Analysis
-
max time kernel
65s -
max time network
125s -
resource
win7v191014 -
submitted
06-02-2020 11:02
Task
task1
Sample
d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
Resource
win7v191014
0 signatures
Task
task2
Sample
d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
Resource
win10v191014
0 signatures
General
-
Target
d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
-
Size
376KB
-
MD5
a521f2c76e2212feb810e6bc1d35995a
-
SHA1
e0bc61d4e38c30f86d7236b431db50e411e60c06
-
SHA256
d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382
-
SHA512
868ebdcb41453316f6dc6fa1344479df7b0f5807bebe4d17721d77ebacb8a7dc31f0e11f2cb9fcacd869fb2326b561ece3a5ad0999ba824e14255040f4ae8280
Score
10/10
Malware Config
Signatures
-
Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\RenameUnregister.tiff d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe -
Drops startup file 1 IoCs
Processes:
d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe -
Drops desktop.ini file(s) 64 IoCs
Processes:
d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exedescription ioc process File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Media\Characters\Desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Offline Web Pages\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\Admin\Videos\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Media\Quirky\Desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4RHK1DJ5\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Media\Afternoon\Desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files (x86)\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\Public\Pictures\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Fonts\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Media\Raga\Desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CZUF3YTD\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\Public\Recorded TV\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\assembly\Desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Media\Cityscape\Desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O8Q277BG\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Downloaded Program Files\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\Public\Libraries\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F0PWNRM0\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\Public\Documents\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Media\Desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
description flow ioc HTTP URL 6 http://www.sfml-dev.org/ip-provider.php -
Drops file in System32 directory 1 IoCs
Processes:
d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exedescription ioc process File opened for modification C:\Windows\SysWOW64\regedit.exe d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe -
Drops file in Program Files directory 64 IoCs
Processes:
d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exedescription ioc process File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0400004.PNG.Email=[SupportOdveta@protonmail.com]ID=[93C6UNTAE1WSXK4].odveta d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\library.js d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Microsoft Office\Office14\FORMS\1033\CNFNOT.ICO d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsusf_plugin.dll d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO02045_.WMF d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0187863.WMF d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File created C:\Program Files\Microsoft Office\Office14\1033\QuickStyles\Newsprint.dotx.Email=[SupportOdveta@protonmail.com]ID=[93C6UNTAE1WSXK4].odveta d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_top.png d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0107158.WMF d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Microsoft Office\Templates\1033\ExecutiveReport.dotx.Email=[SupportOdveta@protonmail.com]ID=[93C6UNTAE1WSXK4].odveta d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\spu\libmosaic_plugin.dll d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_ja_4.4.0.v20140623020002.jar.Email=[SupportOdveta@protonmail.com]ID=[93C6UNTAE1WSXK4].odveta d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\OPHPROXY.DLL.Email=[SupportOdveta@protonmail.com]ID=[93C6UNTAE1WSXK4].odveta d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_right.png d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Microsoft Office\Office14\PUBWIZ\DGNAVBAR.DPV d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02503U.BMP d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\ONINTL.DLL.IDX_DLL d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_ja_4.4.0.v20140623020002.jar.Email=[SupportOdveta@protonmail.com]ID=[93C6UNTAE1WSXK4].odveta d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml.Email=[SupportOdveta@protonmail.com]ID=[93C6UNTAE1WSXK4].odveta d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0103850.WMF.Email=[SupportOdveta@protonmail.com]ID=[93C6UNTAE1WSXK4].odveta d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Swift_Current d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File created C:\Program Files\VideoLAN\VLC\plugins\codec\libpng_plugin.dll.Email=[SupportOdveta@protonmail.com]ID=[93C6UNTAE1WSXK4].odveta d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_up.png d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Warsaw d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\picturePuzzle.html d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annots.api d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File created C:\Program Files\Common Files\Microsoft Shared\THEMES14\PROFILE\PROFILE.ELM.Email=[SupportOdveta@protonmail.com]ID=[93C6UNTAE1WSXK4].odveta d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OWSSUPP.DLL d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\InfoPathMUI.XML.Email=[SupportOdveta@protonmail.com]ID=[93C6UNTAE1WSXK4].odveta d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Internet Explorer\DiagnosticsTap.dll d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0107708.WMF d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES\BD15035_.GIF d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Dublin.Email=[SupportOdveta@protonmail.com]ID=[93C6UNTAE1WSXK4].odveta d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\librawvid_plugin.dll d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins_1.1.200.v20131119-0908.jar.Email=[SupportOdveta@protonmail.com]ID=[93C6UNTAE1WSXK4].odveta d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File created C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0107042.WMF.Email=[SupportOdveta@protonmail.com]ID=[93C6UNTAE1WSXK4].odveta d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\7-Zip\Lang\sq.txt d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File created C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0152626.WMF.Email=[SupportOdveta@protonmail.com]ID=[93C6UNTAE1WSXK4].odveta d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\VC\msdia100.dll.Email=[SupportOdveta@protonmail.com]ID=[93C6UNTAE1WSXK4].odveta d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File created C:\Program Files\Common Files\Microsoft Shared\THEMES14\IRIS\THMBNAIL.PNG.Email=[SupportOdveta@protonmail.com]ID=[93C6UNTAE1WSXK4].odveta d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\HH00636_.WMF d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861258748.profile.gz.Email=[SupportOdveta@protonmail.com]ID=[93C6UNTAE1WSXK4].odveta d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.attach_5.5.0.165303.jar.Email=[SupportOdveta@protonmail.com]ID=[93C6UNTAE1WSXK4].odveta d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File created C:\Program Files\VideoLAN\VLC\plugins\demux\libogg_plugin.dll.Email=[SupportOdveta@protonmail.com]ID=[93C6UNTAE1WSXK4].odveta d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.servlet_1.1.500.v20140318-1755.jar.Email=[SupportOdveta@protonmail.com]ID=[93C6UNTAE1WSXK4].odveta d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ACEWSS.DLL.Email=[SupportOdveta@protonmail.com]ID=[93C6UNTAE1WSXK4].odveta d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\MST7MDT.Email=[SupportOdveta@protonmail.com]ID=[93C6UNTAE1WSXK4].odveta d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File created C:\Program Files\Java\jre7\lib\deploy\messages_zh_TW.properties.Email=[SupportOdveta@protonmail.com]ID=[93C6UNTAE1WSXK4].odveta d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImage.jpg d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR22F.GIF d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolIcons\SessionOwner.ico d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_ja.jar.Email=[SupportOdveta@protonmail.com]ID=[93C6UNTAE1WSXK4].odveta d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA00525_.WMF.Email=[SupportOdveta@protonmail.com]ID=[93C6UNTAE1WSXK4].odveta d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE03331_.WMF.Email=[SupportOdveta@protonmail.com]ID=[93C6UNTAE1WSXK4].odveta d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\THEMES14\SONORA\SONORA.ELM.Email=[SupportOdveta@protonmail.com]ID=[93C6UNTAE1WSXK4].odveta d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_zh_4.4.0.v20140623020002.jar d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Microsoft Office\Office14\PRTF9.DLL d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR19F.GIF d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Java\jre7\lib\fontconfig.bfc.Email=[SupportOdveta@protonmail.com]ID=[93C6UNTAE1WSXK4].odveta d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Internet Explorer\en-US\F12Resources.dll.mui d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Microsoft Office\Office14\FORMS\1033\SCDRESTL.ICO d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0198113.WMF d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\Microsoft Office\Office14\PUBWIZ\BZCD98SP.POC d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libsharpen_plugin.dll d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe -
Drops file in Windows directory 64 IoCs
Processes:
d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exedescription ioc process File opened for modification C:\Windows\inf\mdmntt1.PNF d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\inf\volsnap.inf d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Microsoft.NET\NETFXRepair.1031.dll d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\b883b83d1f72f1fcaf4acdef3c9c381f\Microsoft.MediaCenter.Bml.ni.dll d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\diagnostics\system\Audio\CL_Utility.ps1 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Fonts\upcji.ttf d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Fonts\Vani.ttf d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-IIS-WebServer-AddOn-2-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.mum d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_64\dfsvc\bb4a1994db088e84b9d383271b082250\dfsvc.ni.exe.aux d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Cursors\busy_il.cur d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Fonts\mangalb.ttf d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\PolicyDefinitions\W32Time.admx d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe.config d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\assembly\GAC_MSIL\ehexthost\6.1.0.0__31bf3856ad364e35\ehexthost.exe d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\inf\mdmbug3.inf d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\inf\wsearchidxpi\idxcntrs.h d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\1033\vbc7ui.dll d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.Serialization.dll d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data7706cdc8#\0f5d7a58829ce83220e8765313c62608\System.Data.DataSetExtensions.ni.dll.aux d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\diagnostics\system\Performance\RS_MultipleUsers.ps1 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\inf\arcsas.inf d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\inf\cxraptor_philipstuv1236d_ibv64.inf d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1025\SetupResources.dll d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\inf\wiabr002.PNF d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\PolicyDefinitions\Setup.admx d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Fonts\batang.ttc d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Microsoft.NET\NETFXRepair.1043.dll d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.Dtc.dll d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\diagnostics\system\Device\RS_UpdateDriver.ps1 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\App_LocalResources\setUpAuthentication.aspx.resx d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\62a6b39f4f68c25dfd2f6308d7541401\System.Runtime.Serialization.ni.dll.aux d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MOF\ServiceModel35.mof d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallSqlState.sql d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PenIMC_v0400.dll d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\diagnostics\system\Search\en-US\CL_LocalizationData.psd1 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\ehome\Microsoft.MediaCenter.Shell.dll d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Boot\EFI\ko-KR\bootmgfw.efi.mui d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\inf\mdmcom1.PNF d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe.config d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.dll d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Graph\14.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Graph.dll d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\PolicyDefinitions\DeviceRedirection.admx d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\PolicyDefinitions\en-US\TerminalServer.adml d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\UninstallPersistSqlState.sql d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Microsoft.JScript.dll d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Outlook\14.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.Outlook.config d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Fonts\mvboli.ttf d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Media\Festival\Windows Logon Sound.wav d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\sortkey.nlp d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0\9.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0.dll d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Boot\PCAT\fr-FR\bootmgr.exe.mui d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Fonts\SCHLBKB.TTF d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Microsoft.NET\NETFXRepair.1040.dll d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Workca489553#\361ef62867b1804328cf3616dc8a7f7b\System.Workflow.ComponentModel.ni.dll d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\home2.aspx.resx d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AdoNetDiag.dll d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-BusinessScanning-Feature-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Printing\8a2376658a24628765d359a0fafb3339\System.Printing.ni.dll d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Boot\EFI\es-ES\bootmgr.efi.mui d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Tasks.dll d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\adonetdiag.mof.uninstall d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Fonts\app775.fon d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.ServiceModel.Http.dll d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exepid process 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exedescription pid process target process PID 1028 wrote to memory of 1424 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe cmd.exe PID 1028 wrote to memory of 1424 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe cmd.exe PID 1028 wrote to memory of 1424 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe cmd.exe PID 1028 wrote to memory of 1424 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe cmd.exe PID 1424 wrote to memory of 1580 1424 cmd.exe net.exe PID 1424 wrote to memory of 1580 1424 cmd.exe net.exe PID 1424 wrote to memory of 1580 1424 cmd.exe net.exe PID 1424 wrote to memory of 1580 1424 cmd.exe net.exe PID 1580 wrote to memory of 1820 1580 net.exe net1.exe PID 1580 wrote to memory of 1820 1580 net.exe net1.exe PID 1580 wrote to memory of 1820 1580 net.exe net1.exe PID 1580 wrote to memory of 1820 1580 net.exe net1.exe PID 1028 wrote to memory of 1312 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe cmd.exe PID 1028 wrote to memory of 1312 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe cmd.exe PID 1028 wrote to memory of 1312 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe cmd.exe PID 1028 wrote to memory of 1312 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe cmd.exe PID 1312 wrote to memory of 1440 1312 cmd.exe net.exe PID 1312 wrote to memory of 1440 1312 cmd.exe net.exe PID 1312 wrote to memory of 1440 1312 cmd.exe net.exe PID 1312 wrote to memory of 1440 1312 cmd.exe net.exe PID 1440 wrote to memory of 1132 1440 net.exe net1.exe PID 1440 wrote to memory of 1132 1440 net.exe net1.exe PID 1440 wrote to memory of 1132 1440 net.exe net1.exe PID 1440 wrote to memory of 1132 1440 net.exe net1.exe PID 1028 wrote to memory of 1128 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe cmd.exe PID 1028 wrote to memory of 1128 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe cmd.exe PID 1028 wrote to memory of 1128 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe cmd.exe PID 1028 wrote to memory of 1128 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe cmd.exe PID 1128 wrote to memory of 836 1128 cmd.exe net.exe PID 1128 wrote to memory of 836 1128 cmd.exe net.exe PID 1128 wrote to memory of 836 1128 cmd.exe net.exe PID 1128 wrote to memory of 836 1128 cmd.exe net.exe PID 836 wrote to memory of 304 836 net.exe net1.exe PID 836 wrote to memory of 304 836 net.exe net1.exe PID 836 wrote to memory of 304 836 net.exe net1.exe PID 836 wrote to memory of 304 836 net.exe net1.exe PID 1028 wrote to memory of 2016 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe cmd.exe PID 1028 wrote to memory of 2016 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe cmd.exe PID 1028 wrote to memory of 2016 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe cmd.exe PID 1028 wrote to memory of 2016 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe cmd.exe PID 2016 wrote to memory of 2008 2016 cmd.exe net.exe PID 2016 wrote to memory of 2008 2016 cmd.exe net.exe PID 2016 wrote to memory of 2008 2016 cmd.exe net.exe PID 2016 wrote to memory of 2008 2016 cmd.exe net.exe PID 2008 wrote to memory of 2044 2008 net.exe net1.exe PID 2008 wrote to memory of 2044 2008 net.exe net1.exe PID 2008 wrote to memory of 2044 2008 net.exe net1.exe PID 2008 wrote to memory of 2044 2008 net.exe net1.exe PID 1028 wrote to memory of 1984 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe cmd.exe PID 1028 wrote to memory of 1984 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe cmd.exe PID 1028 wrote to memory of 1984 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe cmd.exe PID 1028 wrote to memory of 1984 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe cmd.exe PID 1984 wrote to memory of 660 1984 cmd.exe net.exe PID 1984 wrote to memory of 660 1984 cmd.exe net.exe PID 1984 wrote to memory of 660 1984 cmd.exe net.exe PID 1984 wrote to memory of 660 1984 cmd.exe net.exe PID 660 wrote to memory of 752 660 net.exe net1.exe PID 660 wrote to memory of 752 660 net.exe net1.exe PID 660 wrote to memory of 752 660 net.exe net1.exe PID 660 wrote to memory of 752 660 net.exe net1.exe PID 1028 wrote to memory of 1256 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe cmd.exe PID 1028 wrote to memory of 1256 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe cmd.exe PID 1028 wrote to memory of 1256 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe cmd.exe PID 1028 wrote to memory of 1256 1028 d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe"C:\Users\Admin\AppData\Local\Temp\d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop SQLWriter2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop SQLWriter3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLWriter4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop SQLBrowser2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop SQLBrowser3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLBrowser4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSSQLSERVER2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop MSSQLSERVER3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop MSSQL$CONTOSO13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$CONTOSO14⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSDTC2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop MSDTC3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSDTC4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT2⤵
-
C:\Windows\SysWOW64\net.exenet stop SQLSERVERAGENT3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLSERVERAGENT4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSSQLSERVER2⤵
-
C:\Windows\SysWOW64\net.exenet stop MSSQLSERVER3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop vds2⤵
-
C:\Windows\SysWOW64\net.exenet stop vds3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop vds4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