15fea1662d7a85e4d95fd89e36b4f02dd6657045ea9f20301130a321994504c6

Analysis

max time kernel
129s
max time network
132s
platform
windows10_x64
resource
win10-en-20211104
submitted
08/12/2021, 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

software.exe
Size

3.2MB
MD5

9bb9bef710583acc0b74b42e9c244209
SHA1

ac0cb5474c2bd21263c3758aaff6420f7380f5b6
SHA256

15fea1662d7a85e4d95fd89e36b4f02dd6657045ea9f20301130a321994504c6
SHA512

aa630dec6a967b9bbbad8425ac8afee443f7e37dbf21fe761fd3a4a27f3b78efdd92b13fd14a3e8931045d803ec52f7b1276f6534bf6b07e8ab1a4e74340ae17

Score

10^/10

evasion ransomware spyware stealer

Malware Config

Extracted

Path

C:\Decryption-Guide.txt

Ransom Note

Your Files Are Has Been Locked Your Files Has Been Encrypted with cryptography Algorithm If You Need Your Files And They are Important to You, Dont be shy Send Me an Email Send Test File + The Key File on Your System (File Exist in C:/ProgramData example : RSAKEY-SE-24r6t523 pr RSAKEY.KEY) to Make Sure Your Files Can be Restored Make an Agreement on Price with me and Pay Get Decryption Tool + RSA Key AND Instruction For Decryption Process Attention: 1- Do Not Rename or Modify The Files (You May loose That file) 2- Do Not Try To Use 3rd Party Apps or Recovery Tools ( if You want to do that make an copy from Files and try on them and Waste Your time ) 3-Do not Reinstall Operation System(Windows) You may loose the key File and Loose Your Files 4-Do Not Always Trust to Middle mans and negotiators (some of them are good but some of them agree on 4000usd for example and Asked 10000usd From Client) this Was happened Your Case ID :MJ-EA4823170659 OUR Email :[email protected]

Emails

[email protected]

