xmrig | 126f06426beeaaeea65331c5896590eb558405e5b924254e1aa17c3adc5c2fb3

Resubmissions

25/06/2021, 20:08

210625-1ay8ymabc6 10

24/06/2021, 06:05

210624-z3rv4e1ed2 10

Analysis

max time kernel
51s
max time network
100s
platform
windows7_x64
resource
win7v20210410
submitted
24/06/2021, 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows Session Manager.exe
Size

1.3MB
MD5

000e2743bf3cb96cefc4be357765cec3
SHA1

62b9b6afc91e349c56ce967985eec229f7db82aa
SHA256

126f06426beeaaeea65331c5896590eb558405e5b924254e1aa17c3adc5c2fb3
SHA512

b8298aed9d0ac929c9942ff8addce2a3b0e779093dad50fc99242542e8894fb0c45a5d4e60ed33691fc5fbcdeccfc9e50244dad6056500de8a28fddb6f6f275f

Score

10^/10

xmrig evasion miner ransomware spyware stealer

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	Windows Session Manager.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\RemoveStart.tiff	Windows Session Manager.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Windows Session Manager.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-photosamples_31bf3856ad364e35_6.1.7600.16385_none_f36e0e659b8042be\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VLFEZDK1\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-us-links-component_31bf3856ad364e35_6.1.7601.17514_none_b325aa489d61d3a5\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Media\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Media\Landscape\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SLC8MVWU\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Media\Cityscape\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.1.7600.16385_none_06495209cbd8e93b\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Web\Wallpaper\Nature\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-characters_31bf3856ad364e35_6.1.7600.16385_none_bde0eaed84920a21\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Media\Garden\Desktop.ini	Windows Session Manager.exe
File created	C:\$Recycle.Bin\S-1-5-21-2513283230-931923277-594887482-1000\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\Cookies\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Web\Wallpaper\Landscapes\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-soundthemes-raga_31bf3856ad364e35_6.1.7600.16385_none_2fe300bf8e73cdbd\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-videosamples_31bf3856ad364e35_6.1.7600.16385_none_51a21f033003affd\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_6.1.7600.16385_none_7ca09f65fd387e58\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_6.1.7600.16385_none_61fc91b36f901b87\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Desktop.ini	Windows Session Manager.exe
File created	C:\Program Files\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gameexplorer_31bf3856ad364e35_6.1.7601.17514_none_a026547dd7dc8bbc\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenes\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..dthemes-calligraphy_31bf3856ad364e35_6.1.7600.16385_none_c1407bc73caf8dfc\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-scenes_31bf3856ad364e35_6.1.7600.16385_none_a4393b1a254aeaee\Desktop.ini	Windows Session Manager.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_6.1.7600.16385_none_bf396ba9226e0702\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..l-soundthemes-delta_31bf3856ad364e35_6.1.7600.16385_none_fbf7e0678b64a4b8\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Windows Session Manager.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PeerDist-Client-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\en-US\eappcfg.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\en-US\qcap.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\ADFS-WebAgentClaims-DL.man	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\doskey.exe	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Links-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00e.inf_amd64_neutral_651eeed98428be5e\Amd64\CNBP_294.DLL	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmarch.inf_amd64_neutral_4261401e3170ebfb\mdmarch.PNF	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00c.inf_amd64_neutral_510c36849918ce92\Amd64\CNBP_320.DLL	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp6500at.cfg	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnin004.inf_amd64_neutral_c8902ae660ab1360\Amd64\INI31353.PPD	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_37_for_KB2731771~31bf3856ad364e35~amd64~~6.1.1.1.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-WinIP-Package~31bf3856ad364e35~amd64~sr-LATN-CS~7.1.7601.16492.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~ko-KR~7.1.7601.16492.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\acpi.inf_amd64_neutral_aed2e7a487803437\errdev.sys	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\wlanext.exe	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnle004.inf_amd64_neutral_beb9bf23b7202bff\Amd64\LN1394E3.PPD	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\msimsg.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnr004.inf_amd64_neutral_3319ff2548f89fd8\prnnr004.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsv003.inf_amd64_neutral_1e0c4fbb9b11b015\Amd64\SVC131D6.GPD	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMEJP10\IMJPTIP.DLL	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\ADSI-Router-DL.man	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmke.inf_amd64_neutral_3e4daa83122b1559\mdmke.