31bf3856ad364e35_6.1.7600.16385_none_064a4eb4ec0af80f\VSTAZL6.SYS	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_de-de_de44258d81747ce2\RSSFeeds.js	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..libraries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_daff6e1a92334278\iisrstas.exe.mui	software.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\CustomMarshalers\e41fccd68a6543f2528f6f6118f5f7e2\CustomMarshalers.ni.dll	software.exe
File opened for modification	C:\Windows\inf\ASP.NET_4.0.30319\001F\aspnet_perf.ini	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_6.1.7600.16385_none_df4bbe8e10903104\hvgasys.fon	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-n..5linqcomp.resources_31bf3856ad364e35_6.1.7601.17514_de-de_6d6aee55bd035553\Microsoft.Build.Utilities.v3.5.resources.dll	software.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Windows.D#\de64901e4cd2074f5c70733ab5d7787a\Microsoft.Windows.Diagnosis.SDHost.ni.dll	software.exe
File opened for modification	C:\Windows\Web\Wallpaper\Architecture\img18.jpg	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.17514_none_b94cbfa183466a89\winresume.efi	software.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Text.RegularExpressions.dll	software.exe
File opened for modification	C:\Windows\Speech\Engines\SR\en-GB\l2057.phn	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-a..iles-help.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8e8e077ec9162525\Help_LinkTerm.H1K	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-network-security_31bf3856ad364e35_6.1.7601.17514_none_2b4a7558412a624a\nshwfp.dll	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-iis-metabase_31bf3856ad364e35_6.1.7601.17514_none_9757fd443892abe7\infocomm.dll	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-lsa-msprivs.resources_31bf3856ad364e35_6.1.7600.16385_pl-pl_c29b6c0480cc54b2\msprivs.dll.mui	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-travel_31bf3856ad364e35_6.1.7600.16385_none_f2a7c66510a5395d\passport_mask_left.png	software.exe
File opened for modification	C:\Windows\inf\mdmar1.PNF	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..acysnapin.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_42449c1669880ecc\certobj.dll.mui	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-fax-common.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_48268639435a097a\fyi.cov	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-help-hhomeue.resources_31bf3856ad364e35_6.1.7600.16385_en-us_fb61299949ba5537\hhomeue.h1s	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_66a6e19d9580f9e3\api-ms-win-core-sysinfo-l1-1-0.dll	software.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\System.Design.dll	software.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Common.targets	software.exe
File opened for modification	C:\Windows\ehome\ehshell.exe	software.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\1033\Microsoft.VisualBasic.Activities.CompilerUI.dll	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-c..ityclient.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ef8490c876cbbf3a\certcli.dll.mui	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..idmanager.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a87b71a591626c1f\p2p-pnrp.mfl	software.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\System.Security.dll	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..gssystems.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b7f67d67f2abb13e\oflc.rs.mui	software.exe
File opened for modification	C:\Windows\Microsoft.NET\NETFXRepair.1055.dll	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_en-us_92dafd34e62c3942\weather.css	software.exe
File opened for modification	C:\Windows\Media\Quirky\Windows Balloon.wav	software.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\fr\System.Drawing.Resources.dll	software.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\_Networkingperfcounters_v2.ini	software.exe
File opened for modification	C:\Windows\winsxs\amd64_mdmdsi.inf_31bf3856ad364e35_6.1.7600.16385_none_31d603eabdc39192\mdmdsi.inf	software.exe
File opened for modification	C:\Windows\winsxs\amd64_mdmirmdm.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_3be5dbdf02f1c126\mdmirmdm.inf_loc	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-help-storage.resources_31bf3856ad364e35_6.1.7600.16385_de-de_63ad89d168b082fc\storage.h1s	software.exe
File opened for modification	C:\Windows\Fonts\8514oemt.fon	software.exe
File opened for modification	C:\Windows\inf\hcw72b64.inf	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-msdt.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c523b554dc91a8e8\msdt.exe.mui	software.exe
File opened for modification	C:\Windows\PLA\Reports\Report.System.CPU.xml	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ponents-mdac-sqlxml_31bf3856ad364e35_6.1.7600.16385_none_75682ef78730fe19\sqlxmlx.rll	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_join.help.txt	software.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-photo-image-codec_31bf3856ad364e35_7.1.7601.16492_none_ee77c4d7e7879f9b\WMPhoto.dll	software.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1042\SetupResources.dll	software.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Documents\My Music\ꡀ瞟ʦ諸ØC:\Users\Public\Documents\desktop.ini	software.exe
