ouroboros | 39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913

Analysis

max time kernel
56s
max time network
62s
platform
windows10_x64
resource
win10
submitted
17-09-2020 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
Size

986KB
MD5

f792655e03042e9ca4cb8c89e4103c8a
SHA1

4ae946b8712114fca1bbf6dd392eb26a8c874586
SHA256

39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913
SHA512

92ab9d00decc68126274425ae261441bd62eebd036c6c60a7c6cd860f0a8b1e6786c80042763f8dabb2db831152f322be58a067a6b8f21f95f953ffa8ec010b5

Score

10^/10

ouroboros evasion ransomware spyware

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\MoveSearch.tiff	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

Drops startup file 1 IoCs

Processes:

39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

Processes:

39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

description	ioc	process
File created	C:\Program Files\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2066881839-3229799743-3576549721-1000\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\SystemData\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\Cookies\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\Media\Desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu Places\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\SystemData\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File created	C:\$Recycle.Bin\S-1-5-21-2066881839-3229799743-3576549721-1000\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 5 http://www.sfml-dev.org/ip-provider.php
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091
Drops file in System32 directory 1 IoCs

Processes:

39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\regedit.exe 39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

description	flow	ioc
HTTP URL	5	http://www.sfml-dev.org/ip-provider.php

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\regedit.exe	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

Drops file in Program Files directory 64 IoCs

Processes:

39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.V7.dll	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\CardBacks\CardBack3.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\BadgeLogo\PaintApplist.scale-150.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\SurfaceProfiles\FlatPaperDetail.dds	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\1033\PortalConnect.dll	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Backgrounds\Classic.jpg	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.scale-200.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\rename.svg	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\rhp_world_icon.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml.Email=[[email protected]]ID=[31WUGVF6MKJSED4].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-io.xml.Email=[[email protected]]ID=[31WUGVF6MKJSED4].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_ja.jar	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ppd.xrm-ms	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\theme.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\Welcome.html.Email=[[email protected]]ID=[31WUGVF6MKJSED4].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File created	C:\Program Files\7-Zip\7-zip.chm.Email=[[email protected]]ID=[31WUGVF6MKJSED4].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\management\snmp.acl.template	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\DBGHELP.DLL	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb.Email=[[email protected]]ID=[31WUGVF6MKJSED4].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL111.XML	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\Microsoft.Advertising.dll	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\am_get.svg	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psm1	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\time.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\cf_60x42.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\ui-strings.js	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msdaosp.dll	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png.Email=[[email protected]]ID=[31WUGVF6MKJSED4].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_zh_CN.jar	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msql.xsl	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.contrast-black_scale-125.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-32_altform-unplated_contrast-white.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\pyramid\Golden_Pharaoh_.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\OneConnectAppList.scale-125.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Dark.scale-300.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fr-fr\ui-strings.js	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBE7.DLL	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.dll.Email=[[email protected]]ID=[31WUGVF6MKJSED4].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2475_40x40x32.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.targetsize-256.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-48_altform-unplated_contrast-white.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ui-strings.js	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-ae\ui-strings.js	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\jfluid-server_ja.jar.Email=[[email protected]]ID=[31WUGVF6MKJSED4].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tpcps.dll	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\sysinfo.bat.Email=[[email protected]]ID=[31WUGVF6MKJSED4].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-100.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\msipc.dll.mui	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-cli.xml.Email=[[email protected]]ID=[31WUGVF6MKJSED4].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\java.policy	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll.Email=[[email protected]]ID=[31WUGVF6MKJSED4].odveta	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\openssl64.dlla.manifest	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockWideTile.scale-125.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\mask\13c.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Microsoft.Input.Ink.Analysis.winmd	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Music.BackgroundAudioTask.dll	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fi-fi\ui-strings.js	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_checkbox_selected_18.svg	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\nunit_schema_2.5.xsd	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-filesystem-l1-1-0.dll	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4627_20x20x32.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

Drops file in Windows directory 64 IoCs

Processes:

39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

description	ioc	process
File opened for modification	C:\Windows\INF\prnkmcl2.inf	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Workflow\Icon_Printer.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\MedTile.scale-125.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\mso98imm.dll	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarBadge.scale-100.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\SmallTile.scale-100.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\en-US\helppane.exe.mui	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\Settings\AAA_SystemSettings_DateTime_SetFormats.settingcontent-ms	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\INF\displayoverride.inf	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\starttile.dualsim2.surprise.scale-200.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\tt_60x42.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsWideTile.scale-200.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.People_10.1.10531.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleSplashScreen.scale-100.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-64_altform-unplated.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailBadge.scale-100.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-32_altform-unplated.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreLargeTile.scale-100.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeMediumTile.scale-400.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Voices\en-US\en-US_female_TTS\skin_en-US_female_TTS.lua	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\_Resources\0.rsrc	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\normnfkc.nlp	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEEXCH.DLL	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\vn_60x42.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosSmallTile.contrast-black_scale-200.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\9434_24x24x32.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Microsoft.Applications.Telemetry.Windows.dll	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-64_altform-colorize.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookMailMediumTile.scale-400.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\Settings\AAA_SystemSettings_Start_MoreTilesEnabled.settingcontent-ms	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\171.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-40_altform-unplated_contrast-black.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\AppxManifest.xml	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Tournament\Strike.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\MedTile.scale-100.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_contrast-white.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\IME\IMETC\DICTS\PINTLGT.IMD	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageBadgeLogo.scale-125_contrast-black.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\sa_60x42.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_contrast-white.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-200_contrast-white.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.targetsize-256.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\INF\ipoib6x.inf	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\starttile.dualsim1.surprise.scale-150.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Paint_Logo_with_Trademark_ABOUT_POPUP.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\um_16x11.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-400.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.targetsize-24.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\Settings\AAA_SystemSettings_MultiTasking_SnapFillEnabled.settingcontent-ms	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\INF\netirda.inf	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\Group.scale-100.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-256.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-48_altform-unplated_contrast-black.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\SplashScreen.scale-100.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Activities.Compiler.dll	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\HoloShell\appxmanifest.xml	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\Square44x44Logo.targetsize-24.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\surfaceHub\en-GB\toc.xml	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXEV.DLL	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7d2.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runtc259d85b#\9fee6a7d0ce8c6247a4e902a6e6ca2e6\System.Runtime.WindowsRuntime.UI.Xaml.ni.dll.aux	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\976_24x24x32.png	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

NTFS ADS 5 IoCs

Processes:

39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\zh-TW\8:䖀īʩt.ex	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Documents and Settings\zh-TW\8:틠īɷt.ex	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\All Users\Desktop\Setup\:<⻘ĬɷA86-	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\All Users\Desktop\Setup\:<⹈ĬʩA86-	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
File opened for modification	C:\Users\Default\Documents\My Music\:<쵘įɷoft\쁸Įɷ\`b聸ķɷtes\胰ķɷrams\~꺐ķ򕉷s Po\㉀ĸ򎉷ows \¦¨ⶰĭ헜ɷ\異ķ퇀ɷê\ÈÊ腨ĸ춤ɷØ\鮀ĸ즈ɷ\äæ愀ĸ앬ɷȀ\帘ĸ셐ɷ촐Ī\þĀ䝘į봴ɷĦ\䢸ĳ뤘ɷĶ\ĜĞᔰī듼ɷ\記Ĳ냠ɷ\ĸĺĬ계ɷ\㺀ĳꢨɷ\ŐŒ㑘īꒌɷက\〠īꁰɷ\ŪŬȁ\레ķ頸ɷȁ\żž레ķ鐜ɷ\휰Ĳ退ɷ\Ƙƚﺰī诤ɷ\ᭈĭ蟈ɷ\ưƲ勠Ĵ莬ɷ\寈Ĵ羐ɷ︨疥ǀ\䝟盵ȁ\凰ĭ䝟盵疥Ǡ\䝟盵疥ǰ	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

pid	process
3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 3564 wrote to memory of 404	3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 3564 wrote to memory of 404	3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 3564 wrote to memory of 404	3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 404 wrote to memory of 3404	404	cmd.exe	net.exe
PID 404 wrote to memory of 3404	404	cmd.exe	net.exe
PID 404 wrote to memory of 3404	404	cmd.exe	net.exe
PID 3404 wrote to memory of 636	3404	net.exe	net1.exe
PID 3404 wrote to memory of 636	3404	net.exe	net1.exe
PID 3404 wrote to memory of 636	3404	net.exe	net1.exe
PID 3564 wrote to memory of 900	3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 3564 wrote to memory of 900	3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 3564 wrote to memory of 900	3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 900 wrote to memory of 1096	900	cmd.exe	net.exe
PID 900 wrote to memory of 1096	900	cmd.exe	net.exe
PID 900 wrote to memory of 1096	900	cmd.exe	net.exe
PID 1096 wrote to memory of 1220	1096	net.exe	net1.exe
PID 1096 wrote to memory of 1220	1096	net.exe	net1.exe
PID 1096 wrote to memory of 1220	1096	net.exe	net1.exe
PID 3564 wrote to memory of 1296	3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 3564 wrote to memory of 1296	3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 3564 wrote to memory of 1296	3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 1296 wrote to memory of 1812	1296	cmd.exe	net.exe
PID 1296 wrote to memory of 1812	1296	cmd.exe	net.exe
PID 1296 wrote to memory of 1812	1296	cmd.exe	net.exe
PID 1812 wrote to memory of 1716	1812	net.exe	net1.exe
PID 1812 wrote to memory of 1716	1812	net.exe	net1.exe
PID 1812 wrote to memory of 1716	1812	net.exe	net1.exe
PID 3564 wrote to memory of 2124	3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 3564 wrote to memory of 2124	3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 3564 wrote to memory of 2124	3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 2124 wrote to memory of 2468	2124	cmd.exe	net.exe
PID 2124 wrote to memory of 2468	2124	cmd.exe	net.exe
PID 2124 wrote to memory of 2468	2124	cmd.exe	net.exe
PID 2468 wrote to memory of 2696	2468	net.exe	net1.exe
PID 2468 wrote to memory of 2696	2468	net.exe	net1.exe
PID 2468 wrote to memory of 2696	2468	net.exe	net1.exe
PID 3564 wrote to memory of 2828	3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 3564 wrote to memory of 2828	3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 3564 wrote to memory of 2828	3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 2828 wrote to memory of 1300	2828	cmd.exe	net.exe
PID 2828 wrote to memory of 1300	2828	cmd.exe	net.exe
PID 2828 wrote to memory of 1300	2828	cmd.exe	net.exe
PID 1300 wrote to memory of 3204	1300	net.exe	net1.exe
PID 1300 wrote to memory of 3204	1300	net.exe	net1.exe
PID 1300 wrote to memory of 3204	1300	net.exe	net1.exe
PID 3564 wrote to memory of 3824	3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 3564 wrote to memory of 3824	3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 3564 wrote to memory of 3824	3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 3564 wrote to memory of 1076	3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 3564 wrote to memory of 1076	3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 3564 wrote to memory of 1076	3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 3564 wrote to memory of 3680	3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 3564 wrote to memory of 3680	3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 3564 wrote to memory of 3680	3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 3564 wrote to memory of 352	3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 3564 wrote to memory of 352	3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 3564 wrote to memory of 352	3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe
PID 352 wrote to memory of 848	352	cmd.exe	net.exe
PID 352 wrote to memory of 848	352	cmd.exe	net.exe
PID 352 wrote to memory of 848	352	cmd.exe	net.exe
PID 848 wrote to memory of 1000	848	net.exe	net1.exe
PID 848 wrote to memory of 1000	848	net.exe	net1.exe
PID 848 wrote to memory of 1000	848	net.exe	net1.exe
PID 3564 wrote to memory of 1232	3564	39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe
"C:\Users\Admin\AppData\Local\Temp\39d27dfe389db6efd0539f07a74207f90c797580574db07b9606af68a2553913.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3404
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1096
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:1220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:2696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1300
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:3204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:3824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:1076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:3680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:352
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:1000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:1232
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:1032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  PID:1856
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    PID:1376
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:2712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:2656
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:3380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  PID:3676
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:3720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/352-18-0x0000000000000000-mapping.dmp

Download
memory/404-0-0x0000000000000000-mapping.dmp

Download
memory/636-2-0x0000000000000000-mapping.dmp

Download
memory/848-19-0x0000000000000000-mapping.dmp

Download
memory/900-3-0x0000000000000000-mapping.dmp

Download
memory/1000-20-0x0000000000000000-mapping.dmp

Download
memory/1032-22-0x0000000000000000-mapping.dmp

Download
memory/1076-16-0x0000000000000000-mapping.dmp

Download
memory/1096-4-0x0000000000000000-mapping.dmp

Download
memory/1220-5-0x0000000000000000-mapping.dmp

Download
memory/1232-21-0x0000000000000000-mapping.dmp

Download
memory/1296-6-0x0000000000000000-mapping.dmp

Download
memory/1300-13-0x0000000000000000-mapping.dmp

Download
memory/1376-25-0x0000000000000000-mapping.dmp

Download
memory/1456-23-0x0000000000000000-mapping.dmp

Download
memory/1716-8-0x0000000000000000-mapping.dmp

Download
memory/1812-7-0x0000000000000000-mapping.dmp

Download
memory/1856-24-0x0000000000000000-mapping.dmp

Download
memory/2124-9-0x0000000000000000-mapping.dmp

Download
memory/2468-10-0x0000000000000000-mapping.dmp

Download
memory/2656-27-0x0000000000000000-mapping.dmp

Download
memory/2696-11-0x0000000000000000-mapping.dmp

Download
memory/2712-26-0x0000000000000000-mapping.dmp

Download
memory/2828-12-0x0000000000000000-mapping.dmp

Download
memory/3204-14-0x0000000000000000-mapping.dmp

Download
memory/3380-28-0x0000000000000000-mapping.dmp

Download
memory/3404-1-0x0000000000000000-mapping.dmp

Download
memory/3564-35-0x0000000001BA0000-0x0000000001BA1000-memory.dmp

Filesize
4KB

Download
memory/3564-31-0x0000000001BA0000-0x0000000001BA1000-memory.dmp

Filesize
4KB

Download
memory/3564-32-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/3564-33-0x0000000001BA0000-0x0000000001BA1000-memory.dmp

Filesize
4KB

Download
memory/3564-36-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/3564-37-0x0000000001BA0000-0x0000000001BA1000-memory.dmp

Filesize
4KB

Download
memory/3564-38-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/3676-29-0x0000000000000000-mapping.dmp

Download
memory/3680-17-0x0000000000000000-mapping.dmp

Download
memory/3720-30-0x0000000000000000-mapping.dmp

Download
memory/3824-15-0x0000000000000000-mapping.dmp

Download