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00d.inf_amd64_neutral_0600b2ba575729f4\Amd64\CNB_0310.DLL	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00i.inf_amd64_neutral_09ff5ee0a0cf0233\Amd64\CNB_0340.GPD	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnle004.inf_amd64_neutral_beb9bf23b7202bff\Amd64\LAL11003.PPD	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\EhStorAPI.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\nvraid.inf_loc	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\avmx64c.inf_amd64_neutral_8ebb15bf548db022\avmx64c.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\DWrite.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky004.inf_amd64_neutral_5db759db19acd3ae\Amd64\KYFS820.GPD	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\InfDefaultInstall.exe	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca003.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmmot64.inf_amd64_neutral_1abbad2f29c8fa08\mdmmot64.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnkm002.inf_amd64_neutral_7c42808e24ebff99\prnkm002.PNF	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\en-US\wpcao.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_443_for_KB3109118~31bf3856ad364e35~amd64~~6.1.4.0.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ph3xibc7.inf_amd64_neutral_348f512722c79525\Ph3xIB64.sys	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVP1R.GPD	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\en-US\iscsicpl.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\en-US\WPDSp.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\ClickDownNormal.gif	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package~31bf3856ad364e35~amd64~cs-CZ~7.1.7601.16492.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Networking-MPSSVC-Rules-BusinessEdition-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00c.inf_amd64_neutral_f0d9ddf52f04765c\Amd64\EP0NOE6A.DXT	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsv004.inf_amd64_neutral_fc4526bbfbd5feb1\Amd64\SV3201E3.PPD	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00x.inf_amd64_neutral_eb0842aa932d01ee\Amd64\CNBPP3.DLL	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\en-US\PortableDeviceApi.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\Maml.rld	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\iasrad.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\RacEngn.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\SearchFilterHost.exe	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Shell-MultiplayerInboxGames-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00d.inf_amd64_neutral_0600b2ba575729f4\Amd64\CNBJOP8M.DLL	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00b.inf_amd64_neutral_2e6b718b2b177506\Amd64\EP0NOE8L.DXT	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\en-US\netprofm.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-IE-ClientNetworkProtocolImplementation-DL.man	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\sxsstore.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\vdsvd.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\volume.inf_loc	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_neutral_8693053514b10ee9\hidclass.sys	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Eventlog-DL.man	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\appwiz.cpl	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\fdWSD.dll	Windows Session Manager.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\drive.crx	Windows Session Manager.exe
File opened for modification	C:\Program Files\Windows Media Player\setup_wm.exe	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackgroundRTL.jpg.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Earthy.css.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLADDR.FAE.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00130_.GIF	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jre7\lib\accessibility.properties.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01356_.WMF	Windows Session Manager.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\THMBNAIL.PNG.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOHEVI.DLL.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONINTL.DLL	Windows Session Manager.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\RADIAL.ELM.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18214_.WMF.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.access.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_sun.png	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBENDF98.CHM	Windows Session Manager.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\CST6CDT.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Glace_Bay	Windows Session Manager.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_dummy_plugin.dll.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_zh_CN.jar.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEODBC.DLL	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02126_.WMF	Windows Session Manager.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	Windows Session Manager.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\youtube.crx.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_zh_CN.jar	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_gather_plugin.dll.