Signatures

Drops file in Drivers directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\fwpkclnt.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui	software.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ImportShow.tiff	software.exe
File opened for modification	C:\Users\Admin\Pictures\ProtectReset.tiff	software.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	software.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	software.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	software.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	software.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	software.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	software.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	software.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	software.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	software.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	software.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	software.exe
File opened for modification	C:\Windows\Media\Desktop.ini	software.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	software.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	software.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	software.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	software.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	software.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	software.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	software.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	software.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	software.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	software.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	software.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	software.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	software.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu Places\desktop.ini	software.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	software.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	software.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	software.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	software.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	software.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	software.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	software.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	software.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	software.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	software.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	software.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	software.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\SystemData\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	software.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	software.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	software.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	software.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini	software.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	software.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_d271ba5a9c993ac3\eeprom_ar6320_2p1_NFA354xp_SS_EU.bin	software.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\wdma_usb.inf_loc	software.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\tokens.xml	software.exe
File opened for modification	C:\Windows\SysWOW64\AppVEntSubsystems32.dll	software.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Networking-Containers-Package~31bf3856ad364e35~amd64~fr-FR~10.0.15063.0.cat	software.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\dnsapi.dll.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\upnp.dll.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\wbem\en-US\MsDtcWmi.mfl	software.exe
File opened for modification	C:\Windows\SysWOW64\cliconfg.exe	software.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\CloudStorageWizard.exe.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\en-US\DevicePairingFolder.dll.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\fr\Microsoft.AppV.AppvClientComConsumer.resources.dll	software.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Appx\Appx.format.ps1xml	software.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\MSFT_NetAdapterIPsecOffload.Format.ps1xml	software.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\ja-JP\PSDSCxMachine.strings.psd1	software.exe
File opened for modification	C:\Windows\SysWOW64\browcli.dll	software.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-CoreSystem-Security-Package~31bf3856ad364e35~amd64~de-DE~10.0.15063.0.cat	software.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\usbxhci.inf_loc	software.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Media-Format-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\msports.inf_amd64_05d977a8d9cb7c99\serenum.sys	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiasa003.inf_amd64_a30880819970ec59\amd64\SA6X55.icc	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_d271ba5a9c993ac3\eeprom_ar6320_3p0_NFA344a_highTX_LE_3.bin	software.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\oledlg.dll.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\KBDFR.DLL	software.exe
File opened for modification	C:\Windows\SysWOW64\rasphone.exe	software.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Graphics-DirectX-Package~31bf3856ad364e35~amd64~fr-FR~10.0.15063.0.cat	software.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\devmgmt.msc	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhpcl3.inf_amd64_0e666fb8f1b0545e\amd64\hpcfltw8.dll	software.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\usbstor.inf_loc	software.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Multimedia-MF-multimedia-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnecl2.inf_amd64_fdd93c90b4633940\nepclbw.gpd	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiasa003.inf_amd64_a30880819970ec59\amd64\SA4300.icc	software.exe
File opened for modification	C:\Windows\SysWOW64\en-US\WinSyncProviders.rll.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\appwiz.cpl.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\AuthFWGP.dll	software.exe
File opened for modification	C:\Windows\SysWOW64\dpnet.dll	software.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\PhotoScreensaver.scr.mui	software.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\wdmaudio.inf_loc	software.exe
File opened for modification	C:\Windows\SysWOW64\en-US\connect.dll.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\appmgr.dll	software.exe
File opened for modification	C:\Windows\SysWOW64\vaultcli.dll	software.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-MinInput-Package~31bf3856ad364e35~amd64~fr-FR~10.0.15063.0.cat	software.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\serialui.dll.mui	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netmlx5.inf_amd64_1c5d76930978e302\netmlx5.inf	software.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\slcext.dll.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\mciseq.dll.mui	software.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Common-Dual-Drivers-onecoreuap-Package~31bf3856ad364e35~amd64~de-DE~10.0.15063.0.cat	software.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\BasicRender.inf_loc	software.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\msftedit.dll.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\en-US\acctres.dll.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\en-US\dcomcnfg.exe.mui	software.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\VAN.dll.mui	software.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-CHSIME-Binaries-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat	software.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Payments-Core-Package~31bf3856ad364e35~amd64~fr-FR~10.0.15063.0.cat	software.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-BackgroundExecution-Group-Package~31bf3856ad364e35~amd64~ja-JP~10.0.15063.0.cat	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prncacla.inf_amd64_65d72b0cf837d4c1\Amd64\CNB_0386-MANIFEST.INI	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms008.inf_amd64_6230bba6d69c81b4\Amd64\unishare3d-pipelineconfig.xml	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\usbnet.inf_amd64_c5a42cdc1adb9ade\usbnet.sys	software.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetTCPIP\MSFT_NetTransportFilter.cdxml	software.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Guest-Vpci-Package~31bf3856ad364e35~amd64~de-DE~10.0.15063.0.cat	software.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Common-DriverClasses-Package~31bf3856ad364e35~amd64~fr-FR~10.0.15063.0.cat	software.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-EditionSpecific-Education-WOW64-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat	software.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-SystemSettings-Privacy-Package~31bf3856ad364e35~amd64~de-DE~10.0.15063.0.cat	software.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhpcl4.inf_amd64_9412589272562044\amd64\hpipcl3.dll	software.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Particles\fireworks.respack	software.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-96.png	software.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-pl.xrm-ms,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag.png,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_window.html,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul-oob.xrm-ms	software.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\StoreLogo.scale-150.png	software.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook.png,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\submission_history.gif	software.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ppd.xrm-ms,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\iexplore.exe.mui	software.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\bh_60x42.png	software.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-64_altform-unplated_contrast-white.png	software.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fi-fi\ui-strings.js	software.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ppd.xrm-ms,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ul-oob.xrm-ms,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\vlc.mo	software.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OneConnectStoreLogo.scale-200.png	software.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll	software.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\PREVIEW.GIF	software.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-pl.xrm-ms,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter-down_32.svg,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\contrast-white\SmallLogo.scale-200_contrast-white.png	software.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-250.png	software.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-16.png	software.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_distributed.gif	software.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\ja-JP\TabTip32.exe.mui	software.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected],(MJ-EA4823170659)([email protected]).wixawm	software.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-multibyte-l1-1-0.dll,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\es-es\ui-strings.js,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL116.XML	software.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\MedTile.scale-125.png	software.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-125_contrast-white.png	software.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\main.css,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_ja.jar	software.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png	software.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetIQ.Diagram.Resources.dll,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_sse2_plugin.dll,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\go-mobile.png,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ppd.xrm-ms,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-pl.xrm-ms,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\da-dk\ui-strings.js	software.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\plugin.js,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\LargeTile.scale-200.png	software.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-20.png	software.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7260_24x24x32.png	software.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libGLESv2.dll	software.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ppd.xrm-ms,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ppd.xrm-ms,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.AddinTelemetry.dll,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-200.png	software.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_zh_CN.jar,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ChronologicalLetter.dotx,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspeex_resampler_plugin.dll,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons_retina.png,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\da-dk\ui-strings.js,(MJ-EA4823170659)([email protected]).wixawm	software.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml	software.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\example_icons.png	software.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxAccountsSplashLogo.scale-100.png	software.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientTools-Group-ds-Package~31bf3856ad364e35~amd64~de-DE~10.0.15063.0.mum	software.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_contrast-white.png	software.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-SmbDirect-Package~31bf3856ad364e35~amd64~~10.0.15063.0.mum	software.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Spelling-Dictionaries-en-us-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat	software.exe