File opened for modification	C:\Users\Public\Documents\My Pictures\ꡀ瞟ʦ諸ØC:\Users\Public\Documents\desktop.ini	software.exe
File opened for modification	C:\Users\Public\Documents\My Videos\ꡀ瞟ʦ諸ØC:\Users\Public\Documents\desktop.ini	software.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1268	software.exe
1268	software.exe
1268	software.exe
1268	software.exe
1268	software.exe
1268	software.exe
1268	software.exe
1268	software.exe
1268	software.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 588	1268	software.exe	29
PID 1268 wrote to memory of 588	1268	software.exe	29
PID 1268 wrote to memory of 588	1268	software.exe	29
PID 1268 wrote to memory of 588	1268	software.exe	29
PID 588 wrote to memory of 636	588	cmd.exe	31
PID 588 wrote to memory of 636	588	cmd.exe	31
PID 588 wrote to memory of 636	588	cmd.exe	31
PID 588 wrote to memory of 636	588	cmd.exe	31
PID 636 wrote to memory of 560	636	net.exe	32
PID 636 wrote to memory of 560	636	net.exe	32
PID 636 wrote to memory of 560	636	net.exe	32
PID 636 wrote to memory of 560	636	net.exe	32
PID 1268 wrote to memory of 568	1268	software.exe	34
PID 1268 wrote to memory of 568	1268	software.exe	34
PID 1268 wrote to memory of 568	1268	software.exe	34
PID 1268 wrote to memory of 568	1268	software.exe	34
PID 1268 wrote to memory of 364	1268	software.exe	35
PID 1268 wrote to memory of 364	1268	software.exe	35
PID 1268 wrote to memory of 364	1268	software.exe	35
PID 1268 wrote to memory of 364	1268	software.exe	35
PID 1268 wrote to memory of 1052	1268	software.exe	37
PID 1268 wrote to memory of 1052	1268	software.exe	37
PID 1268 wrote to memory of 1052	1268	software.exe	37
PID 1268 wrote to memory of 1052	1268	software.exe	37
PID 1268 wrote to memory of 976	1268	software.exe	39
PID 1268 wrote to memory of 976	1268	software.exe	39
PID 1268 wrote to memory of 976	1268	software.exe	39
PID 1268 wrote to memory of 976	1268	software.exe	39
PID 976 wrote to memory of 1580	976	cmd.exe	41
PID 976 wrote to memory of 1580	976	cmd.exe	41
PID 976 wrote to memory of 1580	976	cmd.exe	41
PID 976 wrote to memory of 1580	976	cmd.exe	41
PID 1580 wrote to memory of 1804	1580	net.exe	42
PID 1580 wrote to memory of 1804	1580	net.exe	42
PID 1580 wrote to memory of 1804	1580	net.exe	42
PID 1580 wrote to memory of 1804	1580	net.exe	42
PID 1268 wrote to memory of 1116	1268	software.exe	44
PID 1268 wrote to memory of 1116	1268	software.exe	44
PID 1268 wrote to memory of 1116	1268	software.exe	44
PID 1268 wrote to memory of 1116	1268	software.exe	44
PID 1116 wrote to memory of 1088	1116	cmd.exe	45
PID 1116 wrote to memory of 1088	1116	cmd.exe	45
PID 1116 wrote to memory of 1088	1116	cmd.exe	45
PID 1116 wrote to memory of 1088	1116	cmd.exe	45
PID 1088 wrote to memory of 2036	1088	net.exe	46
PID 1088 wrote to memory of 2036	1088	net.exe	46
PID 1088 wrote to memory of 2036	1088	net.exe	46
PID 1088 wrote to memory of 2036	1088	net.exe	46
PID 1268 wrote to memory of 1552	1268	software.exe	47
PID 1268 wrote to memory of 1552	1268	software.exe	47
PID 1268 wrote to memory of 1552	1268	software.exe	47
PID 1268 wrote to memory of 1552	1268	software.exe	47
PID 1552 wrote to memory of 1828	1552	cmd.exe	49
PID 1552 wrote to memory of 1828	1552	cmd.exe	49
PID 1552 wrote to memory of 1828	1552	cmd.exe	49
PID 1552 wrote to memory of 1828	1552	cmd.exe	49
PID 1828 wrote to memory of 1928	1828	net.exe	50
PID 1828 wrote to memory of 1928	1828	net.exe	50
PID 1828 wrote to memory of 1928	1828	net.exe	50
PID 1828 wrote to memory of 1928	1828	net.exe	50
PID 1268 wrote to memory of 1760	1268	software.exe	51
PID 1268 wrote to memory of 1760	1268	software.exe	51
PID 1268 wrote to memory of 1760	1268	software.exe	51
PID 1268 wrote to memory of 1760	1268	software.exe	51

C:\Users\Admin\AppData\Local\Temp\software.exe
"C:\Users\Admin\AppData\Local\Temp\software.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:588
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:636
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:1052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:1804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1088
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:2036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:1928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:1760
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:1980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  PID:476
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    PID:1488
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:1968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  PID:1692
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    PID:1628
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:1216
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:548
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  PID:568
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    PID:364
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:432

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x580
1⤵
PID:1624

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Decryption-Guide.txt
1⤵
PID:1412

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\Decryption-Guide.HTA"
1⤵
PID:1900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1412-89-0x000007FEFC061000-0x000007FEFC063000-memory.dmp

Filesize
8KB

Download
memory/1980-72-0x0000000076081000-0x0000000076083000-memory.dmp

Filesize
8KB

Download