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRdIF.dll.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00049_.WMF.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR4F.GIF.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382969.JPG.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_mms_plugin.dll	Windows Session Manager.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libimem_plugin.dll.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL093.XML	Windows Session Manager.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\AddIns.store.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_bkg.png	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309705.JPG	Windows Session Manager.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Eucla.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_right.png	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jfr\profile.jfc.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libsdp_plugin.dll.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Equity.xml	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\TWSTRUCT.DLL	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\CIEXYZ.pf.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kolkata.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png	Windows Session Manager.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-disable.png	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMask.bmp	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\currency.js	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR23F.GIF.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_right.png	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00171_.GIF.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD10972_.GIF.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImages.jpg.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00799_.WMF	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03513_.WMF	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPrintTemplate.html	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\EMAIL.DPV.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\RECYCLE.WMF.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB02229_.GIF.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png.[[email protected]][MJ-GB3425187069].Spyro	Windows Session Manager.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.IdentityModel\710a5c9e16388ca7a722211f4d4867aa\System.IdentityModel.ni.dll.aux	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_faxcn002.inf_31bf3856ad364e35_6.1.7600.16385_none_a4f8cabfbd0f45e2\faxcn002.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\logo.png	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-setupapi_31bf3856ad364e35_6.1.7601.17514_none_931b5f1fdcdd6496\wowreg32.exe	Windows Session Manager.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.Resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.resources.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.Bu#\047c9c4a6b9dcd9d1985b95e0f4f1daa\Microsoft.Office.BusinessApplications.Diagnostics.ni.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\67215fe430cb12f890a7dc19fd53aa55\Microsoft.Build.Utilities.v4.0.ni.dll.aux	Windows Session Manager.exe
File opened for modification	C:\Windows\Fonts\simpfxo.ttf	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_630d9bc151625afa\Rules.System.NetDiagFramework.xml	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-h..ctivation.resources_31bf3856ad364e35_6.1.7600.16385_en-us_581f4464e637a2c6\HELP_What_is_Activation.rtf	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..ansliteration-nowow_31bf3856ad364e35_6.1.7600.16385_none_b021af6864cb7d41\Hant-To-Hans.nlt	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..sc-style-rectangles_31bf3856ad364e35_6.1.7600.16385_none_258f1924c482b7a1\NavigationUp_ButtonGraphic.png	Windows Session Manager.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.11.0.office\14.0.0.0__71e9bce111e9429c\Policy.11.0.Office.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-osk.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0c89b97c90e91bc5\osk.exe.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..les-personalization_31bf3856ad364e35_6.1.7600.16385_none_e8ad6b4cdc6dc4dc\landscapes.theme	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-w..lity-base.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8209e84af0c0893f\xml.xsl	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wmpnss-ux_31bf3856ad364e35_6.1.7600.16385_none_13b9b4b7d327a721\wmpnscfg.exe	Windows Session Manager.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~es-ES~7.1.7601.16492.mum	Windows Session Manager.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\WindowsProducts.adml	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_mdmgen.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_63255207814eeb7e\mdmgen.inf_loc	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-b..ore-fonts-wgl4-boot_31bf3856ad364e35_6.1.7600.16385_none_d055c2bb563e6783\wgl4_boot.ttf	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_630d9bc151625afa\Rules.System.Wired.xml	Windows Session Manager.exe
