95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e

General

Target: 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
Filesize: 986KB
Completed: 11-02-2020 15:13
Score: 10/10
Malware Config: none shown in this report
Signatures: 13 (the five that carry reported IOCs are listed below)
MITRE ATT&CK tactics: Defense Evasion, Lateral Movement, Persistence

Summary: the sample walks the file system and rewrites files under Program Files as <name>.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta, i.e. it appends a contact address, a victim ID and the .odveta extension to each file, the hallmark of file-encrypting ransomware. The report does not name the family and does not show a ransom note. The sample also opens files for write access throughout SysWOW64, System32\catroot, System32\DriverStore and the drivers directory (tables below), so a host that ran it should be rebuilt from a known-good image rather than cleaned in place. Every IOC table is laid out as description | ioc | process.
  • Modifies service
    netsh.exe

    TTPs

    Modify Registry; Modify Existing Service

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig | netsh.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI | netsh.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs | netsh.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups | netsh.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas | netsh.exe

    Caveat: these NapAgent\LocalConfig keys are typically created by netsh.exe itself when it loads its Network Access Protection helper, whatever command it was given, so on their own they show that the sample invoked netsh, not which service (if any) it reconfigured. The netsh command line is not included in this export; recover it from the process tree or command-line logging before treating this signature as persistence.
  • Drops file in Program Files directory
    95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_ja_4.4.0.v20140623020002.jar.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Chihuahua.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File created | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AG00129_.GIF.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0101859.BMP.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\TN00687_.WMF | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0228823.WMF | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files\Java\jre7\bin\java.dll.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files\Microsoft Office\Office14\Bibliography\Sort\TITLE.XSL.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File created | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Country.gif.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\calendars.properties.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File renamed | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\msmdlocal.dll => C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\msmdlocal.dll.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File deleted | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\HH01618_.WMF | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File created | C:\Program Files\Microsoft Office\Document Themes 14\Theme Effects\Grid.eftx.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files\Microsoft Office\Office14\ENGIDX.DAT.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File deleted | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-io-ui.xml | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File deleted | C:\Program Files\Java\jre7\lib\zi\America\Toronto | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\adodb.dll.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files (x86)\Windows Defender\en-US\MpEvMsg.dll.mui | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File deleted | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfig.zip | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File created | C:\Program Files\Java\jre7\lib\zi\America\Argentina\Buenos_Aires.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File created | C:\Program Files\Microsoft Office\Document Themes 14\Foundry.thmx.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File created | C:\Program Files\Microsoft Office\Office14\PUBWIZ\MARQUEE.POC.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\DD01152_.WMF | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File deleted | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository_1.1.300.v20131211-1531.jar | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File deleted | C:\Program Files\Java\jre7\lib\zi\Asia\Irkutsk | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File created | C:\Program Files\7-Zip\Lang\br.txt.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Belize.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libaom_plugin.dll | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File created | C:\Program Files\Java\jre7\lib\fontconfig.bfc.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File deleted | C:\Program Files\VideoLAN\VLC\lua\intf\dumpmeta.luac | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File created | C:\Program Files\Java\jdk1.7.0_80\db\3RDPARTY.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File renamed | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.jrockit.mc.rcp.product_root_5.5.0.165303 => C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.jrockit.mc.rcp.product_root_5.5.0.165303.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA02439_.WMF | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File deleted | C:\Program Files\Microsoft Office\Office14\mscss7es.dll | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\tab_off.gif.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File deleted | C:\Program Files\Microsoft Office\Office14\PUBWIZ\DGATNGET.XML | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSOSV.DLL | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files\Java\jre7\lib\jce.jar | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01253_.GIF | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File deleted | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\artifacts.xml | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0239951.WMF.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files\Java\jre7\lib\accessibility.properties | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files\Microsoft Office\Office14\ACCDDS.DLL | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File created | C:\Program Files\Microsoft Office\Office14\Groove\Sounds\Places\TOOT.WAV.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\JdbcOdbc.dll.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115835.GIF.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File created | C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME41.CSS.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\audio_output\libwasapi_plugin.dll | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341448.JPG.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File deleted | C:\Program Files\Microsoft Office\Document Themes 14\Trek.thmx | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File created | C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES\BD14677_.GIF.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files\Microsoft Office\Office14\PUBWIZ\RESUME.DPV.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh88.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\MSOINTL.DLL.IDX_DLL | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files\Microsoft Office\Office14\MCPS.DLL | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\DataServices\+NewSQLServerConnection.odc.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\stdole.dll.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kuala_Lumpur.Email=[lilmoonhack6677@protonmail.com]ID=[5YA7XGQRLH92VO1].odveta | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
  • Drops file in System32 directory
    95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\en-US\UIAnimation.dll.mui | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\fi-FI\WMPhoto.dll.mui | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\FirewallAPI.dll | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\pcl.sep | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\wiavideo.dll | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Shell-WinIP-Package~31bf3856ad364e35~amd64~el-GR~7.1.7601.16492.cat | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnca00b.inf_amd64_neutral_4412894f52d39895\prnca00b.cat | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnca00f.inf_amd64_neutral_777b6911d18869b7\Amd64\CNB_0274.DLL | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\modemui.dll | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package~31bf3856ad364e35~amd64~sl-SI~7.1.7601.16492.cat | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_neutral_aad30bdeec04ea5e\amdide.sys | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\wiacn001.inf_amd64_neutral_b7a0b2f53d745b5a\CNHL750S.DLL | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_neutral_aad30bdeec04ea5e\mshdc.inf | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\migwiz\dlmanifests\BITSExtensions-Server-DL.man | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpfrsw71.dll | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnsh002.inf_amd64_neutral_42b7a64f45c7554c\Amd64\SHJ11N03.GPD | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\en-US\keyiso.dll.mui | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB2534111_SP1~31bf3856ad364e35~amd64~~6.1.1.0.cat | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-Multimedia-Package~31bf3856ad364e35~amd64~ar-SA~7.1.7601.16492.cat | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\hcw72b64.inf_amd64_neutral_023772237d3a4ade\hcw72b64.PNF | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnep00d.inf_amd64_neutral_dd61103f3a2743d4\Amd64\EP0NGJ9F.GPD | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnin004.inf_amd64_neutral_c8902ae660ab1360\Amd64\IF1331E3.PPD | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\RegCtrl.dll | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M\desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\DriverStore\en-US\wiabr005.inf_loc | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnsh002.inf_amd64_neutral_42b7a64f45c7554c\prnsh002.PNF | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\igkrng500.bin | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mdmgl005.inf_amd64_neutral_8b56291bfd2a4061\mdmgl005.PNF | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\dswave.dll | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\fsmgmt.msc | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\FXSRESM.dll | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\msnetobj.dll | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\NlsLexicons0046.dll | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnlx004.cat | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnca00e.inf_amd64_neutral_651eeed98428be5e\Amd64\CNB_0297.DLL | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnlx005.inf_amd64_neutral_f65eeb9bff6bd8f3\Amd64\LMW812.GPD | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnsv004.inf_amd64_neutral_fc4526bbfbd5feb1\Amd64\SV2191E3.PPD | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\windowssideshowenhanceddriver.inf_amd64_neutral_184a2ef2a8f57c33\windowssideshowenhanceddriver.PNF | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\en-US\ipnathlp.dll.mui | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\zh-CN\DWrite.dll.mui | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\en-US\keymgr.dll.mui | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\wbem\ssdpsrv.mof | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\MPG4DECD.DLL | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnlx00b.cat | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\hiddigi.inf_amd64_neutral_12aaf5742a9969da\hiddigi.inf | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LIMC0.DLL | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnlx003.inf_amd64_neutral_d1510a8315a2ea0d\Amd64\LXE342N.GPD | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\xcbdav.inf_amd64_neutral_cf80e4da1c95e6e2\xcmemVx64.sys | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\WinFax.dll | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-DesktopWindowManager-uDWM-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\IDStore.dll | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\kmddsp.tsp | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\NlsData081a.dll | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\ocsetapi.dll | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\sdiagnhost.exe | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\shellstyle.dll | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\DriverStore\en-US\flpydisk.inf_loc | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\cxfalpal_ibv64.inf_amd64_neutral_4c42ac5f00413365\merlinc.rom | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnsh002.inf_amd64_neutral_42b7a64f45c7554c\Amd64\SHC23N03.GPD | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\tape.inf_amd64_neutral_c6a6811d3d827dba\exabyte2.sys | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\dhcpcore.dll | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Anytime-Upgrade-Package~31bf3856ad364e35~amd64~en-US~6.1.7600.16385.cat | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Help-CoreClientUAHP-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Shell-WinIP-Package~31bf3856ad364e35~amd64~zh-TW~7.1.7601.16492.cat | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
  • Drops file in Drivers directory
    95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\drivers\wimmount.sys | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\drivers\gm.dls | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
  • Drops desktop.ini
    95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Users\Admin\Saved Games\desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File deleted | C:\Program Files\desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Users\Admin\Contacts\desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\Web\Wallpaper\Architecture\Desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Users\Admin\Documents\desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\Media\Garden\Desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_6.1.7600.16385_none_7ff91f5d2dd6c770\Desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File created | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CZUF3YTD\desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File created | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZQBF4MQS\desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BA8Z0IE6\desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\Media\Desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\Media\Quirky\Desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_8.0.7601.17514_none_da0c2f9edf5b1353\desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..l-soundthemes-delta_31bf3856ad364e35_6.1.7600.16385_none_fbf7e0678b64a4b8\Desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File deleted | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File deleted | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\6Y38LIXE\desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File created | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\Media\Savanna\Desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..ndthemes-characters_31bf3856ad364e35_6.1.7600.16385_none_08da32b0fdad9220\Desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-nature_31bf3856ad364e35_6.1.7600.16385_none_d5909570704a09c0\Desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File created | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CZUF3YTD\desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Users\Admin\Links\desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File created | C:\Users\Admin\Downloads\desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZQBF4MQS\desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modificationC:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-quirky_31bf3856ad364e35_6.1.7600.16385_none_e55404efe49bb9cb\Desktop.ini95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modificationC:\Windows\winsxs\amd64_microsoft-windows-videosamples_31bf3856ad364e35_6.1.7600.16385_none_51a21f033003affd\desktop.ini95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modificationC:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File deletedC:\Users\Admin\Favorites\desktop.ini95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File deletedC:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File deletedC:\Users\Public\Music\desktop.ini95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modificationC:\Users\Admin\Downloads\desktop.ini95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modificationC:\Windows\winsxs\amd64_microsoft-windows-m..-us-links-component_31bf3856ad364e35_6.1.7601.17514_none_b325aa489d61d3a5\desktop.ini95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File createdC:\Users\Public\Downloads\desktop.ini95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File deletedC:\Users\Public\Pictures\Sample Pictures\desktop.ini95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modificationC:\Users\Public\Music\desktop.ini95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modificationC:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modificationC:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-festival_31bf3856ad364e35_6.1.7600.16385_none_121f20b55f0bde68\Desktop.ini95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File createdC:\Users\Public\Videos\Sample Videos\desktop.ini95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modificationC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modificationC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modificationC:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_8.0.7600.16385_none_add5a10aa4d614d5\desktop.ini95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modificationC:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-sonata_31bf3856ad364e35_6.1.7600.16385_none_201752c112c5078c\Desktop.ini95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File createdC:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modificationC:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modificationC:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-landscape_31bf3856ad364e35_6.1.7600.16385_none_7a83a914edc3de49\Desktop.ini95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File deletedC:\Users\Admin\Desktop\desktop.ini95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modificationC:\Users\Public\Documents\desktop.ini95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modificationC:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File createdC:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\6Y38LIXE\desktop.ini95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modificationC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modificationC:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_6.1.7600.16385_none_da623240a154f357\Desktop.ini95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modificationC:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\Desktop.ini95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
  • Drops startup file
    95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
  • Suspicious use of WriteProcessMemory
    95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe, cmd.exe, net.exe, cmd.exe, net.exe, cmd.exe, net.exe, cmd.exe, net.exe, cmd.exe, net.exe

    Reported IOCs

    description | pid | process | target process
    PID 616 wrote to memory of 1100 | 616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe | cmd.exe
    PID 616 wrote to memory of 1100 | 616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe | cmd.exe
    PID 616 wrote to memory of 1100 | 616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe | cmd.exe
    PID 616 wrote to memory of 1100 | 616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe | cmd.exe
    PID 1100 wrote to memory of 1052 | 1100 | cmd.exe | net.exe
    PID 1100 wrote to memory of 1052 | 1100 | cmd.exe | net.exe
    PID 1100 wrote to memory of 1052 | 1100 | cmd.exe | net.exe
    PID 1100 wrote to memory of 1052 | 1100 | cmd.exe | net.exe
    PID 1052 wrote to memory of 2012 | 1052 | net.exe | net1.exe
    PID 1052 wrote to memory of 2012 | 1052 | net.exe | net1.exe
    PID 1052 wrote to memory of 2012 | 1052 | net.exe | net1.exe
    PID 1052 wrote to memory of 2012 | 1052 | net.exe | net1.exe
    PID 616 wrote to memory of 1160 | 616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe | cmd.exe
    PID 616 wrote to memory of 1160 | 616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe | cmd.exe
    PID 616 wrote to memory of 1160 | 616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe | cmd.exe
    PID 616 wrote to memory of 1160 | 616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe | cmd.exe
    PID 1160 wrote to memory of 308 | 1160 | cmd.exe | net.exe
    PID 1160 wrote to memory of 308 | 1160 | cmd.exe | net.exe
    PID 1160 wrote to memory of 308 | 1160 | cmd.exe | net.exe
    PID 1160 wrote to memory of 308 | 1160 | cmd.exe | net.exe
    PID 308 wrote to memory of 892 | 308 | net.exe | net1.exe
    PID 308 wrote to memory of 892 | 308 | net.exe | net1.exe
    PID 308 wrote to memory of 892 | 308 | net.exe | net1.exe
    PID 308 wrote to memory of 892 | 308 | net.exe | net1.exe
    PID 616 wrote to memory of 276 | 616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe | cmd.exe
    PID 616 wrote to memory of 276 | 616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe | cmd.exe
    PID 616 wrote to memory of 276 | 616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe | cmd.exe
    PID 616 wrote to memory of 276 | 616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe | cmd.exe
    PID 276 wrote to memory of 2036 | 276 | cmd.exe | net.exe
    PID 276 wrote to memory of 2036 | 276 | cmd.exe | net.exe
    PID 276 wrote to memory of 2036 | 276 | cmd.exe | net.exe
    PID 276 wrote to memory of 2036 | 276 | cmd.exe | net.exe
    PID 2036 wrote to memory of 1332 | 2036 | net.exe | net1.exe
    PID 2036 wrote to memory of 1332 | 2036 | net.exe | net1.exe
    PID 2036 wrote to memory of 1332 | 2036 | net.exe | net1.exe
    PID 2036 wrote to memory of 1332 | 2036 | net.exe | net1.exe
    PID 616 wrote to memory of 1632 | 616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe | cmd.exe
    PID 616 wrote to memory of 1632 | 616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe | cmd.exe
    PID 616 wrote to memory of 1632 | 616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe | cmd.exe
    PID 616 wrote to memory of 1632 | 616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe | cmd.exe
    PID 1632 wrote to memory of 1452 | 1632 | cmd.exe | net.exe
    PID 1632 wrote to memory of 1452 | 1632 | cmd.exe | net.exe
    PID 1632 wrote to memory of 1452 | 1632 | cmd.exe | net.exe
    PID 1632 wrote to memory of 1452 | 1632 | cmd.exe | net.exe
    PID 1452 wrote to memory of 1816 | 1452 | net.exe | net1.exe
    PID 1452 wrote to memory of 1816 | 1452 | net.exe | net1.exe
    PID 1452 wrote to memory of 1816 | 1452 | net.exe | net1.exe
    PID 1452 wrote to memory of 1816 | 1452 | net.exe | net1.exe
    PID 616 wrote to memory of 1404 | 616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe | cmd.exe
    PID 616 wrote to memory of 1404 | 616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe | cmd.exe
    PID 616 wrote to memory of 1404 | 616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe | cmd.exe
    PID 616 wrote to memory of 1404 | 616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe | cmd.exe
    PID 1404 wrote to memory of 1908 | 1404 | cmd.exe | net.exe
    PID 1404 wrote to memory of 1908 | 1404 | cmd.exe | net.exe
    PID 1404 wrote to memory of 1908 | 1404 | cmd.exe | net.exe
    PID 1404 wrote to memory of 1908 | 1404 | cmd.exe | net.exe
    PID 1908 wrote to memory of 1796 | 1908 | net.exe | net1.exe
    PID 1908 wrote to memory of 1796 | 1908 | net.exe | net1.exe
    PID 1908 wrote to memory of 1796 | 1908 | net.exe | net1.exe
    PID 1908 wrote to memory of 1796 | 1908 | net.exe | net1.exe
    PID 616 wrote to memory of 1372 | 616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe | cmd.exe
    PID 616 wrote to memory of 1372 | 616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe | cmd.exe
    PID 616 wrote to memory of 1372 | 616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe | cmd.exe
    PID 616 wrote to memory of 1372 | 616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe | cmd.exe
  • Modifies Windows Firewall

    TTPs

    Modify Existing Service
  • Ouroboros/Zeropadypt

    Description

    Ransomware family based on open-source CryptoWire

  • Drops file in Windows directory
    95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\bbbbd997a1621cf1e739f922fe653459\Accessibility.ni.dll | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_he-il_d3a012aba7980adc_comdlg32.dll.mui_ac8e62f4 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\FileMaps\$$_system32_ime_imekr8_dicts_4b36d5aba5194cae.cdf-ms | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-iis-metabase_31bf3856ad364e35_6.1.7601.17514_none_9757fd443892abe7\metadata.dll | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-netshell_31bf3856ad364e35_6.1.7601.17514_none_33a9704224aa536e\office_32.bin | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_6.1.7600.16385_none_70644a8bdb0d9303_app857.fon_e51c02f4 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\Manifests\amd64_microsoft-windows-u..oyment-languagepack_31bf3856ad364e35_7.1.7601.16492_zh-cn_d19f8e0194d8706a.manifest | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\webAdmin.master | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\default.aspx.resx | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\servicing\Packages\Package_1_for_KB2872035~31bf3856ad364e35~amd64~~6.1.1.0.mum | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\servicing\Packages\Server-Help-Package.ClientUltimate~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\Manifests\amd64_netrtx64.inf_31bf3856ad364e35_6.1.7600.16385_none_aa7bee9a02fd3a89.manifest | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2d7749943fcc6ea3\gadget.xml | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\Manifests\x86_microsoft-windows-i..converter.resources_31bf3856ad364e35_8.0.7600.16385_en-us_659f28693168f6d9.manifest | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-m..ents-mdac-oledb-jvs_31bf3856ad364e35_6.1.7600.16385_none_f4451c405d22eaee\oledbjvs.inc | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\Manifests\wow64_microsoft-windows-iis-w3svc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d682417a74f73fad.manifest | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\Manifests\wow64_microsoft-windows-installer-engine_31bf3856ad364e35_6.1.7601.17514_none_6bf52decfe850b3d.manifest | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\Manifests\x86_microsoft-windows-accessibilitycpl_31bf3856ad364e35_6.1.7601.17514_none_5b652abeb21da986.manifest | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..ntationsettings-adm_31bf3856ad364e35_6.1.7600.16385_none_beb16d1f6f065720\MobilePCPresentationSettings.admx | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-t..languages.resources_31bf3856ad364e35_6.1.7601.17514_he-il_f7a58af1e8c52611\tipresx.dll.mui | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\amd64_prnin003.inf_31bf3856ad364e35_6.1.7600.16385_none_11a5503ce5abb7ec\Amd64\IF60006.GPD | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_6.1.7600.16385_none_59590e92c817a4e0_vga866.fon_08f91131 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpoa820t.gpd | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\servicing\Packages\Package_for_KB4019990_RTM~31bf3856ad364e35~amd64~~6.1.1.2.mum | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-speechcommonnoia64_31bf3856ad364e35_6.1.7600.16385_none_5e9e78a6dd413413\sapisvr.exe | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\Manifests\amd64_microsoft-windows-w..ion-twaincomponents_31bf3856ad364e35_6.1.7600.16385_none_e52725ef75e1ac75.manifest | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\Manifests\wow64_microsoft-windows-n..essprotection-agent_31bf3856ad364e35_6.1.7601.17514_none_6f12e4df3881433f.manifest | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-uianimation.resources_31bf3856ad364e35_7.1.7601.16492_en-us_26c646437cfad63b\UIAnimation.dll.mui | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\Manifests\x86_microsoft-windows-netutils_31bf3856ad364e35_6.1.7601.17514_none_3220778aa85afd05.manifest | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-m..xe-common.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5b98d9b84461de76\msinfo32.exe.mui | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7600.16385_none_655452efe0fb810b\drvstore.dll | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..unterinfrastructure_31bf3856ad364e35_6.1.7601.17514_none_da00ad1949e715ad_perfhost.exe_df3332ad | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\Manifests\amd64_win7-microsoft-wind..oyment-languagepack_31bf3856ad364e35_7.1.7601.16492_hu-hu_71ce306e4cce182c.manifest | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\Catalogs\88b03fe13d2710ad787d5d96cd0e5cbeda3a61c2a0a2bdc0c0984a48365242e2.cat | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\Manifests\wow64_microsoft-windows-i..-wow64-setupdll0012_31bf3856ad364e35_6.1.7600.16385_none_4a948a3cc9a258d5.manifest | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\Manifests\x86_microsoft-windows-m..codepage-translator_31bf3856ad364e35_6.1.7600.16385_none_9f1126b3087c2a1e.manifest | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Data.DataSetExtensions.dll | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.ServiceModel.Http.dll | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ciphersuiteorder-adm_31bf3856ad364e35_6.1.7600.16385_none_5094a717453be501\CipherSuiteOrder.admx | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-mprmsg_31bf3856ad364e35_6.1.7600.16385_none_6f82e5f16d1409ef_mprmsg.dll_6fff912a | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\Catalogs\0912a4aa2c0469dcf1aaedcd5b3ecfd0a0da1ccb806570a23bb8d1f098333410.cat | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\Manifests\amd64_microsoft-windows-t..aceruntimeproxystub_31bf3856ad364e35_6.1.7600.16385_none_752bb27b7805f09f.manifest | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\msil_microsoft.vsa_b03f5f7f11d50a3a_6.1.7600.16385_none_3cd6766af66d6f0e\Microsoft.Vsa.dll | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_nl-nl_02354b58460a7e0e\msimsg.dll.mui | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-photosamples_31bf3856ad364e35_6.1.7600.16385_none_f36e0e659b8042be\SampleRes.dll | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-winocr-ocrengines_31bf3856ad364e35_6.1.7600.16385_none_ff3a08834cc21b39\danish.lng | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\amd64_usbstor.inf_31bf3856ad364e35_6.1.7601.17514_none_a6ac5425ae72a584\USBSTOR.SYS | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\Manifests\amd64_microsoft-windows-fde.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ea7c6d7b127d845f.manifest | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\Manifests\amd64_microsoft-windows-p..oyment-languagepack_31bf3856ad364e35_6.1.7600.16385_en-us_9679a34217f441ab.manifest | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\Manifests\wow64_microsoft-windows-i..l-keyboard-00040409_31bf3856ad364e35_6.1.7600.16385_none_dd9109d87a461b48.manifest | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\diagnostics\system\Printer\TS_NoPrinterInstalled.ps1 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-msf_31bf3856ad364e35_6.1.7600.16385_none_04782099750e6ed7\WinSync.dll | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\amd64_microsoft.powershell.dsc_31bf3856ad364e35_7.2.7601.16406_none_fd6b01d489239060\PSDesiredStateConfiguration.psm1 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\FileMaps\programdata_microsoft_crypto_dss_machinekeys_43de8c451bf80cb4.cdf-ms | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-msf.resources_31bf3856ad364e35_6.1.7601.17514_en-us_810c155fd815ebfc\WinSync.rll.mui | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76_osknumpadbase.xml_7f05a37a | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-gdi-painting_31bf3856ad364e35_6.1.7600.16385_none_77422e3e7d5fa732\msimg32.dll | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\amd64_prnbr005.inf_31bf3856ad364e35_6.1.7600.16385_none_4b6471420f8b03d9\Amd64\BRMF549C.GPD | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-winbio.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f7cfb58904f20330.manifest | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\Manifests\amd64_monitor.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aaddae437320dd38.manifest | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\Manifests\wow64_microsoft-windows-icm-ui_31bf3856ad364e35_6.1.7600.16385_none_a0a25363eee12f40.manifest | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-dxptasks-ringtone_31bf3856ad364e35_6.1.7601.17514_none_0cb2f60328a1fa24\DXPTaskRingtone.dll | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    File opened for modification | C:\Windows\winsxs\Manifests\amd64_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7601.17514_none_e5c0334cfcbb6f1f.manifest | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
  • Runs net.exe
  • Drops autorun.inf file
    95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe

    TTPs

    Replication Through Removable Media

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_6.1.7600.16385_none_de06b4fbd5b45f78\autorun.inf | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
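The desktop.ini, startup-file, Windows-directory and autorun.inf tables above are the raw rows behind the signature names that the process list further down attaches to PID 616. The following is an added example, not part of this report and not the sandbox's own rule set: a small triage pass over rows of that shape that buckets each path into those signatures and then asks the question that matters for a ransomware verdict, namely whether one process touched desktop.ini in many unrelated directories while also writing under C:\Windows and into a Startup folder. The regexes in RULES are my approximation of each signature, SAMPLE_EVENTS is a constructed subset of the report's paths plus one benign document, and the three-directory threshold is an assumption.

```python
from __future__ import annotations

import re
from collections import Counter
from typing import Iterable

# Path patterns approximating the signature names used in this report (my own
# regexes, not the sandbox's rule definitions); matched against the lower-cased path.
RULES = {
    "Drops startup file":                    re.compile(r"\\start menu\\programs\\startup\\"),
    "Drops desktop.ini":                     re.compile(r"\\desktop\.ini$"),
    "Drops autorun.inf file":                re.compile(r"\\autorun\.inf$"),
    "Drops file in Windows directory":       re.compile(r"^c:\\windows\\"),
    "Drops file in Program Files directory": re.compile(r"^c:\\program files( \(x86\))?\\"),
    "Drops file in System32 directory":      re.compile(r"^c:\\windows\\(system32|syswow64)\\"),
    "Drops file in Drivers directory":       re.compile(r"^c:\\windows\\system32\\drivers\\"),
}

# Constructed events in the (description, path) shape of the tables above: a subset of
# the report's own paths plus one benign user document for contrast.
SAMPLE_EVENTS = [
    ("File opened for modification", r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"),
    ("File opened for modification", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"),
    ("File deleted",                 r"C:\Users\Admin\Desktop\desktop.ini"),
    ("File created",                 r"C:\Users\Public\Downloads\desktop.ini"),
    ("File opened for modification", r"C:\Windows\winsxs\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_6.1.7600.16385_none_de06b4fbd5b45f78\autorun.inf"),
    ("File opened for modification", r"C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe"),
    ("File opened for modification", r"C:\Windows\winsxs\amd64_usbstor.inf_31bf3856ad364e35_6.1.7601.17514_none_a6ac5425ae72a584\USBSTOR.SYS"),
    ("File opened for modification", r"C:\Users\Admin\Documents\notes.txt"),  # constructed benign row
]


def classify(path: str) -> set[str]:
    """Return the set of signature names whose path pattern matches this path."""
    lowered = path.lower()
    return {name for name, rx in RULES.items() if rx.search(lowered)}


def summarize(events: Iterable[tuple[str, str]]) -> dict:
    """Count signature hits and actions, plus how many distinct directories had their
    desktop.ini touched (the spread across directories matters more than the raw count)."""
    hits: Counter[str] = Counter()
    actions: Counter[str] = Counter()
    desktop_ini_dirs: set[str] = set()
    for action, path in events:
        actions[action] += 1
        sigs = classify(path)
        hits.update(sigs)
        if "Drops desktop.ini" in sigs:
            desktop_ini_dirs.add(path.lower().rsplit("\\", 1)[0])
    return {"signatures": dict(hits), "actions": dict(actions),
            "desktop_ini_dirs": len(desktop_ini_dirs)}


def is_mass_file_tamper(summary: dict, min_dirs: int = 3) -> bool:
    """desktop.ini only carries folder-view metadata and ordinary software does not
    rewrite it in bulk. Touching it in many unrelated directories while also writing
    under C:\\Windows and into a Startup folder is the footprint of a crawler that
    modifies every file it can reach. The min_dirs threshold is an assumption."""
    sigs = summary["signatures"]
    return (summary["desktop_ini_dirs"] >= min_dirs
            and sigs.get("Drops file in Windows directory", 0) > 0
            and sigs.get("Drops startup file", 0) > 0)


if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS)
    for name, count in sorted(report["signatures"].items()):
        print(f"{count:3d}  {name}")
    print("mass file tamper:", is_mass_file_tamper(report))
```

Feeding the full tables through `summarize` rather than the sample gives the same verdict with much higher counts; the point of the directory-spread check is that a legitimate installer also writes under C:\Windows and Program Files, but it does not rewrite desktop.ini in the user's Downloads, Favorites and Public folders on the way.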
  • Suspicious behavior: EnumeratesProcesses
    95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe

    Reported IOCs

    pid | process
    616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    616 | 95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
Processes 32
  • C:\Users\Admin\AppData\Local\Temp\95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe
    "C:\Users\Admin\AppData\Local\Temp\95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe"
    Drops file in Program Files directory
    Drops file in System32 directory
    Drops file in Drivers directory
    Drops desktop.ini
    Drops startup file
    Suspicious use of WriteProcessMemory
    Drops file in Windows directory
    Drops autorun.inf file
    Suspicious behavior: EnumeratesProcesses
    PID:616
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop SQLWriter
      Suspicious use of WriteProcessMemory
      PID:1100
      • C:\Windows\SysWOW64\net.exe
        net stop SQLWriter
        Suspicious use of WriteProcessMemory
        PID:1052
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop SQLWriter
          PID:2012
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop SQLBrowser
      Suspicious use of WriteProcessMemory
      PID:1160
      • C:\Windows\SysWOW64\net.exe
        net stop SQLBrowser
        Suspicious use of WriteProcessMemory
        PID:308
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop SQLBrowser
          PID:892
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
      Suspicious use of WriteProcessMemory
      PID:276
      • C:\Windows\SysWOW64\net.exe
        net stop MSSQLSERVER
        Suspicious use of WriteProcessMemory
        PID:2036
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop MSSQLSERVER
          PID:1332
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
      Suspicious use of WriteProcessMemory
      PID:1632
      • C:\Windows\SysWOW64\net.exe
        net stop MSSQL$CONTOSO1
        Suspicious use of WriteProcessMemory
        PID:1452
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop MSSQL$CONTOSO1
          PID:1816
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop MSDTC
      Suspicious use of WriteProcessMemory
      PID:1404
      • C:\Windows\SysWOW64\net.exe
        net stop MSDTC
        Suspicious use of WriteProcessMemory
        PID:1908
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop MSDTC
          PID:1796
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
      PID:1372
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
      PID:2012
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
      PID:1092
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
      PID:1252
      • C:\Windows\SysWOW64\net.exe
        net stop SQLSERVERAGENT
        PID:1392
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop SQLSERVERAGENT
          PID:1416
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
      PID:1812
      • C:\Windows\SysWOW64\net.exe
        net stop MSSQLSERVER
        PID:1984
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop MSSQLSERVER
          PID:1980
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop vds
      PID:1964
      • C:\Windows\SysWOW64\net.exe
        net stop vds
        PID:1500
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop vds
          PID:2044
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
      PID:1108
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall set currentprofile state off
        Modifies service
        PID:1368
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
      PID:1164
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall set opmode mode=disable
        Modifies service
        PID:484
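The process tree above is the part of this report a detection engineer cares about most: before touching user data, PID 616 spawns cmd.exe chains that stop the SQL Server, MSDTC and VDS services, turn off boot recovery with bcdedit, delete the wbadmin backup catalog and disable the firewall through netsh. None of those commands is malicious on its own; all of them under one parent are. The following is an added example, not part of this report or of any sandbox, showing how to reconstruct that tree from process-creation events and attribute every tripped rule to its root process. The EVENTS list is constructed from the PIDs and command lines in the tree (ppid 0 is a placeholder for the root, whose parent the report does not show), the regexes in RULES are my own, and the three-category threshold is an assumption. Note that PID 2012 appears twice in the report, first as net1.exe and later as cmd.exe, so the tree builder resolves a parent PID to the most recent earlier event with that PID instead of a flat pid-to-parent map.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Command-line patterns for the four pre-encryption steps in the tree above, matched
# against the lower-cased command line. My own regexes, not the sandbox's signatures.
RULES = {
    "stops SQL/MSDTC/VDS services": re.compile(
        r"\bnet1?(\.exe)?\s+stop\s+(sqlwriter|sqlbrowser|sqlserveragent|mssql\$?\S*|msdtc|vds)\b"),
    "disables boot recovery": re.compile(
        r"\bbcdedit\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
    "deletes backup catalog": re.compile(r"\bwbadmin\b.*\bdelete\s+catalog\b"),
    "disables Windows Firewall": re.compile(
        r"\bnetsh\b.*(advfirewall\s+set\s+\S+\s+state\s+off|firewall\s+set\s+opmode\s+mode=disable)"),
}

ROOT = r"C:\Users\Admin\AppData\Local\Temp\95a0cdecb7f933ee8768acf2c04718c3d02c10d10e580bd85786252c1091706e.exe"
CMD, NET, NET1, NETSH = (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\net.exe",
                         r"C:\Windows\SysWOW64\net1.exe", r"C:\Windows\SysWOW64\netsh.exe")

# Constructed process-creation events (pid, ppid, image, command line) replaying part of
# the tree above in creation order. PIDs and command lines are copied from the report;
# ppid 0 is a placeholder for the root, whose parent the report does not show. The last
# row is constructed benign noise that must not be flagged.
EVENTS = [
    (616,  0,    ROOT,  f'"{ROOT}"'),
    (1100, 616,  CMD,   r"C:\Windows\system32\cmd.exe /c net stop SQLWriter"),
    (1052, 1100, NET,   "net stop SQLWriter"),
    (2012, 1052, NET1,  r"C:\Windows\system32\net1 stop SQLWriter"),
    (276,  616,  CMD,   r"C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER"),
    (2036, 276,  NET,   "net stop MSSQLSERVER"),
    (1332, 2036, NET1,  r"C:\Windows\system32\net1 stop MSSQLSERVER"),
    (1632, 616,  CMD,   r"C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1"),
    (1372, 616,  CMD,   r"C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    (2012, 616,  CMD,   r"C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no"),  # PID 2012 reused
    (1092, 616,  CMD,   r"C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet"),
    (1964, 616,  CMD,   r"C:\Windows\system32\cmd.exe /c net stop vds"),
    (1108, 616,  CMD,   r"C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off"),
    (1368, 1108, NETSH, "netsh advfirewall set currentprofile state off"),
    (1164, 616,  CMD,   r"C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable"),
    (484,  1164, NETSH, "netsh firewall set opmode mode=disable"),
    (3000, 0,    CMD,   r"C:\Windows\system32\cmd.exe /c net stop Spooler"),  # constructed, should not fire
]


def match_rules(cmdline: str) -> set[str]:
    """Return the names of every rule whose pattern matches this command line."""
    lowered = cmdline.lower()
    return {name for name, rx in RULES.items() if rx.search(lowered)}


def build_tree(events) -> dict[int, int | None]:
    """Map each event index to its parent's event index. A ppid is resolved to the most
    recent earlier event with that pid, so a recycled PID (2012 above is first net1.exe,
    later cmd.exe) links to the process that was alive when the child was created."""
    last_seen: dict[int, int] = {}
    parent_of: dict[int, int | None] = {}
    for i, (pid, ppid, _image, _cmd) in enumerate(events):
        parent_of[i] = last_seen.get(ppid)
        last_seen[pid] = i
    return parent_of


def root_of(i: int, parent_of: dict[int, int | None]) -> int:
    """Walk parent links up to the event with no recorded parent."""
    while parent_of[i] is not None:
        i = parent_of[i]
    return i


def attribute(events) -> dict[int, set[str]]:
    """Collect, per root event index, the rule names tripped anywhere in its subtree, so
    the three-deep cmd.exe -> net.exe -> net1.exe chains all count against the sample."""
    parent_of = build_tree(events)
    per_root: dict[int, set[str]] = defaultdict(set)
    for i, (_pid, _ppid, _image, cmd) in enumerate(events):
        hits = match_rules(cmd)
        if hits:
            per_root[root_of(i, parent_of)] |= hits
    return per_root


def verdicts(events, threshold: int = 3) -> dict[int, list[str]]:
    """Return {root pid: sorted rule names} for roots tripping at least `threshold`
    distinct categories. One service stop alone is admin noise; all four together are
    the ransomware pre-encryption sequence. The threshold is an assumption."""
    return {events[r][0]: sorted(hits)
            for r, hits in attribute(events).items() if len(hits) >= threshold}


if __name__ == "__main__":
    for pid, hits in verdicts(EVENTS).items():
        print(f"PID {pid}: {', '.join(hits)}")
```

Attributing by root rather than by the process that ran the command is what makes this usable: the command lines that match belong to cmd.exe, net.exe and netsh.exe, none of which is the thing you want to kill, and the same chain shape appears whether the sample launches five chains or fifty.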
Network
MITRE ATT&CK Matrix
    Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Privilege Escalation
Downloads
  • memory/616-0-0x0000000000AE0000-0x0000000000AF1000-memory.dmp
  • memory/616-1-0x0000000001340000-0x0000000001351000-memory.dmp
  • memory/616-2-0x0000000000AE0000-0x0000000000AF1000-memory.dmp