ouroboros | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e

Resubmissions

11-02-2020 15:08

200211-yh5d2v3rpa 10

11-02-2020 13:53

200211-smh4fqemta 10

Analysis

max time kernel
121s
max time network
136s
platform
windows7_x64
resource
win7v191014
submitted
11-02-2020 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
Size

986KB
MD5

934984b11e6690c10e7ad5bf1f0cf274
SHA1

5c826f0bca1460508b0a3db4b0e5f9fbd7c2104f
SHA256

95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e
SHA512

4cc96789b2c6a40b94d7dc5d3ed11876dc643172211114ee588bfc0988f00cc3508d0d1e5d39a08e29b003f12429ba46fa07ac58402d6838b7263a640b20f13e

Score

10^/10

ouroboros xmrig evasion miner ransomware

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\RenameUnregister.tiff	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CZUF3YTD\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Media\Desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Media\Raga\Desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4RHK1DJ5\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BA8Z0IE6\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Media\Festival\Desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Media\Calligraphy\Desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Media\Savanna\Desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Media\Heritage\Desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\$Recycle.Bin\S-1-5-21-1774239815-1814403401-2200974991-1000\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Media\Afternoon\Desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Media\Landscape\Desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Media\Garden\Desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\Public\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

description	flow	ioc
HTTP URL	7	http://www.sfml-dev.org/ip-provider.php

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\infocardapi.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\mcbuilder.exe	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\netapi32.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\iertutil.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-synch-l1-2-0.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\dmscript.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\idndl.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\ieapfltr.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\netbios.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\NlsLexicons004a.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\forfiles.exe	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\drmmgrtn.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\Kswdmcap.ax	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\msdadiag.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\mycomput.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\NlsData0021.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\FXSCOM.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\fthsvc.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\MsCtfMonitor.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\NaturalLanguage6.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\ndadmin.exe	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\NlsData000f.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\C_10005.NLS	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\fdProxy.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\fontext.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\nci.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\elslad.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\dpnhupnp.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\muifontsetup.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\miutils.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\DeviceCenter.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\C_720.NLS	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\duser.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\KBDARMW.DLL	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\hnetmon.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\dimsjob.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\dmloader.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\nsi.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\C_866.NLS	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\C_863.NLS	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\dpx.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\dsrole.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\bitsprx5.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\autoconv.exe	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\C_IS2022.DLL	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\dplaysvr.exe	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\iac25_32.ax	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\netprofm.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-timezone-l1-1-0.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\BWUnpairElevated.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\findstr.exe	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\msdtcuiu.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\msnetobj.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\nlsbres.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\azroleui.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\clfsw32.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\extrac32.exe	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\fphc.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SysWOW64\imapi2fs.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkClientCP	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Analysis Services\AS OLEDB\10\msmdlocal.dll.Email=[[email protected]]ID=[GYOT86K5IU3HRD1].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0144773.JPG	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PROOF\MSTH7FR.LEX	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\liba52_plugin.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\vlc.mo.Email=[[email protected]]ID=[GYOT86K5IU3HRD1].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\liblogger_plugin.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcroppadd_plugin.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_left_mousedown.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\icucnv36.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\BL00274_.WMF.Email=[[email protected]]ID=[GYOT86K5IU3HRD1].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099175.WMF.Email=[[email protected]]ID=[GYOT86K5IU3HRD1].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0174639.WMF	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.HK.XML	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libaiff_plugin.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\19.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png.Email=[[email protected]]ID=[GYOT86K5IU3HRD1].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml.Email=[[email protected]]ID=[GYOT86K5IU3HRD1].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\tipresx.dll.mui	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OneNote.en-us\OneNoteMUI.XML	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0105504.WMF	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\St_Johns.Email=[[email protected]]ID=[GYOT86K5IU3HRD1].