File opened for modification	C:\Windows\SystemApps\ContactSupport_cw5n1h2txyewy\Assets\WideTile.scale-125.png	software.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\MicrosoftEdgeSquare44x44.scale-150.png	software.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe\Assets\Office\clone.scale-140.png	software.exe
File opened for modification	C:\Windows\PolicyDefinitions\CEIPEnable.admx	software.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Grammar\0804\SharedUIDisambig.0804.cfg	software.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt0d283adf#\c1414563a28a6b33e3b74ac893b7d986\System.Runtime.WindowsRuntime.ni.dll	software.exe
File opened for modification	C:\Windows\diagnostics\system\Speech\en-US\CL_LocalizationData.psd1	software.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-72_altform-unplated_contrast-black.png	software.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\Default.browser	software.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\de\System.Drawing.resources.dll	software.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-TFTP-Client-Package~31bf3856ad364e35~amd64~~10.0.15063.0.mum	software.exe
File opened for modification	C:\Windows\ShellExperiences\SharePickerUI.dll	software.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Non-LTSB-RegulatedPackages-Package~31bf3856ad364e35~amd64~~10.0.15063.0.mum	software.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\Settings\AAA_SettingsGroupAppSizesList.settingcontent-ms	software.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\EncryptFilesonMove.adml	software.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-OneCoreUAP-WCN-WOW64-Package~31bf3856ad364e35~amd64~fr-FR~10.0.15063.0.mum	software.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\home1.aspx.fr.resx	software.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Network-Foundation-Package~31bf3856ad364e35~amd64~ja-JP~10.0.15063.0.mum	software.exe
File opened for modification	C:\Windows\Cursors\lappstrt.cur	software.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat	software.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.mum	software.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNotePageSmallTile.scale-400.png	software.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll	software.exe
File opened for modification	C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeLargeTile.scale-100.png	software.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_msvcr100_x64	software.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-Feature-Containers-Package~31bf3856ad364e35~amd64~ja-JP~10.0.15063.0.mum	software.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Livetiles\MicrosoftSolitaireAppList.targetsize-36_altform-unplated.png	software.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\8080_36x36x32.png	software.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Audio\Skype_Call_Resume.m4a	software.exe
File opened for modification	C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\telemetryrules\hxmail.exe_Rules.xml	software.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-Guest-TimeSync-onecore-Package~31bf3856ad364e35~amd64~ja-JP~10.0.15063.0.mum	software.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Network-Foundation-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat	software.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\SrpUxSnapIn\69e09b32c2b397c42d1b86557e3aaf09\SrpUxSnapIn.ni.dll	software.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Microsoft.Advertising.dll	software.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe	software.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-OneCore-Analog-PerceptionApi-Stub-Package~31bf3856ad364e35~amd64~fr-FR~10.0.15063.0.cat	software.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Loading.htm	software.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\326_32x32x32.png	software.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-Guest-RemoteFx-onecoreuap-Package~31bf3856ad364e35~amd64~ja-JP~10.0.15063.0.mum	software.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-NCB-mergedcomponents-Package~31bf3856ad364e35~amd64~ja-JP~10.0.15063.0.cat	software.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\Settings\AAA_SystemSettings_Input_Touch_EnableVisualFeedbackPM.settingcontent-ms	software.exe
File opened for modification	C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Dark.scale-100.png	software.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_altform-unplated_contrast-white.png	software.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.InteropServices.RuntimeInformation\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.InteropServices.RuntimeInformation.dll	software.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-white_scale-100.png	software.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\_SMSvcHostPerfCounters.reg	software.exe
File opened for modification	C:\Windows\PolicyDefinitions\EventLog.admx	software.exe
File opened for modification	C:\Windows\PolicyDefinitions\fr-FR\RemovableStorage.adml	software.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-Feature-Containers-Package~31bf3856ad364e35~amd64~fr-FR~10.0.15063.0.mum	software.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\326_36x36x32.png	software.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_contrast-white.png	software.exe
File opened for modification	C:\Windows\Media\Focus4_22050hz.raw	software.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-Storage-VirtualDevice-SMB-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.mum	software.exe
File opened for modification	C:\Windows\PolicyDefinitions\MSAPolicy.admx	software.exe
File opened for modification	C:\Windows\servicing\Packages\Windows-Defender-Core-Group-Package~31bf3856ad364e35~amd64~ja-JP~10.0.15063.0.cat	software.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\oobelanguage-main.html	software.exe
File opened for modification	C:\Windows\INF\UGTHRSVC\0000\gthrctr.ini	software.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	software.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\fr\System.DirectoryServices.Resources.dll	software.exe