File opened for modification	C:\Windows\Fonts\upcjl.ttf	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_hpoa1so.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_693571c6bf1b4671\hpotiop1.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-audiodiagnostic_31bf3856ad364e35_6.1.7600.16385_none_1c7c64ad096a7b06\MF_AudioDiagnostic.ps1	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-services-ehrecvr_31bf3856ad364e35_6.1.7601.17514_none_1b8f8373383de46a\ehRecvr.exe.config	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-13.htm	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ace-remoting-xactps_31bf3856ad364e35_6.1.7600.16385_none_dd065213280594c0\msxactps.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-printerdiagnostic_31bf3856ad364e35_6.1.7600.16385_none_21b432d7b46a7554\PrinterDiagnostic.xml	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-acccursors_31bf3856ad364e35_6.1.7600.16385_none_406675269603c3b4\size1_m.cur	Windows Session Manager.exe
File opened for modification	C:\Windows\inf\bthpan.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..almanager.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e02c32d4d3fade9f\termmgr.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Build.Conversion.v4.0.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_igdlh.inf_31bf3856ad364e35_6.1.7600.16385_none_f3e7064ea3c09a9a\igdumd32.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-h..-multboot.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e5c8919b79afa59c\multboot.h1s	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..ion-reflectordriver_31bf3856ad364e35_6.1.7601.17514_none_764c15a2f476f130\RDPREFDD.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv14b62006#\2c7e795fb7d690d3b8931d360e4ce7f5\System.ServiceModel.Activation.ni.dll.aux	Windows Session Manager.exe
File opened for modification	C:\Windows\inf\arc.PNF	Windows Session Manager.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0000000010\9.0.0\ul_msvcp80.dll.98CB24AD_52FB_DB5F_FF1F_C8B3B9A1E18E	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_avmx64c.inf_31bf3856ad364e35_6.1.7600.16385_none_1b289ccdd9a4634d\fus2base.frm	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_brmfcwia.inf_31bf3856ad364e35_6.1.7600.16385_none_11493a3982b640b7\BrEvIF.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_machine.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a102031c07b6ad1d\machine.inf_loc	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-deskperf_31bf3856ad364e35_6.1.7600.16385_none_209ac7a9488f9245\deskperf.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.1.7601.17514_none_fc00d9a9415b5f6e\NlsData0018.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.SmartTag\14.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.SmartTag.config	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_mdmaiwa3.inf_31bf3856ad364e35_6.1.7600.16385_none_09c31aee77564011\mdmaiwa3.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..fcounters.resources_31bf3856ad364e35_6.1.7600.16385_en-us_80655e11f5bc9e8d\tslabels.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_1394.inf_31bf3856ad364e35_6.1.7601.17514_none_59555c0e1c877c53\ohci1394.sys	Windows Session Manager.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\SqlServer.targets	Windows Session Manager.exe
File opened for modification	C:\Windows\PLA\Reports\Report.System.Performance.xml	Windows Session Manager.exe
File opened for modification	C:\Windows\PolicyDefinitions\MSDT.admx	Windows Session Manager.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-CodecPack-Basic-Encoder-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-f..truetype-jasmineupc_31bf3856ad364e35_6.1.7600.16385_none_fffdf1db5de6d26d\upcjl.ttf	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_en-us_92dafd34e62c3942\weather.html	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-performancediagnostic_31bf3856ad364e35_6.1.7600.16385_none_bb8f9b1a5070de7e\RS_RemoveCurrentUserStartupPrograms.ps1	Windows Session Manager.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-xwizards_31bf3856ad364e35_6.1.7600.16385_none_d41cfbd75888cefd\xwizard.dtd	Windows Session Manager.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ServiceModel.Routing.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_crcdisk.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b101c5afe5ce5e39\crcdisk.inf_loc	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-b..ng-shell-enterprise_31bf3856ad364e35_6.1.7600.16385_none_5607784e88698ae5\shellbrd.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-defrag-core_31bf3856ad364e35_6.1.7600.16385_none_74535a2cd1bda1d0\defragproxy.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-sctasks_31bf3856ad364e35_6.1.7601.17514_none_e8657d02cbf5e4c1\schtasks.exe	Windows Session Manager.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\All Users\Desktop\Updater6\Adob\:<̏\LN̏\VX̏\`b󢌏\jl󹌏\tv𐌏\~표̏\킸̏\촔̏\쥰̏\¦¨엌̏\°²숨̏\º¼뺄̏\ÄÆ뫠̏\ÎÐ뜼̏\ØÚ뎘̏\âä꿴̏\ìî걐̏\öøꢬ̏\輀ˁꔈ̏D\ĊČꅤ̏\ĔĖ鷀̏\ĠĢ騜̏\ĪĬ陸̏\ĴĶ鋔̏\ľŀ輰̏\ňŊ讌̏\ŒŔ蟨̏\ŜŞ葄̏\ŦŨ肠̏\ŰŲ糼̏\źż祘̏\ƄƆ疴̏\輀ˁ爐̏	Windows Session Manager.exe
File opened for modification	C:\Users\All Users\Desktop\Updater6\Adob\:<ʻ\LNʻ\VX󑊻\`b󨊻\jlힼʻ\tv퐘ʻ\~클ʻ\쳐ʻ\輀ˁ	Windows Session Manager.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2513283230-931923277-594887482-1000\desk\8:̏\̏\̏\¦¨̏\°²̏\º¼󢌏\ÄÆ󹌏\ÎÐ	Windows Session Manager.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2513283230-931923277-594887482-1000\desk\8:ʻ\ʻ\ʻ\¦¨ʻ	Windows Session Manager.exe
File opened for modification	C:\ProgramData\Start Menu\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\pack\8:̏\ ̏\¨ª̏\²´̏\¼¾󢌏\ÆÈ󹌏\ÐÒ𐌏\ÚÜ표̏\äæ킸̏\îð촔̏\øú쥰̏\ĂĄ엌̏\ČĎ숨̏\ĖĘ뺄̏\ĠĢ뫠̏\ĪĬ뜼̏\ĴĶ뎘̏\ľŀ꿴̏\ňŊ걐̏\ŒŔꢬ̏\ŜŞꔈ̏\ŦŨꅤ̏\ŰŲ鷀̏\źż騜̏\輀ˁ陸̏D\ƎƐK\Ƙƚ輰̏	Windows Session Manager.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2000	Windows Session Manager.exe
2000	Windows Session Manager.exe
2000	Windows Session Manager.exe
2000	Windows Session Manager.exe
2000	Windows Session Manager.exe
2000	Windows Session Manager.exe
2000	Windows Session Manager.exe
2000	Windows Session Manager.exe
2000	Windows Session Manager.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1172	2000	Windows Session Manager.exe	27
PID 2000 wrote to memory of 1172	2000	Windows Session Manager.exe	27
PID 2000 wrote to memory of 1172	2000	Windows Session Manager.exe	27
PID 2000 wrote to memory of 1172	2000	Windows Session Manager.exe	27
PID 1172 wrote to memory of 1732	1172	cmd.exe	29
PID 1172 wrote to memory of 1732	1172	cmd.exe	29
PID 1172 wrote to memory of 1732	1172	cmd.exe	29
PID 1172 wrote to memory of 1732	1172	cmd.exe	29
PID 1732 wrote to memory of 1756	1732	net.exe	30
PID 1732 wrote to memory of 1756	1732	net.exe	30
PID 1732 wrote to memory of 1756	1732	net.exe	30
PID 1732 wrote to memory of 1756	1732	net.exe	30
PID 2000 wrote to memory of 1784	2000	Windows Session Manager.exe	31
PID 2000 wrote to memory of 1784	2000	Windows Session Manager.exe	31
PID 2000 wrote to memory of 1784	2000	Windows Session Manager.exe	31
PID 2000 wrote to memory of 1784	2000	Windows Session Manager.exe	31
PID 2000 wrote to memory of 1708	2000	Windows Session Manager.exe	33
PID 2000 wrote to memory of 1708	2000	Windows Session Manager.exe	33
PID 2000 wrote to memory of 1708	2000	Windows Session Manager.exe	33
PID 2000 wrote to memory of 1708	2000	Windows Session Manager.exe	33
PID 2000 wrote to memory of 904	2000	Windows Session Manager.exe	35
PID 2000 wrote to memory of 904	2000	Windows Session Manager.exe	35
PID 2000 wrote to memory of 904	2000	Windows Session Manager.exe	35
PID 2000 wrote to memory of 904	2000	Windows Session Manager.exe	35
PID 2000 wrote to memory of 1728	2000	Windows Session Manager.exe	37
PID 2000 wrote to memory of 1728	2000	Windows Session Manager.exe	37
PID 2000 wrote to memory of 1728	2000	Windows Session Manager.exe	37
PID 2000 wrote to memory of 1728	2000	Windows Session Manager.exe	37
PID 1728 wrote to memory of 556	1728	cmd.exe	39
PID 1728 wrote to memory of 556	1728	cmd.exe	39
PID 1728 wrote to memory of 556	1728	cmd.exe	39
PID 1728 wrote to memory of 556	1728	cmd.exe	39
PID 556 wrote to memory of 1092	556	net.exe	40
PID 556 wrote to memory of 1092	556	net.exe	40
PID 556 wrote to memory of 1092	556	net.exe	40
PID 556 wrote to memory of 1092	556	net.exe	40
PID 2000 wrote to memory of 484	2000	Windows Session Manager.exe	41
PID 2000 wrote to memory of 484	2000	Windows Session Manager.exe	41
PID 2000 wrote to memory of 484	2000	Windows Session Manager.exe	41
PID 2000 wrote to memory of 484	2000	Windows Session Manager.exe	41
PID 484 wrote to memory of 1920	484	cmd.exe	43
PID 484 wrote to memory of 1920	484	cmd.exe	43
PID 484 wrote to memory of 1920	484	cmd.exe	43
PID 484 wrote to memory of 1920	484	cmd.exe	43
PID 1920 wrote to memory of 1900	1920	net.exe	44
PID 1920 wrote to memory of 1900	1920	net.exe	44
PID 1920 wrote to memory of 1900	1920	net.exe	44
PID 1920 wrote to memory of 1900	1920	net.exe	44
PID 2000 wrote to memory of 396	2000	Windows Session Manager.exe	45
PID 2000 wrote to memory of 396	2000	Windows Session Manager.exe	45
PID 2000 wrote to memory of 396	2000	Windows Session Manager.exe	45
PID 2000 wrote to memory of 396	2000	Windows Session Manager.exe	45
PID 396 wrote to memory of 572	396	cmd.exe	47
PID 396 wrote to memory of 572	396	cmd.exe	47
PID 396 wrote to memory of 572	396	cmd.exe	47
PID 396 wrote to memory of 572	396	cmd.exe	47
PID 572 wrote to memory of 384	572	net.exe	48
PID 572 wrote to memory of 384	572	net.exe	48
PID 572 wrote to memory of 384	572	net.exe	48
PID 572 wrote to memory of 384	572	net.exe	48
PID 2000 wrote to memory of 1048	2000	Windows Session Manager.exe	49
PID 2000 wrote to memory of 1048	2000	Windows Session Manager.exe	49
PID 2000 wrote to memory of 1048	2000	Windows Session Manager.exe	49
PID 2000 wrote to memory of 1048	2000	Windows Session Manager.exe	49

C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:1756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:1708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:556
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:1092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:484
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:572
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  PID:568
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:1652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    PID:1752
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:1168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  PID:1784
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    PID:1692
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:1188
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:788
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  PID:1932
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    PID:960
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/620-76-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download