ouroboros | d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382

Resubmissions

06-02-2020 11:15

200206-yr9smta93e 8

06-02-2020 11:02

200206-3dy8j7a4kj 10

Analysis

max time kernel
65s
max time network
125s
resource
win7v191014
submitted
06-02-2020 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
Size

376KB
MD5

a521f2c76e2212feb810e6bc1d35995a
SHA1

e0bc61d4e38c30f86d7236b431db50e411e60c06
SHA256

d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382
SHA512

868ebdcb41453316f6dc6fa1344479df7b0f5807bebe4d17721d77ebacb8a7dc31f0e11f2cb9fcacd869fb2326b561ece3a5ad0999ba824e14255040f4ae8280

Score

10^/10

ouroboros xmrig evasion miner ransomware

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\RenameUnregister.tiff	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

Drops startup file 1 IoCs

Processes:

d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

description	ioc	process
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Media\Characters\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Media\Quirky\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4RHK1DJ5\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Media\Afternoon\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Media\Raga\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CZUF3YTD\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Media\Cityscape\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O8Q277BG\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F0PWNRM0\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Media\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 6 http://www.sfml-dev.org/ip-provider.php
Drops file in System32 directory 1 IoCs

Processes:

d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\regedit.exe d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

description	flow	ioc
HTTP URL	6	http://www.sfml-dev.org/ip-provider.php

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\regedit.exe	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

Drops file in Program Files directory 64 IoCs

Processes:

d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0400004.PNG.Email=[[email protected]]ID=[93C6UNTAE1WSXK4].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\library.js	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\FORMS\1033\CNFNOT.ICO	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsusf_plugin.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO02045_.WMF	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0187863.WMF	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\QuickStyles\Newsprint.dotx.Email=[[email protected]]ID=[93C6UNTAE1WSXK4].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_top.png	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0107158.WMF	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\Templates\1033\ExecutiveReport.dotx.Email=[[email protected]]ID=[93C6UNTAE1WSXK4].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\libmosaic_plugin.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_ja_4.4.0.v20140623020002.jar.Email=[[email protected]]ID=[93C6UNTAE1WSXK4].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\OPHPROXY.DLL.Email=[[email protected]]ID=[93C6UNTAE1WSXK4].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_right.png	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\DGNAVBAR.DPV	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02503U.BMP	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\ONINTL.DLL.IDX_DLL	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_ja_4.4.0.v20140623020002.jar.Email=[[email protected]]ID=[93C6UNTAE1WSXK4].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml.Email=[[email protected]]ID=[93C6UNTAE1WSXK4].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0103850.WMF.Email=[[email protected]]ID=[93C6UNTAE1WSXK4].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Swift_Current	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libpng_plugin.dll.Email=[[email protected]]ID=[93C6UNTAE1WSXK4].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_up.png	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Warsaw	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\picturePuzzle.html	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annots.api	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Common Files\Microsoft Shared\THEMES14\PROFILE\PROFILE.ELM.Email=[[email protected]]ID=[93C6UNTAE1WSXK4].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OWSSUPP.DLL	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\InfoPathMUI.XML.Email=[[email protected]]ID=[93C6UNTAE1WSXK4].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Internet Explorer\DiagnosticsTap.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0107708.WMF	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES\BD15035_.GIF	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Dublin.Email=[[email protected]]ID=[93C6UNTAE1WSXK4].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\librawvid_plugin.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins_1.1.200.v20131119-0908.jar.Email=[[email protected]]ID=[93C6UNTAE1WSXK4].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0107042.WMF.Email=[[email protected]]ID=[93C6UNTAE1WSXK4].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0152626.WMF.Email=[[email protected]]ID=[93C6UNTAE1WSXK4].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\msdia100.dll.Email=[[email protected]]ID=[93C6UNTAE1WSXK4].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Common Files\Microsoft Shared\THEMES14\IRIS\THMBNAIL.PNG.Email=[[email protected]]ID=[93C6UNTAE1WSXK4].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\HH00636_.WMF	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861258748.profile.gz.Email=[[email protected]]ID=[93C6UNTAE1WSXK4].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.attach_5.5.0.165303.jar.Email=[[email protected]]ID=[93C6UNTAE1WSXK4].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libogg_plugin.dll.Email=[[email protected]]ID=[93C6UNTAE1WSXK4].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.servlet_1.1.500.v20140318-1755.jar.Email=[[email protected]]ID=[93C6UNTAE1WSXK4].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ACEWSS.DLL.Email=[[email protected]]ID=[93C6UNTAE1WSXK4].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\MST7MDT.Email=[[email protected]]ID=[93C6UNTAE1WSXK4].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_zh_TW.properties.Email=[[email protected]]ID=[93C6UNTAE1WSXK4].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImage.jpg	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR22F.GIF	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolIcons\SessionOwner.ico	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_ja.jar.Email=[[email protected]]ID=[93C6UNTAE1WSXK4].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA00525_.WMF.Email=[[email protected]]ID=[93C6UNTAE1WSXK4].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE03331_.WMF.Email=[[email protected]]ID=[93C6UNTAE1WSXK4].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\THEMES14\SONORA\SONORA.ELM.Email=[[email protected]]ID=[93C6UNTAE1WSXK4].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_zh_4.4.0.v20140623020002.jar	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PRTF9.DLL	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR19F.GIF	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fontconfig.bfc.Email=[[email protected]]ID=[93C6UNTAE1WSXK4].odveta	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\F12Resources.dll.mui	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\FORMS\1033\SCDRESTL.ICO	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0198113.WMF	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\BZCD98SP.POC	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libsharpen_plugin.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

Drops file in Windows directory 64 IoCs

Processes:

d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

description	ioc	process
File opened for modification	C:\Windows\inf\mdmntt1.PNF	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\inf\volsnap.inf	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Microsoft.NET\NETFXRepair.1031.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\b883b83d1f72f1fcaf4acdef3c9c381f\Microsoft.MediaCenter.Bml.ni.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\diagnostics\system\Audio\CL_Utility.ps1	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Fonts\upcji.ttf	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Fonts\Vani.ttf	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-IIS-WebServer-AddOn-2-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.mum	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\dfsvc\bb4a1994db088e84b9d383271b082250\dfsvc.ni.exe.aux	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Cursors\busy_il.cur	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Fonts\mangalb.ttf	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\PolicyDefinitions\W32Time.admx	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe.config	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ehexthost\6.1.0.0__31bf3856ad364e35\ehexthost.exe	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\inf\mdmbug3.inf	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\inf\wsearchidxpi\idxcntrs.h	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\1033\vbc7ui.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.Serialization.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data7706cdc8#\0f5d7a58829ce83220e8765313c62608\System.Data.DataSetExtensions.ni.dll.aux	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\diagnostics\system\Performance\RS_MultipleUsers.ps1	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\inf\arcsas.inf	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\inf\cxraptor_philipstuv1236d_ibv64.inf	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1025\SetupResources.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\inf\wiabr002.PNF	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\PolicyDefinitions\Setup.admx	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Fonts\batang.ttc	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Microsoft.NET\NETFXRepair.1043.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.Dtc.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\diagnostics\system\Device\RS_UpdateDriver.ps1	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\App_LocalResources\setUpAuthentication.aspx.resx	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\62a6b39f4f68c25dfd2f6308d7541401\System.Runtime.Serialization.ni.dll.aux	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MOF\ServiceModel35.mof	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallSqlState.sql	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PenIMC_v0400.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\diagnostics\system\Search\en-US\CL_LocalizationData.psd1	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\ehome\Microsoft.MediaCenter.Shell.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Boot\EFI\ko-KR\bootmgfw.efi.mui	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\inf\mdmcom1.PNF	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe.config	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Graph\14.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Graph.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\PolicyDefinitions\DeviceRedirection.admx	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\TerminalServer.adml	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\UninstallPersistSqlState.sql	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Microsoft.JScript.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Outlook\14.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.Outlook.config	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Fonts\mvboli.ttf	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Media\Festival\Windows Logon Sound.wav	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\sortkey.nlp	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0\9.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Boot\PCAT\fr-FR\bootmgr.exe.mui	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Fonts\SCHLBKB.TTF	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Microsoft.NET\NETFXRepair.1040.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Workca489553#\361ef62867b1804328cf3616dc8a7f7b\System.Workflow.ComponentModel.ni.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\home2.aspx.resx	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AdoNetDiag.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-BusinessScanning-Feature-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Printing\8a2376658a24628765d359a0fafb3339\System.Printing.ni.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Boot\EFI\es-ES\bootmgr.efi.mui	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Tasks.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\adonetdiag.mof.uninstall	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Fonts\app775.fon	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.ServiceModel.Http.dll	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

pid	process
1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 1028 wrote to memory of 1424	1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 1028 wrote to memory of 1424	1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 1028 wrote to memory of 1424	1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 1028 wrote to memory of 1424	1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 1424 wrote to memory of 1580	1424	cmd.exe	net.exe
PID 1424 wrote to memory of 1580	1424	cmd.exe	net.exe
PID 1424 wrote to memory of 1580	1424	cmd.exe	net.exe
PID 1424 wrote to memory of 1580	1424	cmd.exe	net.exe
PID 1580 wrote to memory of 1820	1580	net.exe	net1.exe
PID 1580 wrote to memory of 1820	1580	net.exe	net1.exe
PID 1580 wrote to memory of 1820	1580	net.exe	net1.exe
PID 1580 wrote to memory of 1820	1580	net.exe	net1.exe
PID 1028 wrote to memory of 1312	1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 1028 wrote to memory of 1312	1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 1028 wrote to memory of 1312	1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 1028 wrote to memory of 1312	1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 1312 wrote to memory of 1440	1312	cmd.exe	net.exe
PID 1312 wrote to memory of 1440	1312	cmd.exe	net.exe
PID 1312 wrote to memory of 1440	1312	cmd.exe	net.exe
PID 1312 wrote to memory of 1440	1312	cmd.exe	net.exe
PID 1440 wrote to memory of 1132	1440	net.exe	net1.exe
PID 1440 wrote to memory of 1132	1440	net.exe	net1.exe
PID 1440 wrote to memory of 1132	1440	net.exe	net1.exe
PID 1440 wrote to memory of 1132	1440	net.exe	net1.exe
PID 1028 wrote to memory of 1128	1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 1028 wrote to memory of 1128	1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 1028 wrote to memory of 1128	1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 1028 wrote to memory of 1128	1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 1128 wrote to memory of 836	1128	cmd.exe	net.exe
PID 1128 wrote to memory of 836	1128	cmd.exe	net.exe
PID 1128 wrote to memory of 836	1128	cmd.exe	net.exe
PID 1128 wrote to memory of 836	1128	cmd.exe	net.exe
PID 836 wrote to memory of 304	836	net.exe	net1.exe
PID 836 wrote to memory of 304	836	net.exe	net1.exe
PID 836 wrote to memory of 304	836	net.exe	net1.exe
PID 836 wrote to memory of 304	836	net.exe	net1.exe
PID 1028 wrote to memory of 2016	1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 1028 wrote to memory of 2016	1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 1028 wrote to memory of 2016	1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 1028 wrote to memory of 2016	1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 2016 wrote to memory of 2008	2016	cmd.exe	net.exe
PID 2016 wrote to memory of 2008	2016	cmd.exe	net.exe
PID 2016 wrote to memory of 2008	2016	cmd.exe	net.exe
PID 2016 wrote to memory of 2008	2016	cmd.exe	net.exe
PID 2008 wrote to memory of 2044	2008	net.exe	net1.exe
PID 2008 wrote to memory of 2044	2008	net.exe	net1.exe
PID 2008 wrote to memory of 2044	2008	net.exe	net1.exe
PID 2008 wrote to memory of 2044	2008	net.exe	net1.exe
PID 1028 wrote to memory of 1984	1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 1028 wrote to memory of 1984	1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 1028 wrote to memory of 1984	1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 1028 wrote to memory of 1984	1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 1984 wrote to memory of 660	1984	cmd.exe	net.exe
PID 1984 wrote to memory of 660	1984	cmd.exe	net.exe
PID 1984 wrote to memory of 660	1984	cmd.exe	net.exe
PID 1984 wrote to memory of 660	1984	cmd.exe	net.exe
PID 660 wrote to memory of 752	660	net.exe	net1.exe
PID 660 wrote to memory of 752	660	net.exe	net1.exe
PID 660 wrote to memory of 752	660	net.exe	net1.exe
PID 660 wrote to memory of 752	660	net.exe	net1.exe
PID 1028 wrote to memory of 1256	1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 1028 wrote to memory of 1256	1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 1028 wrote to memory of 1256	1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe
PID 1028 wrote to memory of 1256	1028	d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe
"C:\Users\Admin\AppData\Local\Temp\d5e37ee4ac4a5d9b798a2d1e80177e67dcf1ea31f21674ed8a1e20851d52f382.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:1820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:1132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:2044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:660
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:1056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:1956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  PID:624
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    PID:1404
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:1572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:896
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:1448
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  PID:1124
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    PID:1128
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:1120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:2044
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  PID:1412
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1028-0-0x0000000000C50000-0x0000000000C61000-memory.dmp

Filesize
68KB

Download
memory/1028-1-0x0000000001060000-0x0000000001071000-memory.dmp

Filesize
68KB

Download
memory/1028-2-0x0000000000C50000-0x0000000000C61000-memory.dmp

Filesize
68KB

Download