NTFS ADS 10 IoCs

description	ioc	Process
File opened for modification	C:\Users\All Users\Desktop\Setup\:<ϰŴA86-	software.exe
File opened for modification	C:\Users\Default\Documents\My Pictures\:<所Šoft\RT푐Š	software.exe
File opened for modification	C:\Documents and Settings\zh-TW\8:誸Ŵt.ex	software.exe
File opened for modification	C:\Documents and Settings\zh-TW\8:㛠Št.ex	software.exe
File opened for modification	C:\Users\Default\Documents\My Music\:<ਘŴoft\LNธŴ岷眶曧누	software.exe
File opened for modification	C:\Users\Default\Documents\My Pictures\:<ਘŴoft\RT뇘TŴ岷眶曧누	software.exe
File opened for modification	C:\Users\Default\Documents\My Videos\:<ਘŴoft\NP򶀓Ŵ岷眶曧누	software.exe
File opened for modification	C:\Users\All Users\Desktop\Setup\:<㨀ŠA86-	software.exe
File opened for modification	C:\Users\Default\Documents\My Music\:<所Šoft\LN偐TŠ	software.exe
File opened for modification	C:\Users\Default\Documents\My Videos\:<所Šoft\NP剠TŠ	software.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3064	software.exe
3064	software.exe
3064	software.exe
3064	software.exe
3064	software.exe
3064	software.exe
3064	software.exe
3064	software.exe
3064	software.exe
3064	software.exe
3064	software.exe
3064	software.exe
3064	software.exe
3064	software.exe
3064	software.exe
3064	software.exe
3064	software.exe
3064	software.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 3872	3064	software.exe	70
PID 3064 wrote to memory of 3872	3064	software.exe	70
PID 3064 wrote to memory of 3872	3064	software.exe	70
PID 3872 wrote to memory of 3824	3872	cmd.exe	72
PID 3872 wrote to memory of 3824	3872	cmd.exe	72
PID 3872 wrote to memory of 3824	3872	cmd.exe	72
PID 3824 wrote to memory of 348	3824	net.exe	73
PID 3824 wrote to memory of 348	3824	net.exe	73
PID 3824 wrote to memory of 348	3824	net.exe	73
PID 3064 wrote to memory of 1584	3064	software.exe	74
PID 3064 wrote to memory of 1584	3064	software.exe	74
PID 3064 wrote to memory of 1584	3064	software.exe	74
PID 3064 wrote to memory of 2300	3064	software.exe	76
PID 3064 wrote to memory of 2300	3064	software.exe	76
PID 3064 wrote to memory of 2300	3064	software.exe	76
PID 3064 wrote to memory of 60	3064	software.exe	78
PID 3064 wrote to memory of 60	3064	software.exe	78
PID 3064 wrote to memory of 60	3064	software.exe	78
PID 3064 wrote to memory of 2452	3064	software.exe	80
PID 3064 wrote to memory of 2452	3064	software.exe	80
PID 3064 wrote to memory of 2452	3064	software.exe	80
PID 2452 wrote to memory of 660	2452	cmd.exe	82
PID 2452 wrote to memory of 660	2452	cmd.exe	82
PID 2452 wrote to memory of 660	2452	cmd.exe	82
PID 660 wrote to memory of 1508	660	net.exe	83
PID 660 wrote to memory of 1508	660	net.exe	83
PID 660 wrote to memory of 1508	660	net.exe	83
PID 3064 wrote to memory of 4064	3064	software.exe	84
PID 3064 wrote to memory of 4064	3064	software.exe	84
PID 3064 wrote to memory of 4064	3064	software.exe	84
PID 4064 wrote to memory of 2784	4064	cmd.exe	86
PID 4064 wrote to memory of 2784	4064	cmd.exe	86
PID 4064 wrote to memory of 2784	4064	cmd.exe	86
PID 2784 wrote to memory of 2160	2784	net.exe	87
PID 2784 wrote to memory of 2160	2784	net.exe	87
PID 2784 wrote to memory of 2160	2784	net.exe	87
PID 3064 wrote to memory of 1568	3064	software.exe	88
PID 3064 wrote to memory of 1568	3064	software.exe	88
PID 3064 wrote to memory of 1568	3064	software.exe	88
PID 1568 wrote to memory of 2708	1568	cmd.exe	90
PID 1568 wrote to memory of 2708	1568	cmd.exe	90
PID 1568 wrote to memory of 2708	1568	cmd.exe	90
PID 2708 wrote to memory of 1116	2708	net.exe	91
PID 2708 wrote to memory of 1116	2708	net.exe	91
PID 2708 wrote to memory of 1116	2708	net.exe	91
PID 3064 wrote to memory of 496	3064	software.exe	92
PID 3064 wrote to memory of 496	3064	software.exe	92
PID 3064 wrote to memory of 496	3064	software.exe	92
PID 496 wrote to memory of 3468	496	cmd.exe	94
PID 496 wrote to memory of 3468	496	cmd.exe	94
PID 496 wrote to memory of 3468	496	cmd.exe	94
PID 3064 wrote to memory of 1016	3064	software.exe	95
PID 3064 wrote to memory of 1016	3064	software.exe	95
PID 3064 wrote to memory of 1016	3064	software.exe	95
PID 1016 wrote to memory of 3396	1016	cmd.exe	97
PID 1016 wrote to memory of 3396	1016	cmd.exe	97
PID 1016 wrote to memory of 3396	1016	cmd.exe	97
PID 3064 wrote to memory of 4060	3064	software.exe	98
PID 3064 wrote to memory of 4060	3064	software.exe	98
PID 3064 wrote to memory of 4060	3064	software.exe	98
PID 4060 wrote to memory of 2252	4060	cmd.exe	100
PID 4060 wrote to memory of 2252	4060	cmd.exe	100
PID 4060 wrote to memory of 2252	4060	cmd.exe	100
PID 2252 wrote to memory of 3260	2252	net.exe	101

C:\Users\Admin\AppData\Local\Temp\software.exe
"C:\Users\Admin\AppData\Local\Temp\software.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3824
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:2300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:60
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:660
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:1508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:2160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:1116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:496
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:3468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:3396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:3260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  PID:2060
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    PID:3404
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:2372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:3348
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:2936
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:3448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  PID:692
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    PID:2220
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:2216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads