ouroboros | 60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1

General

Target

60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
Size

375KB
MD5

d5882c247d498f62deced08d118e122f
SHA1

d889058027e41165b300e2b1864e45b33d0ec142
SHA256

60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1
SHA512

5c714e72e14dac9c4da2cd29cc4d73d8e62537b1bb92bae3f3ed8b8109bf80d6647e0f1c634198af96a239c2511a7bbb37d63e7dbd0b3241a1f3869b3b32b4f2

Score

10^/10

ouroboros xmrig evasion miner ransomware spyware

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 1 IoCs

Processes:

60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

Processes:

60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W0Y212D0\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WBCYF2DO\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q2MEZ03C\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Public\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\DUF815Z1\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\Cookies\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B7OQLK7P\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File created	C:\Program Files\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JSOYQ5ME\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 3 http://www.sfml-dev.org/ip-provider.php
Drops file in System32 directory 1 IoCs

Processes:

60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\regedit.exe 60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe

description	flow	ioc
HTTP URL	3	http://www.sfml-dev.org/ip-provider.php

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\regedit.exe	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe

Drops file in Program Files directory 64 IoCs

Processes:

60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref_PAL.wmv	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0107350.WMF	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0304371.WMF	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00345_.WMF	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\FormatLock.MOD	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup.xml	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Maroon.css	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\deployJava1.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_ps_plugin.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Andorra.Email=[Honeylock@protonmail.com]ID=[M0ZUBCED65JAYPR].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_justify.gif	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PAGESIZE\PGLBL110.XML.Email=[Honeylock@protonmail.com]ID=[M0ZUBCED65JAYPR].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar.Email=[Honeylock@protonmail.com]ID=[M0ZUBCED65JAYPR].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new_partly-cloudy.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\ij.bat	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_ja_4.4.0.v20140623020002.jar	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\DD01162_.WMF	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA01421_.WMF	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state.nl_zh_4.4.0.v20140623020002.jar.Email=[Honeylock@protonmail.com]ID=[M0ZUBCED65JAYPR].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\ED00172_.WMF	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21480_.GIF	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\topnav.gif.Email=[Honeylock@protonmail.com]ID=[M0ZUBCED65JAYPR].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\WISC30.DLL.Email=[Honeylock@protonmail.com]ID=[M0ZUBCED65JAYPR].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\BORDERS\MSART7.BDR	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.ja_5.5.0.165303.jar.Email=[Honeylock@protonmail.com]ID=[M0ZUBCED65JAYPR].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0237228.WMF	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA01858_.WMF	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Theme Effects\Horizon.eftx	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR28F.GIF	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jre7\bin\awt.dll.Email=[Honeylock@protonmail.com]ID=[M0ZUBCED65JAYPR].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectToolsetIconImagesMask.bmp	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wabfind.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup.xml.Email=[Honeylock@protonmail.com]ID=[M0ZUBCED65JAYPR].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-ui.jar.Email=[Honeylock@protonmail.com]ID=[M0ZUBCED65JAYPR].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+1.Email=[Honeylock@protonmail.com]ID=[M0ZUBCED65JAYPR].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console.nl_zh_4.4.0.v20140623020002.jar.Email=[Honeylock@protonmail.com]ID=[M0ZUBCED65JAYPR].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\iexplore.exe.mui	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Boa_Vista.Email=[Honeylock@protonmail.com]ID=[M0ZUBCED65JAYPR].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\DD01761_.WMF	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.SemiTrust.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\Templates\1033\Access\Part\Contacts.accdt	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_ja_4.4.0.v20140623020002.jar.Email=[Honeylock@protonmail.com]ID=[M0ZUBCED65JAYPR].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Enderbury	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_h.png	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\VSTAProject.dll.Email=[Honeylock@protonmail.com]ID=[M0ZUBCED65JAYPR].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Sao_Paulo	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\THEMES14\INDUST\THMBNAIL.PNG.Email=[Honeylock@protonmail.com]ID=[M0ZUBCED65JAYPR].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.registry_3.5.400.v20140428-1507.jar.Email=[Honeylock@protonmail.com]ID=[M0ZUBCED65JAYPR].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml.Email=[Honeylock@protonmail.com]ID=[M0ZUBCED65JAYPR].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.properties	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.KR.XML	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Hong_Kong.Email=[Honeylock@protonmail.com]ID=[M0ZUBCED65JAYPR].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File created	C:\Program Files\Microsoft Office\Office14\PUBWIZ\FLYER98.POC.Email=[Honeylock@protonmail.com]ID=[M0ZUBCED65JAYPR].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.89\Locales\uk.pak.Email=[Honeylock@protonmail.com]ID=[M0ZUBCED65JAYPR].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\THEMES14\SONORA\PREVIEW.GIF.Email=[Honeylock@protonmail.com]ID=[M0ZUBCED65JAYPR].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\sa-jdi.jar.Email=[Honeylock@protonmail.com]ID=[M0ZUBCED65JAYPR].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DATE.JPG	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\DGAD.DPV	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\HH00693_.WMF	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Santa_Isabel.Email=[Honeylock@protonmail.com]ID=[M0ZUBCED65JAYPR].odveta	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe

Drops file in Windows directory 64 IoCs

Processes:

60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.WriteDiagProgress.Resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.Windows.Diagnosis.Commands.WriteDiagProgress.resources.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Servd1dec626#\9fab28f14be5a0da526b1ceaaa04a4c3\System.ServiceModel.Internals.ni.dll.aux	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Cursors\aero_busy.ani	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\diagnostics\index\DeviceCenterDiagnostic.xml	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Fonts\8514oemr.fon	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Fonts\browab.ttf	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.SDHost.Resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDHost.resources.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\dfsvc\261c09179eae03d67c9b6f3e70b603bd\dfsvc.ni.exe.aux	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net\c252762f9efbc0ad25f01a475b7d00ad\System.Net.ni.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp\e2e42e6b0f65a618da8ab7235c27faf0\Microsoft.CSharp.ni.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\ehome\MediaCenterWebLauncher.exe	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Fonts\cour.ttf	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\ehome\NetBridge.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Fonts\cga40852.fon	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Fonts\FRABK.TTF	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Fonts\LFAXDI.TTF	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Fonts\taileb.ttf	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Fonts\upclb.ttf	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-ZA\Theme\ZA.theme	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Help\mui\0409\mmc.CHM	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.stdformat.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessApplications.Tools.Intl\14.0.0.0__71e9bce111e9429c\Microsoft.Office.BusinessApplications.Tools.Intl.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\XsdBuildTask\90ef7c8e607fe9d71e83d747b02b64c0\XsdBuildTask.ni.dll.aux	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Boot\PCAT\en-US\bootmgr.exe.mui	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Cursors\aero_helpsel.cur	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\AcXtrnal.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Workflow.Run#\462293b97f4b8f084192a7fbae47269f\System.Workflow.Runtime.ni.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Device\64b016e546f8d38525f02e9c73c559ea\System.Device.ni.dll.aux	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\diagnostics\system\Audio\TS_LowVolume.ps1	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2th2	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Fonts\FTLTLT.TTF	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Fonts\GILC____.TTF	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.office\14.0.0.0__71e9bce111e9429c\Policy.12.0.office.config	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\SrpUxSnapIn\593c2939737f10fc236c7b4de35271bc\SrpUxSnapIn.ni.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\dfsvc\9bc0d921859b039d6e9f642148333949\dfsvc.ni.exe	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Drawing.Desi#\aa8854bd55fca246dd3226a671092bfa\System.Drawing.Design.ni.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Fonts\FREESCPT.TTF	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Fonts\GOUDOSB.TTF	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Fonts\mriam.ttf	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\mcstoredb\c359669d601990310a6b30ab5992ffa8\mcstoredb.ni.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\diagnostics\system\HomeGroup\CL_Detection.ps1	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Link\US-1.url	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5abb17e9#\5e166029e28675fbb6e2fc59ac6fa167\System.Windows.Presentation.ni.dll.aux	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vb0a86591#\3b0716755fe4e8ba470d7efdc72647d7\Microsoft.VisualBasic.Compatibility.ni.dll.aux	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Cursors\arrow_im.cur	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\diagnostics\system\Audio\TS_AudioDeviceDriver.ps1	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\ehome\wow\ehuihlp.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Wallpaper\US-wp6.jpg	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\napsnap\6.1.0.0__31bf3856ad364e35\NAPSNAP.DLL	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d#\b90f40ba78ef47ed0a9a563e242f6322\System.Runtime.Remoting.ni.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\diagnostics\system\Device\DiagPackage.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Fonts\segoescb.ttf	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Fonts\upcki.ttf	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Theme\GB.theme	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\assembly\GAC_64\Mcx2Dvcs\6.1.0.0__31bf3856ad364e35\Mcx2Dvcs.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\9a3ab1594cf5cd52f0794b0a93a14b57\System.Web.Entity.ni.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.IdentityModel\9b1d7533105a793af14b7b51cd5443af\System.IdentityModel.ni.dll	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\Boot\EFI\zh-TW\bootmgfw.efi.mui	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
File opened for modification	C:\Windows\diagnostics\system\Audio\TS_DisabledInCPL.ps1	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe

NTFS ADS 1 IoCs

Processes:

60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe

description	ioc	process
File opened for modification	C:\ProgramData\Templates\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\pack\vcRu\vc_r\󓌼ඬ\êȈ훴̼\틔̼䰮\쪜̼ﵢ\ÖȈ욄̼\쇸̼순̼\೪\ܙ\ݐ\耀疸\qE癘\:\Ȁ\Ȁ\	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe

pid	process
1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 1108 wrote to memory of 1508	1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 1108 wrote to memory of 1508	1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 1108 wrote to memory of 1508	1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 1108 wrote to memory of 1508	1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 1508 wrote to memory of 1376	1508	cmd.exe	net.exe
PID 1508 wrote to memory of 1376	1508	cmd.exe	net.exe
PID 1508 wrote to memory of 1376	1508	cmd.exe	net.exe
PID 1508 wrote to memory of 1376	1508	cmd.exe	net.exe
PID 1376 wrote to memory of 1796	1376	net.exe	net1.exe
PID 1376 wrote to memory of 1796	1376	net.exe	net1.exe
PID 1376 wrote to memory of 1796	1376	net.exe	net1.exe
PID 1376 wrote to memory of 1796	1376	net.exe	net1.exe
PID 1108 wrote to memory of 1804	1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 1108 wrote to memory of 1804	1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 1108 wrote to memory of 1804	1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 1108 wrote to memory of 1804	1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 1804 wrote to memory of 1848	1804	cmd.exe	net.exe
PID 1804 wrote to memory of 1848	1804	cmd.exe	net.exe
PID 1804 wrote to memory of 1848	1804	cmd.exe	net.exe
PID 1804 wrote to memory of 1848	1804	cmd.exe	net.exe
PID 1848 wrote to memory of 1844	1848	net.exe	net1.exe
PID 1848 wrote to memory of 1844	1848	net.exe	net1.exe
PID 1848 wrote to memory of 1844	1848	net.exe	net1.exe
PID 1848 wrote to memory of 1844	1848	net.exe	net1.exe
PID 1108 wrote to memory of 1776	1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 1108 wrote to memory of 1776	1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 1108 wrote to memory of 1776	1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 1108 wrote to memory of 1776	1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 1776 wrote to memory of 1764	1776	cmd.exe	net.exe
PID 1776 wrote to memory of 1764	1776	cmd.exe	net.exe
PID 1776 wrote to memory of 1764	1776	cmd.exe	net.exe
PID 1776 wrote to memory of 1764	1776	cmd.exe	net.exe
PID 1764 wrote to memory of 524	1764	net.exe	net1.exe
PID 1764 wrote to memory of 524	1764	net.exe	net1.exe
PID 1764 wrote to memory of 524	1764	net.exe	net1.exe
PID 1764 wrote to memory of 524	1764	net.exe	net1.exe
PID 1108 wrote to memory of 472	1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 1108 wrote to memory of 472	1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 1108 wrote to memory of 472	1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 1108 wrote to memory of 472	1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 472 wrote to memory of 892	472	cmd.exe	net.exe
PID 472 wrote to memory of 892	472	cmd.exe	net.exe
PID 472 wrote to memory of 892	472	cmd.exe	net.exe
PID 472 wrote to memory of 892	472	cmd.exe	net.exe
PID 892 wrote to memory of 1348	892	net.exe	net1.exe
PID 892 wrote to memory of 1348	892	net.exe	net1.exe
PID 892 wrote to memory of 1348	892	net.exe	net1.exe
PID 892 wrote to memory of 1348	892	net.exe	net1.exe
PID 1108 wrote to memory of 568	1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 1108 wrote to memory of 568	1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 1108 wrote to memory of 568	1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 1108 wrote to memory of 568	1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 568 wrote to memory of 644	568	cmd.exe	net.exe
PID 568 wrote to memory of 644	568	cmd.exe	net.exe
PID 568 wrote to memory of 644	568	cmd.exe	net.exe
PID 568 wrote to memory of 644	568	cmd.exe	net.exe
PID 644 wrote to memory of 1800	644	net.exe	net1.exe
PID 644 wrote to memory of 1800	644	net.exe	net1.exe
PID 644 wrote to memory of 1800	644	net.exe	net1.exe
PID 644 wrote to memory of 1800	644	net.exe	net1.exe
PID 1108 wrote to memory of 1628	1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 1108 wrote to memory of 1628	1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 1108 wrote to memory of 1628	1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe
PID 1108 wrote to memory of 1628	1108	60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe
"C:\Users\Admin\AppData\Local\Temp\60d53d840285d033deb6ccf011665b612721a5d99a2d132d3a8adcf99fbf0fc1.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLWriter
2⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
3⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
4⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLBrowser
2⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
3⤵
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
4⤵
PID:1844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
2⤵
- Suspicious use of WriteProcessMemory
PID:472

