ouroboros | c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa

General

Target

c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
Size

1011KB
MD5

73528b74e4edb1c32a4d88abe34ae437
SHA1

b97c0fc8a34e88c03704e43829c550d765398a3c
SHA256

c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa
SHA512

523cd56a44e91fc3084b76d68dbce6e77dac190716833cce455d2091894b403def7132475ec748b0d26fed90a4fcfc5d5f65f0eba098bc7d8ac4853ae9e547ec

Score

10^/10

ouroboros evasion ransomware spyware stealer

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\DenyOpen.tiff	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\Pictures\ResetSend.tiff	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\Pictures\TestEnter.tiff	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\Pictures\WatchPublish.tiff	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe

Drops startup file 1 IoCs

Processes:

c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

Processes:

c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T2CDOEA4\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\$Recycle.Bin\S-1-5-21-1083475884-596052423-1669053738-1000\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\Cookies\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1083475884-596052423-1669053738-1000\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\Microsoft Games\Hearts\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\Microsoft Games\Chess\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\N6KW9TJE\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VP7YQ4XO\desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 2 http://www.sfml-dev.org/ip-provider.php
Drops file in System32 directory 1 IoCs

Processes:

c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\regedit.exe c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe

description	flow	ioc
HTTP URL	2	http://www.sfml-dev.org/ip-provider.php

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\regedit.exe	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe

Drops file in Program Files directory 64 IoCs

Processes:

c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Marengo.Email=[josefrendal797@gmail.com]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\Microsoft Games\Purble Place\de-DE\PurblePlace.exe.mui.Email=[josefrendal797@gmail.com]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\DenyPop.xht	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_right.png	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libaddonsfsstorage_plugin.dll.Email=[josefrendal797@gmail.com]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_ja_4.4.0.v20140623020002.jar	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\ShvlRes.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\gui\libqt_plugin.dll.Email=[josefrendal797@gmail.com]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\clock.js	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\cacerts.Email=[josefrendal797@gmail.com]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_rest.png	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105280.WMF	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_ja.jar.Email=[josefrendal797@gmail.com]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libwaveout_plugin.dll.Email=[josefrendal797@gmail.com]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\SPLASH.WAV	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.Client.resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_foggy.png	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\BASMLA.XSL	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.shell_0.10.0.v201212101605.jar.Email=[josefrendal797@gmail.com]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RTFHTML.DLL	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml.Email=[josefrendal797@gmail.com]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-3.Email=[josefrendal797@gmail.com]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\host.luac.Email=[josefrendal797@gmail.com]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\EditUnpublish.svgz.Email=[josefrendal797@gmail.com]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt.Email=[josefrendal797@gmail.com]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kuala_Lumpur	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Luxembourg	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.util.gui_1.7.0.v200903091627.jar.Email=[josefrendal797@gmail.com]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ACCDDSUI.DLL	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\bckgzm.exe.mui.Email=[josefrendal797@gmail.com]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libddummy_plugin.dll.Email=[josefrendal797@gmail.com]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIconSubpictur.png	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Faroe	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\liblive555_plugin.dll.Email=[josefrendal797@gmail.com]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jre7\release.Email=[josefrendal797@gmail.com]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\Java\jre7\bin\npt.dll.Email=[josefrendal797@gmail.com]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\15x15dot.png	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\profilerinterface.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1AR.LEX.Email=[josefrendal797@gmail.com]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Microsoft.VisualStudio.Tools.Applications.ComRPCChannel.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\SplitLimit.MTS	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox_1.0.500.v20131211-1531.jar	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-io-ui.xml_hidden	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01299_.GIF	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.WPG	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msjro.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00392_.WMF	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_ja_4.4.0.v20140623020002.jar	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\bckgzm.exe.mui.Email=[josefrendal797@gmail.com]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.Email=[josefrendal797@gmail.com]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107264.WMF	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Custom.propdesc	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OneNoteSyncPC.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Abstractions.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\service.js	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_standard_plugin.dll.Email=[josefrendal797@gmail.com]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_highlights_Thumbnail.bmp	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Winnipeg	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe

Drops file in Windows directory 64 IoCs

Processes:

c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\system.runtime.serialization.resources\3.0.0.0_ja_b77a5c561934e089\System.RunTime.Serialization.Resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\TaskScheduler.Resources\6.1.0.0_ja_31bf3856ad364e35\TaskScheduler.resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationFramewo#\495f263cbca8e7d0462ee309a634e115\PresentationFramework.Luna.ni.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\14afe54e24cf09fe6c371fc47cfabf0e\Microsoft.Build.Engine.ni.dll.Email=[josefrendal797@gmail.com]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.PowerPoint\14.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.PowerPoint.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Entity\831aa231315a31ed3efeba1feb3bb936\System.Data.Entity.ni.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.ApplicationId.Framework.Resources\6.1.0.0_fr_31bf3856ad364e35\Microsoft.ApplicationId.Framework.Resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Security.resources\2.0.0.0_de_b03f5f7f11d50a3a\System.Security.Resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationUI\efec1926513ece87ff644670cdd80031\PresentationUI.ni.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Acti2661942e#\84846480d6281bf831a97d07f712d09e\System.Activities.DurableInstancing.ni.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\WindowsShell.Manifest	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\napsnap.resources\6.1.0.0_fr_31bf3856ad364e35\napsnap.resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.Bu#\dc575bdefe4a3442f165f8418535d9af\Microsoft.Office.BusinessApplications.Runtime.ni.dll.Email=[josefrendal797@gmail.com]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Wind0de890be#\d5f4765d7a361b979d8998c5072ffa01\System.Windows.Forms.DataVisualization.ni.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessApplications.Runtime\14.0.0.0__71e9bce111e9429c\Microsoft.Office.BusinessApplications.Runtime.dll.Email=[josefrendal797@gmail.com]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.GroupPoli#\da42912f997fae780054f0c3a6b47fea\Microsoft.GroupPolicy.Reporting.ni.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1288d7e030bc0c5d8b2cbe5f33aeed7f\System.Data.ni.dll.aux	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_64\naphlpr\6.1.0.0__31bf3856ad364e35\NAPHLPR.DLL	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\38c67260f10996153532695d39649e6b\Microsoft.VisualBasic.ni.dll.aux	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Transacti#\22b5364c10d315a7f0a1fbd23f671c5a\Microsoft.Transactions.Bridge.Dtc.ni.dll.Email=[josefrendal797@gmail.com]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Mobile\9a3936273fb6a2e93b67f53c605d69df\System.Web.Mobile.ni.dll.aux	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\fveupdate.exe	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\sysglobl.resources\2.0.0.0_fr_b03f5f7f11d50a3a\sysglobl.resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Data.Entity.Design.resources\3.5.0.0_fr_b77a5c561934e089\System.Data.Entity.Design.Resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\WindowsBase.resources\3.0.0.0_de_31bf3856ad364e35\WindowsBase.resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\56a7faf970109dc1dc6b76f643d93c5f\ehiActivScp.ni.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehshell\d1dc67c666bc15291be843bd67cd2a2e\ehshell.ni.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.IdentityModel\710a5c9e16388ca7a722211f4d4867aa\System.IdentityModel.ni.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.Resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\bfaf8f86e69928fb2f67987c0203f603\PresentationFramework.ni.dll.Email=[josefrendal797@gmail.com]ID=[J3NXKTPZ2OCGW0S].odveta	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\mcstore\67c2902f53638a9056174f6130a8bde7\mcstore.ni.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Linq\bb69e031fd35b02403c7c22ea5c8e4d4\System.Data.Linq.ni.dll.aux	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.SDHost.Resources\1.0.0.0_it_31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDHost.resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Drawing.resources\2.0.0.0_it_b03f5f7f11d50a3a\System.Drawing.Resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.DynamicData.Design\3.5.0.0__31bf3856ad364e35\System.Web.DynamicData.Design.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\system.workflow.runtime.resources\3.0.0.0_es_31bf3856ad364e35\System.Workflow.Runtime.resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio53a7a42c#\bec5113e390005d3c5767dc09fdb6308\PresentationFramework.AeroLite.ni.dll.aux	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_64\Policy.1.0.Microsoft.Interop.Security.AzRoles\6.1.7600.16385__31bf3856ad364e35\Policy.1.0.Microsoft.Interop.Security.AzRoles.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\wpfgfx_v0300.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause.Resources\1.0.0.0_ja_31bf3856ad364e35\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause.resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\MiguiControls.Resources\1.0.0.0_it_31bf3856ad364e35\MIGUIControls.resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_es_b77a5c561934e089\mscorlib.Resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Abstractions.resources\3.5.0.0_de_31bf3856ad364e35\System.Web.Abstractions.Resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Data.SqlServerCe\3.5.1.0__89845dcd8080cc91\System.Data.SqlServerCe.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols.resources\2.0.0.0_ja_b03f5f7f11d50a3a\System.DirectoryServices.Protocols.resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Policy.1.0.Microsoft.Ink.config	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Runtime.v10.0\10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Office.Runtime.v10.0.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Access.Dao\14.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.Access.Dao.config	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiProxy\50691bdee045a2df00f00ac461844c5f\ehiProxy.ni.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Messaging\b9894ff5da01b06ecbdb489cf34439d4\System.Messaging.ni.dll.aux	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\PFRO.log	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\EventViewer.Resources\6.1.0.0_fr_31bf3856ad364e35\EventViewer.resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessApplications.SyncServices\14.0.0.0__71e9bce111e9429c\Microsoft.Office.BusinessApplications.SyncServices.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Entity.resources\3.5.0.0_fr_b77a5c561934e089\System.Web.Entity.Resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatiob3047ded#\db7f29ce66da5498e9ae3b5eb88e40a6\PresentationFramework.Royale.ni.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ehiiTV\6.1.0.0__31bf3856ad364e35\ehiiTV.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting.resources\2.0.0.0_de_b77a5c561934e089\System.Runtime.Remoting.Resources.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni.dll	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe

pid	process
1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 1864 wrote to memory of 1944	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1864 wrote to memory of 1944	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1864 wrote to memory of 1944	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1864 wrote to memory of 1944	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1944 wrote to memory of 1112	1944	cmd.exe	net.exe
PID 1944 wrote to memory of 1112	1944	cmd.exe	net.exe
PID 1944 wrote to memory of 1112	1944	cmd.exe	net.exe
PID 1944 wrote to memory of 1112	1944	cmd.exe	net.exe
PID 1112 wrote to memory of 1688	1112	net.exe	net1.exe
PID 1112 wrote to memory of 1688	1112	net.exe	net1.exe
PID 1112 wrote to memory of 1688	1112	net.exe	net1.exe
PID 1112 wrote to memory of 1688	1112	net.exe	net1.exe
PID 1864 wrote to memory of 1696	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1864 wrote to memory of 1696	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1864 wrote to memory of 1696	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1864 wrote to memory of 1696	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1696 wrote to memory of 1588	1696	cmd.exe	net.exe
PID 1696 wrote to memory of 1588	1696	cmd.exe	net.exe
PID 1696 wrote to memory of 1588	1696	cmd.exe	net.exe
PID 1696 wrote to memory of 1588	1696	cmd.exe	net.exe
PID 1588 wrote to memory of 1708	1588	net.exe	net1.exe
PID 1588 wrote to memory of 1708	1588	net.exe	net1.exe
PID 1588 wrote to memory of 1708	1588	net.exe	net1.exe
PID 1588 wrote to memory of 1708	1588	net.exe	net1.exe
PID 1864 wrote to memory of 1648	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1864 wrote to memory of 1648	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1864 wrote to memory of 1648	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1864 wrote to memory of 1648	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1648 wrote to memory of 952	1648	cmd.exe	net.exe
PID 1648 wrote to memory of 952	1648	cmd.exe	net.exe
PID 1648 wrote to memory of 952	1648	cmd.exe	net.exe
PID 1648 wrote to memory of 952	1648	cmd.exe	net.exe
PID 952 wrote to memory of 948	952	net.exe	net1.exe
PID 952 wrote to memory of 948	952	net.exe	net1.exe
PID 952 wrote to memory of 948	952	net.exe	net1.exe
PID 952 wrote to memory of 948	952	net.exe	net1.exe
PID 1864 wrote to memory of 1764	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1864 wrote to memory of 1764	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1864 wrote to memory of 1764	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1864 wrote to memory of 1764	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1764 wrote to memory of 860	1764	cmd.exe	net.exe
PID 1764 wrote to memory of 860	1764	cmd.exe	net.exe
PID 1764 wrote to memory of 860	1764	cmd.exe	net.exe
PID 1764 wrote to memory of 860	1764	cmd.exe	net.exe
PID 860 wrote to memory of 432	860	net.exe	net1.exe
PID 860 wrote to memory of 432	860	net.exe	net1.exe
PID 860 wrote to memory of 432	860	net.exe	net1.exe
PID 860 wrote to memory of 432	860	net.exe	net1.exe
PID 1864 wrote to memory of 1908	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1864 wrote to memory of 1908	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1864 wrote to memory of 1908	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1864 wrote to memory of 1908	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1908 wrote to memory of 1152	1908	cmd.exe	net.exe
PID 1908 wrote to memory of 1152	1908	cmd.exe	net.exe
PID 1908 wrote to memory of 1152	1908	cmd.exe	net.exe
PID 1908 wrote to memory of 1152	1908	cmd.exe	net.exe
PID 1152 wrote to memory of 1812	1152	net.exe	net1.exe
PID 1152 wrote to memory of 1812	1152	net.exe	net1.exe
PID 1152 wrote to memory of 1812	1152	net.exe	net1.exe
PID 1152 wrote to memory of 1812	1152	net.exe	net1.exe
PID 1864 wrote to memory of 1104	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1864 wrote to memory of 1104	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1864 wrote to memory of 1104	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe
PID 1864 wrote to memory of 1104	1864	c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe
"C:\Users\Admin\AppData\Local\Temp\c3a3acd8241a5fa5c2f2d596e7b8aecb0e427e7b399ee5ef6c7dfea8d86ebdaa.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLWriter
2⤵
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
3⤵
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
4⤵
PID:1688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLBrowser
2⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
3⤵
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
4⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
2⤵
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\net.exe
net stop MSSQL$CONTOSO1
3⤵
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$CONTOSO1
4⤵
PID:432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSDTC
2⤵
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\net.exe
net stop MSDTC
3⤵
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSDTC
4⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:1104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
2⤵
PID:1040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
2⤵
PID:1548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
2⤵
PID:1720

C:\Windows\SysWOW64\net.exe
net stop SQLSERVERAGENT
3⤵
PID:1252

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT
4⤵
PID:544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
PID:828

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
PID:1248

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:1912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop vds
2⤵
PID:1876

C:\Windows\SysWOW64\net.exe
net stop vds
3⤵
PID:388

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vds
4⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
2⤵
PID:1520

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
PID:1768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
2⤵
PID:580

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
PID:1112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/388-79-0x0000000000000000-mapping.dmp

Download
memory/432-65-0x0000000000000000-mapping.dmp

Download
memory/544-74-0x0000000000000000-mapping.dmp

Download
memory/580-84-0x0000000000000000-mapping.dmp

Download
memory/828-75-0x0000000000000000-mapping.dmp

Download
memory/860-64-0x0000000000000000-mapping.dmp

Download
memory/948-62-0x0000000000000000-mapping.dmp

Download
memory/952-61-0x0000000000000000-mapping.dmp

Download
memory/1040-70-0x0000000000000000-mapping.dmp

Download
memory/1104-69-0x0000000000000000-mapping.dmp

Download
memory/1112-55-0x0000000000000000-mapping.dmp

Download
memory/1112-85-0x0000000000000000-mapping.dmp

Download
memory/1152-67-0x0000000000000000-mapping.dmp

Download
memory/1248-76-0x0000000000000000-mapping.dmp

Download
memory/1252-73-0x0000000000000000-mapping.dmp

Download
memory/1520-81-0x0000000000000000-mapping.dmp

Download
memory/1548-71-0x0000000000000000-mapping.dmp

Download
memory/1588-58-0x0000000000000000-mapping.dmp

Download
memory/1648-60-0x0000000000000000-mapping.dmp

Download
memory/1688-56-0x0000000000000000-mapping.dmp

Download
memory/1696-57-0x0000000000000000-mapping.dmp

Download
memory/1708-59-0x0000000000000000-mapping.dmp

Download
memory/1720-72-0x0000000000000000-mapping.dmp

Download
memory/1744-80-0x0000000000000000-mapping.dmp

Download
memory/1764-63-0x0000000000000000-mapping.dmp

Download
memory/1768-83-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1768-82-0x0000000000000000-mapping.dmp

Download
memory/1812-68-0x0000000000000000-mapping.dmp

Download
memory/1876-78-0x0000000000000000-mapping.dmp

Download
memory/1908-66-0x0000000000000000-mapping.dmp

Download
memory/1912-77-0x0000000000000000-mapping.dmp

Download
memory/1944-54-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads