ouroboros | c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa

Analysis

max time kernel
138s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
Size

1011KB
MD5

73528b74e4edb1c32a4d88abe34ae437
SHA1

b97c0fc8a34e88c03704e43829c550d765398a3c
SHA256

c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa
SHA512

523cd56a44e91fc3084b76d68dbce6e77dac190716833cce455d2091894b403def7132475ec748b0d26fed90a4fcfc5d5f65f0eba098bc7d8ac4853ae9e547ec

Score

10^/10

ouroboros evasion ransomware spyware stealer

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\DenyOpen.tiff	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\Pictures\ResetSend.tiff	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\Pictures\TestEnter.tiff	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\Pictures\WatchPublish.tiff	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T2CDOEA4\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\$Recycle.Bin\S-1-5-21-1083475884-596052423-1669053738-1000\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\Cookies\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1083475884-596052423-1669053738-1000\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\Microsoft Games\Hearts\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\Microsoft Games\Chess\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\N6KW9TJE\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VP7YQ4XO\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

description	flow	ioc
HTTP URL	2	http://www.sfml-dev.org/ip-provider.php

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\regedit.exe	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Marengo.Email=[[email protected]]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\Microsoft Games\Purble Place\de-DE\PurblePlace.exe.mui.Email=[[email protected]]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\DenyPop.xht	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_right.png	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libaddonsfsstorage_plugin.dll.Email=[[email protected]]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_ja_4.4.0.v20140623020002.jar	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\ShvlRes.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\gui\libqt_plugin.dll.Email=[[email protected]]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\clock.js	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\cacerts.Email=[[email protected]]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_rest.png	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105280.WMF	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_ja.jar.Email=[[email protected]]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libwaveout_plugin.dll.Email=[[email protected]]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\SPLASH.WAV	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.Client.resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_foggy.png	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\BASMLA.XSL	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.shell_0.10.0.v201212101605.jar.Email=[[email protected]]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RTFHTML.DLL	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml.Email=[[email protected]]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-3.Email=[[email protected]]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\host.luac.Email=[[email protected]]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\EditUnpublish.svgz.Email=[[email protected]]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt.Email=[[email protected]]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kuala_Lumpur	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Luxembourg	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.util.gui_1.7.0.v200903091627.jar.Email=[[email protected]]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ACCDDSUI.DLL	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\bckgzm.exe.mui.Email=[[email protected]]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libddummy_plugin.dll.Email=[[email protected]]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIconSubpictur.png	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Faroe	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\liblive555_plugin.dll.Email=[[email protected]]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jre7\release.Email=[[email protected]]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\Java\jre7\bin\npt.dll.Email=[[email protected]]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\15x15dot.png	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\profilerinterface.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1AR.LEX.Email=[[email protected]]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Microsoft.VisualStudio.Tools.Applications.ComRPCChannel.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\SplitLimit.MTS	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox_1.0.500.v20131211-1531.jar	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-io-ui.xml_hidden	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01299_.GIF	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.WPG	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msjro.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00392_.WMF	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_ja_4.4.0.v20140623020002.jar	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\bckgzm.exe.mui.Email=[[email protected]]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.Email=[[email protected]]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107264.WMF	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Custom.propdesc	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OneNoteSyncPC.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Abstractions.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\service.js	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_standard_plugin.dll.Email=[[email protected]]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_highlights_Thumbnail.bmp	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Winnipeg	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\system.runtime.serialization.resources\3.0.0.0_ja_b77a5c561934e089\System.RunTime.Serialization.Resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\TaskScheduler.Resources\6.1.0.0_ja_31bf3856ad364e35\TaskScheduler.resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationFramewo#\495f263cbca8e7d0462ee309a634e115\PresentationFramework.Luna.ni.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\14afe54e24cf09fe6c371fc47cfabf0e\Microsoft.Build.Engine.ni.dll.Email=[[email protected]]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.PowerPoint\14.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.PowerPoint.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Entity\831aa231315a31ed3efeba1feb3bb936\System.Data.Entity.ni.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.ApplicationId.Framework.Resources\6.1.0.0_fr_31bf3856ad364e35\Microsoft.ApplicationId.Framework.Resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Security.resources\2.0.0.0_de_b03f5f7f11d50a3a\System.Security.Resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationUI\efec1926513ece87ff644670cdd80031\PresentationUI.ni.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Acti2661942e#\84846480d6281bf831a97d07f712d09e\System.Activities.DurableInstancing.ni.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\WindowsShell.Manifest	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\napsnap.resources\6.1.0.0_fr_31bf3856ad364e35\napsnap.resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.Bu#\dc575bdefe4a3442f165f8418535d9af\Microsoft.Office.BusinessApplications.Runtime.ni.dll.Email=[[email protected]]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Wind0de890be#\d5f4765d7a361b979d8998c5072ffa01\System.Windows.Forms.DataVisualization.ni.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessApplications.Runtime\14.0.0.0__71e9bce111e9429c\Microsoft.Office.BusinessApplications.Runtime.dll.Email=[[email protected]]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.GroupPoli#\da42912f997fae780054f0c3a6b47fea\Microsoft.GroupPolicy.Reporting.ni.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1288d7e030bc0c5d8b2cbe5f33aeed7f\System.Data.ni.dll.aux	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_64\naphlpr\6.1.0.0__31bf3856ad364e35\NAPHLPR.DLL	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\38c67260f10996153532695d39649e6b\Microsoft.VisualBasic.ni.dll.aux	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Transacti#\22b5364c10d315a7f0a1fbd23f671c5a\Microsoft.Transactions.Bridge.Dtc.ni.dll.Email=[[email protected]]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Mobile\9a3936273fb6a2e93b67f53c605d69df\System.Web.Mobile.ni.dll.aux	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\fveupdate.exe	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\sysglobl.resources\2.0.0.0_fr_b03f5f7f11d50a3a\sysglobl.resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Data.Entity.Design.resources\3.5.0.0_fr_b77a5c561934e089\System.Data.Entity.Design.Resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\WindowsBase.resources\3.0.0.0_de_31bf3856ad364e35\WindowsBase.resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\56a7faf970109dc1dc6b76f643d93c5f\ehiActivScp.ni.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehshell\d1dc67c666bc15291be843bd67cd2a2e\ehshell.ni.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.IdentityModel\710a5c9e16388ca7a722211f4d4867aa\System.IdentityModel.ni.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.Resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\bfaf8f86e69928fb2f67987c0203f603\PresentationFramework.ni.dll.Email=[[email protected]]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\mcstore\67c2902f53638a9056174f6130a8bde7\mcstore.ni.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Linq\bb69e031fd35b02403c7c22ea5c8e4d4\System.Data.Linq.ni.dll.aux	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.SDHost.Resources\1.0.0.0_it_31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDHost.resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Drawing.resources\2.0.0.0_it_b03f5f7f11d50a3a\System.Drawing.Resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.DynamicData.Design\3.5.0.0__31bf3856ad364e35\System.Web.DynamicData.Design.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\system.workflow.runtime.resources\3.0.0.0_es_31bf3856ad364e35\System.Workflow.Runtime.resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio53a7a42c#\bec5113e390005d3c5767dc09fdb6308\PresentationFramework.AeroLite.ni.dll.aux	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_64\Policy.1.0.Microsoft.Interop.Security.AzRoles\6.1.7600.16385__31bf3856ad364e35\Policy.1.0.Microsoft.Interop.Security.AzRoles.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\wpfgfx_v0300.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause.Resources\1.0.0.0_ja_31bf3856ad364e35\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause.resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\MiguiControls.Resources\1.0.0.0_it_31bf3856ad364e35\MIGUIControls.resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_es_b77a5c561934e089\mscorlib.Resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Abstractions.resources\3.5.0.0_de_31bf3856ad364e35\System.Web.Abstractions.Resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Data.SqlServerCe\3.5.1.0__89845dcd8080cc91\System.Data.SqlServerCe.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols.resources\2.0.0.0_ja_b03f5f7f11d50a3a\System.DirectoryServices.Protocols.resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Policy.1.0.Microsoft.Ink.config	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Runtime.v10.0\10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Office.Runtime.v10.0.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Access.Dao\14.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.Access.Dao.config	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiProxy\50691bdee045a2df00f00ac461844c5f\ehiProxy.ni.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Messaging\b9894ff5da01b06ecbdb489cf34439d4\System.Messaging.ni.dll.aux	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\PFRO.log	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\EventViewer.Resources\6.1.0.0_fr_31bf3856ad364e35\EventViewer.resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessApplications.SyncServices\14.0.0.0__71e9bce111e9429c\Microsoft.Office.BusinessApplications.SyncServices.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Entity.resources\3.5.0.0_fr_b77a5c561934e089\System.Web.Entity.Resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatiob3047ded#\db7f29ce66da5498e9ae3b5eb88e40a6\PresentationFramework.Royale.ni.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ehiiTV\6.1.0.0__31bf3856ad364e35\ehiiTV.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting.resources\2.0.0.0_de_b77a5c561934e089\System.Runtime.Remoting.Resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 1944	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	29
PID 1864 wrote to memory of 1944	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	29
PID 1864 wrote to memory of 1944	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	29
PID 1864 wrote to memory of 1944	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	29
PID 1944 wrote to memory of 1112	1944	cmd.exe	31
PID 1944 wrote to memory of 1112	1944	cmd.exe	31
PID 1944 wrote to memory of 1112	1944	cmd.exe	31
PID 1944 wrote to memory of 1112	1944	cmd.exe	31
PID 1112 wrote to memory of 1688	1112	net.exe	32
PID 1112 wrote to memory of 1688	1112	net.exe	32
PID 1112 wrote to memory of 1688	1112	net.exe	32
PID 1112 wrote to memory of 1688	1112	net.exe	32
PID 1864 wrote to memory of 1696	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	33
PID 1864 wrote to memory of 1696	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	33
PID 1864 wrote to memory of 1696	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	33
PID 1864 wrote to memory of 1696	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	33
PID 1696 wrote to memory of 1588	1696	cmd.exe	35
PID 1696 wrote to memory of 1588	1696	cmd.exe	35
PID 1696 wrote to memory of 1588	1696	cmd.exe	35
PID 1696 wrote to memory of 1588	1696	cmd.exe	35
PID 1588 wrote to memory of 1708	1588	net.exe	36
PID 1588 wrote to memory of 1708	1588	net.exe	36
PID 1588 wrote to memory of 1708	1588	net.exe	36
PID 1588 wrote to memory of 1708	1588	net.exe	36
PID 1864 wrote to memory of 1648	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	37
PID 1864 wrote to memory of 1648	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	37
PID 1864 wrote to memory of 1648	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	37
PID 1864 wrote to memory of 1648	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	37
PID 1648 wrote to memory of 952	1648	cmd.exe	39
PID 1648 wrote to memory of 952	1648	cmd.exe	39
PID 1648 wrote to memory of 952	1648	cmd.exe	39
PID 1648 wrote to memory of 952	1648	cmd.exe	39
PID 952 wrote to memory of 948	952	net.exe	40
PID 952 wrote to memory of 948	952	net.exe	40
PID 952 wrote to memory of 948	952	net.exe	40
PID 952 wrote to memory of 948	952	net.exe	40
PID 1864 wrote to memory of 1764	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	41
PID 1864 wrote to memory of 1764	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	41
PID 1864 wrote to memory of 1764	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	41
PID 1864 wrote to memory of 1764	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	41
PID 1764 wrote to memory of 860	1764	cmd.exe	43
PID 1764 wrote to memory of 860	1764	cmd.exe	43
PID 1764 wrote to memory of 860	1764	cmd.exe	43
PID 1764 wrote to memory of 860	1764	cmd.exe	43
PID 860 wrote to memory of 432	860	net.exe	44
PID 860 wrote to memory of 432	860	net.exe	44
PID 860 wrote to memory of 432	860	net.exe	44
PID 860 wrote to memory of 432	860	net.exe	44
PID 1864 wrote to memory of 1908	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	45
PID 1864 wrote to memory of 1908	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	45
PID 1864 wrote to memory of 1908	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	45
PID 1864 wrote to memory of 1908	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	45
PID 1908 wrote to memory of 1152	1908	cmd.exe	47
PID 1908 wrote to memory of 1152	1908	cmd.exe	47
PID 1908 wrote to memory of 1152	1908	cmd.exe	47
PID 1908 wrote to memory of 1152	1908	cmd.exe	47
PID 1152 wrote to memory of 1812	1152	net.exe	48
PID 1152 wrote to memory of 1812	1152	net.exe	48
PID 1152 wrote to memory of 1812	1152	net.exe	48
PID 1152 wrote to memory of 1812	1152	net.exe	48
PID 1864 wrote to memory of 1104	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	49
PID 1864 wrote to memory of 1104	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	49
PID 1864 wrote to memory of 1104	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	49
PID 1864 wrote to memory of 1104	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	49

C:\Users\Admin\AppData\Local\Temp\c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
"C:\Users\Admin\AppData\Local\Temp\c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1112
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:1688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:1708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:952
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:1812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:1040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:1548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  PID:1720
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    PID:1252
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:828
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:1248
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  PID:1876
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    PID:388
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:1744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:1520
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  PID:580
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1768-83-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download