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Honolulu.Email=[[email protected]]ID=[GYOT86K5IU3HRD1].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Norfolk.Email=[[email protected]]ID=[GYOT86K5IU3HRD1].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\HH00527_.WMF.Email=[[email protected]]ID=[GYOT86K5IU3HRD1].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveDrop32x32.gif.Email=[[email protected]]ID=[GYOT86K5IU3HRD1].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST.Email=[[email protected]]ID=[GYOT86K5IU3HRD1].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_zh_CN.jar.Email=[[email protected]]ID=[GYOT86K5IU3HRD1].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Belgrade.Email=[[email protected]]ID=[GYOT86K5IU3HRD1].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\BD10972_.GIF.Email=[[email protected]]ID=[GYOT86K5IU3HRD1].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-core-kit.xml_hidden	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_zh_4.4.0.v20140623020002.jar.Email=[[email protected]]ID=[GYOT86K5IU3HRD1].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_zh_CN.jar.Email=[[email protected]]ID=[GYOT86K5IU3HRD1].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01300_.GIF	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\msproof7.dll.Email=[[email protected]]ID=[GYOT86K5IU3HRD1].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099202.GIF.Email=[[email protected]]ID=[GYOT86K5IU3HRD1].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_scene.wmv	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr.jar.Email=[[email protected]]ID=[GYOT86K5IU3HRD1].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099157.JPG	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\w2k_lsa_auth.dll.Email=[[email protected]]ID=[GYOT86K5IU3HRD1].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMaskSmall.bmp	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\Stationery\1033\NOTEBOOK.JPG	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_transcode_plugin.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0300912.WMF.Email=[[email protected]]ID=[GYOT86K5IU3HRD1].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\Microsoft.Ink.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_ja.jar.Email=[[email protected]]ID=[GYOT86K5IU3HRD1].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\.lastModified	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_bottom.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent_partly-cloudy.png	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Java\jre7\bin\t2k.dll.Email=[[email protected]]ID=[GYOT86K5IU3HRD1].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Common Files\Microsoft Shared\THEMES14\CAPSULES\CAPSULES.ELM.Email=[[email protected]]ID=[GYOT86K5IU3HRD1].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\msmgdsrv.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0212701.WMF.Email=[[email protected]]ID=[GYOT86K5IU3HRD1].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Zurich	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\OUTLOOK.HOL	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0101867.BMP.Email=[[email protected]]ID=[GYOT86K5IU3HRD1].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0152878.WMF	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImages.jpg	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Eirunepe.Email=[[email protected]]ID=[GYOT86K5IU3HRD1].odveta	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ehome\CreateDisc\SFXPlugins\StandardFX_Plugin.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\inf\hpoa1ss.inf	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\WMINet_Utils.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Resources.Writer.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\AppLocker.psd1	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualC\74de34cd518bf49352c8346149ddfbc1\Microsoft.VisualC.ni.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\ehome\segoemcl.ttf	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\IME\IMESC5\DICTS\PINTLGB.IMD	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\NetFx40_IIS_schema_update.xml	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\2bd538d545e15452202ef3b41080e2ce\ComSvcConfig.ni.exe.aux	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Link\GB-3.url	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\PolicyDefinitions\Explorer.admx	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~et-EE~7.1.7601.16492.mum	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\AppPatch\AcLayers.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Vbe.Interop\14.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Vbe.Interop.config	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\alloc_0	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\normnfc.nlp	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\normalization.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.AddIn.Contract.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-PeerDist-Client-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.mum	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.ApplicationId.Framework.Resources\6.1.0.0_en_31bf3856ad364e35\Microsoft.ApplicationId.Framework.Resources.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Runtime.Seri#\8ad0e1382ab6565741bbb64b965f2748\System.Runtime.Serialization.Formatters.Soap.ni.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv14b62006#\2c7e795fb7d690d3b8931d360e4ce7f5\System.ServiceModel.Activation.ni.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Web.DataVisualization.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationFramework.Classic.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-InternetExplorer-Optional-Package-wrapper~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.mum	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-SecureStartup-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.mum	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1th2	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Common.OverrideTasks	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package~31bf3856ad364e35~amd64~ar-SA~7.1.7601.16492.cat	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.DynamicData.Design\3.5.0.0__31bf3856ad364e35\System.Web.DynamicData.Design.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Acti2661942e#\84846480d6281bf831a97d07f712d09e\System.Activities.DurableInstancing.ni.dll.aux	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\diagnostics\system\WindowsMediaPlayerPlayDVD\en-US\CL_LocalizationData.psd1	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\inf\mdmbsb.inf	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationHostDLL.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizardProviderInfo.ascx	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-BusinessScanning-Feature-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00009.log	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Servf73e6522#\60b93ce08d30a2fba087f8630a504cb8\System.ServiceModel.Web.ni.dll.aux	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Fonts\svgasys.fon	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Routing\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Routing.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\_ServiceModelEndpointPerfCounters.vrg	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Xaml.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~sl-SI~7.1.7601.16492.mum	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~en-GB~7.1.7601.16492.mum	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel\e27ae693b6e71bb689ec66761a65901f\System.ServiceModel.ni.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\inf\mdm5674a.inf	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\inf\tsgenericusbdriver.inf	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\_dataperfcounters_shared12_neutral.ini	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\AppSetting.ascx.resx	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\PLA\Reports\Report.System.Summary.xml	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-TerminalServices-WMIProvider-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\1033\CvtResUI.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-MediaPlayback-OC-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\ehome\MediaCenterWebLauncher.exe.manifest	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.IO.MemoryMappedFiles.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Fonts\8514oem.fon	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\inf\prnxx002.PNF	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe.config	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1053\eula.rtf	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Iden1fe87377#\2a8d6efe5a99d9e6b03587df841c2087\System.IdentityModel.Services.ni.dll	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\inf\mdmosi.inf	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-LocalPack-CA-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 1264	1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	28
PID 1108 wrote to memory of 1264	1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	28
PID 1108 wrote to memory of 1264	1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	28
PID 1108 wrote to memory of 1264	1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	28
PID 1264 wrote to memory of 1156	1264	cmd.exe	30
PID 1264 wrote to memory of 1156	1264	cmd.exe	30
PID 1264 wrote to memory of 1156	1264	cmd.exe	30
PID 1264 wrote to memory of 1156	1264	cmd.exe	30
PID 1156 wrote to memory of 820	1156	net.exe	31
PID 1156 wrote to memory of 820	1156	net.exe	31
PID 1156 wrote to memory of 820	1156	net.exe	31
PID 1156 wrote to memory of 820	1156	net.exe	31
PID 1108 wrote to memory of 1020	1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	32
PID 1108 wrote to memory of 1020	1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	32
PID 1108 wrote to memory of 1020	1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	32
PID 1108 wrote to memory of 1020	1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	32
PID 1020 wrote to memory of 1408	1020	cmd.exe	34
PID 1020 wrote to memory of 1408	1020	cmd.exe	34
PID 1020 wrote to memory of 1408	1020	cmd.exe	34
PID 1020 wrote to memory of 1408	1020	cmd.exe	34
PID 1408 wrote to memory of 1468	1408	net.exe	35
PID 1408 wrote to memory of 1468	1408	net.exe	35
PID 1408 wrote to memory of 1468	1408	net.exe	35
PID 1408 wrote to memory of 1468	1408	net.exe	35
PID 1108 wrote to memory of 1440	1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	36
PID 1108 wrote to memory of 1440	1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	36
PID 1108 wrote to memory of 1440	1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	36
PID 1108 wrote to memory of 1440	1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	36
PID 1440 wrote to memory of 1460	1440	cmd.exe	38
PID 1440 wrote to memory of 1460	1440	cmd.exe	38
PID 1440 wrote to memory of 1460	1440	cmd.exe	38
PID 1440 wrote to memory of 1460	1440	cmd.exe	38
PID 1460 wrote to memory of 596	1460	net.exe	39
PID 1460 wrote to memory of 596	1460	net.exe	39
PID 1460 wrote to memory of 596	1460	net.exe	39
PID 1460 wrote to memory of 596	1460	net.exe	39
PID 1108 wrote to memory of 544	1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	40
PID 1108 wrote to memory of 544	1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	40
PID 1108 wrote to memory of 544	1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	40
PID 1108 wrote to memory of 544	1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	40
PID 544 wrote to memory of 1348	544	cmd.exe	42
PID 544 wrote to memory of 1348	544	cmd.exe	42
PID 544 wrote to memory of 1348	544	cmd.exe	42
PID 544 wrote to memory of 1348	544	cmd.exe	42
PID 1348 wrote to memory of 1928	1348	net.exe	43
PID 1348 wrote to memory of 1928	1348	net.exe	43
PID 1348 wrote to memory of 1928	1348	net.exe	43
PID 1348 wrote to memory of 1928	1348	net.exe	43
PID 1108 wrote to memory of 1972	1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	44
PID 1108 wrote to memory of 1972	1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	44
PID 1108 wrote to memory of 1972	1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	44
PID 1108 wrote to memory of 1972	1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	44
PID 1972 wrote to memory of 1116	1972	cmd.exe	46
PID 1972 wrote to memory of 1116	1972	cmd.exe	46
PID 1972 wrote to memory of 1116	1972	cmd.exe	46
PID 1972 wrote to memory of 1116	1972	cmd.exe	46
PID 1116 wrote to memory of 2044	1116	net.exe	47
PID 1116 wrote to memory of 2044	1116	net.exe	47
PID 1116 wrote to memory of 2044	1116	net.exe	47
PID 1116 wrote to memory of 2044	1116	net.exe	47
PID 1108 wrote to memory of 2032	1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	48
PID 1108 wrote to memory of 2032	1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	48
PID 1108 wrote to memory of 2032	1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	48
PID 1108 wrote to memory of 2032	1108	95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe	48

C:\Users\Admin\AppData\Local\Temp\95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
"C:\Users\Admin\AppData\Local\Temp\95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:1468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:1928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:2044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:2032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:1264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  PID:836
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    PID:1432
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:1800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:1384
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:1276
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  PID:1852
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    PID:1232
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:2024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:2016
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  PID:820
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:1964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1108-1-0x0000000001240000-0x0000000001251000-memory.dmp

Filesize
68KB

Download
memory/1108-0-0x0000000000BB0000-0x0000000000BC1000-memory.dmp

Filesize
68KB

Download
memory/1108-2-0x0000000000BB0000-0x0000000000BC1000-memory.dmp

Filesize
68KB

Download