C:\Windows\SysWOW64\net.exe
net stop MSSQL$CONTOSO1
3⤵
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$CONTOSO1
4⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSDTC
2⤵
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\SysWOW64\net.exe
net stop MSDTC
3⤵
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSDTC
4⤵
PID:1800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
2⤵
PID:1908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
2⤵
PID:1960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
2⤵
PID:608

C:\Windows\SysWOW64\net.exe
net stop SQLSERVERAGENT
3⤵
PID:1876

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT
4⤵
PID:588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
PID:1160

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
PID:1344

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop vds
2⤵
PID:1032

C:\Windows\SysWOW64\net.exe
net stop vds
3⤵
PID:1224

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vds
4⤵
PID:436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
2⤵
PID:1364

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
PID:1144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
2⤵
PID:1408

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
PID:1844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/436-26-0x0000000000000000-mapping.dmp

Download
memory/472-9-0x0000000000000000-mapping.dmp

Download
memory/524-8-0x0000000000000000-mapping.dmp

Download
memory/568-12-0x0000000000000000-mapping.dmp

Download
memory/588-20-0x0000000000000000-mapping.dmp

Download
memory/608-18-0x0000000000000000-mapping.dmp

Download
memory/644-13-0x0000000000000000-mapping.dmp

Download
memory/892-10-0x0000000000000000-mapping.dmp

Download
memory/960-23-0x0000000000000000-mapping.dmp

Download
memory/1032-24-0x0000000000000000-mapping.dmp

Download
memory/1108-33-0x0000000001290000-0x00000000012A1000-memory.dmp

Filesize
68KB

Download
memory/1108-32-0x00000000016A0000-0x00000000016B1000-memory.dmp

Filesize
68KB

Download
memory/1108-31-0x0000000001290000-0x00000000012A1000-memory.dmp

Filesize
68KB

Download
memory/1144-28-0x0000000000000000-mapping.dmp

Download
memory/1160-21-0x0000000000000000-mapping.dmp

Download
memory/1224-25-0x0000000000000000-mapping.dmp

Download
memory/1344-22-0x0000000000000000-mapping.dmp

Download
memory/1348-11-0x0000000000000000-mapping.dmp

Download
memory/1364-27-0x0000000000000000-mapping.dmp

Download
memory/1376-1-0x0000000000000000-mapping.dmp

Download
memory/1408-29-0x0000000000000000-mapping.dmp

Download
memory/1508-0-0x0000000000000000-mapping.dmp

Download
memory/1628-15-0x0000000000000000-mapping.dmp

Download
memory/1764-7-0x0000000000000000-mapping.dmp

Download
memory/1776-6-0x0000000000000000-mapping.dmp

Download
memory/1796-2-0x0000000000000000-mapping.dmp

Download
memory/1800-14-0x0000000000000000-mapping.dmp

Download
memory/1804-3-0x0000000000000000-mapping.dmp

Download
memory/1844-30-0x0000000000000000-mapping.dmp

Download
memory/1844-5-0x0000000000000000-mapping.dmp

Download
memory/1848-4-0x0000000000000000-mapping.dmp

Download
memory/1876-19-0x0000000000000000-mapping.dmp

Download
memory/1908-16-0x0000000000000000-mapping.dmp

Download
memory/1960-17-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads