126f06426beeaaeea65331c5896590eb558405e5b924254e1aa17c3adc5c2fb3

Resubmissions

25/06/2021, 20:08

210625-1ay8ymabc6 10

24/06/2021, 06:05

210624-z3rv4e1ed2 10

Analysis

max time kernel
360s
max time network
450s
platform
windows10_x64
resource
win10v20210410
submitted
25/06/2021, 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows Session Manager.exe
Size

1.3MB
MD5

000e2743bf3cb96cefc4be357765cec3
SHA1

62b9b6afc91e349c56ce967985eec229f7db82aa
SHA256

126f06426beeaaeea65331c5896590eb558405e5b924254e1aa17c3adc5c2fb3
SHA512

b8298aed9d0ac929c9942ff8addce2a3b0e779093dad50fc99242542e8894fb0c45a5d4e60ed33691fc5fbcdeccfc9e50244dad6056500de8a28fddb6f6f275f

Score

8^/10

evasion ransomware spyware stealer

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui	Windows Session Manager.exe
File created	C:\Windows\SysWOW64\drivers\en-US	Windows Session Manager.exe
File created	C:\Windows\SysWOW64\drivers\UMDF	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\fwpkclnt.sys.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui	Windows Session Manager.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\en-US	Windows Session Manager.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\StartUninstall.tiff	Windows Session Manager.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Windows Session Manager.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.[[email protected]][MJ-FO5138926074].Spyro	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.[[email protected]][MJ-FO5138926074].Spyro	Windows Session Manager.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Windows Session Manager.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	Windows Session Manager.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Windows Session Manager.exe
File created	C:\Users\Admin\Contacts\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commonstartmenu_31bf3856ad364e35_10.0.15063.0_none_5211b42e358da2ca\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	Windows Session Manager.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Windows Session Manager.exe
File created	C:\Users\Public\Documents\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu Places\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	Windows Session Manager.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.15063.0_none_2826556bee58508f\Desktop.ini	Windows Session Manager.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Windows Session Manager.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Windows Session Manager.exe
File created	C:\Users\Public\Downloads\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	Windows Session Manager.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	Windows Session Manager.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Windows Session Manager.exe
File created	C:\Users\Admin\Favorites\desktop.ini	Windows Session Manager.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Windows Session Manager.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.0.15063.0_none_a6313709f56227d4\desktop.ini	Windows Session Manager.exe
File created	C:\Users\Admin\Documents\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.0.15063.0_none_7c2bbc3db7cbacf0\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonprograms_31bf3856ad364e35_10.0.15063.0_none_5fa2753162f86404\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-commonmusic_31bf3856ad364e35_10.0.15063.0_none_8a2a70806d4ff602\desktop.ini	Windows Session Manager.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-mail-app_31bf3856ad364e35_10.0.15063.0_none_a64d6b3dd0267b2d\Desktop.ini	Windows Session Manager.exe
File created	C:\Users\Admin\Favorites\Links\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_10.0.15063.0_none_7458533b418bb9c3\Desktop.ini	Windows Session Manager.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Windows Session Manager.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	Windows Session Manager.exe
File created	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-mail-app_31bf3856ad364e35_10.0.15063.0_none_026c06c18883ec63\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Windows Session Manager.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	Windows Session Manager.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiasa003.inf_amd64_a30880819970ec59\amd64\SAK2200.icc	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\lt-LT\comctl32.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml	Windows Session Manager.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData	Windows Session Manager.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmlasat.inf_amd64_4f848c1194c4d468	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\InputSwitch.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\Windows.UI.CredDialogController.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-Group-drivers-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SmbDirect-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\prnms008.inf_loc	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhpcl3.inf_amd64_0e666fb8f1b0545e\amd64\hppcl6_MA_HWCP-manifest.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\el-GR\msprivs.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\en-US\winmde.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\hnetcfg.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\Windows.Devices.Lights.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Client-Features-Classic-shellcommon-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prndlclf.inf_amd64_efe1d550b7437499\dlclfhb0.dpb	Windows Session Manager.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MX410	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\slmgr.vbs	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NetFx-Shared-WPF-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prndlcl1.inf_amd64_dbe82d5f3b18ec9a\depclrc.gpd	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Network-Foundation-minio-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\remoteposdrv.inf_amd64_1c33e17d642417bb\remoteposdrv.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\pl-PL\windows.ui.xaml.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\LaunchTM.exe	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\mmres.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\winmde.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Network-QoS-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\EventTracingManagement\EventTracingManagement.psm1	Windows Session Manager.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms002.inf_amd64_07ee1bb78d96a8d3\Amd64	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Media-Streaming-WOW64-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\hidi2c.inf_loc	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiaky002.inf_amd64_8bc636137e0a7c8d\wiaky002.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\en-US\msdrm.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\MSFT_NetAdapterQos.Format.Helper.psm1	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\lz32.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\psapi.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\tracerpt.exe	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\sbp2.inf_amd64_38dd9d28dc203938\sbp2.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\iasads.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\rspndr.inf_loc	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prndlcl1.inf_amd64_dbe82d5f3b18ec9a\prndlcl1.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\Com\comempty.dat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\ws3cap.inf_loc	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netjme.inf_amd64_752bf22f1598bb7e\NETJME.sys	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prncacl1.inf_amd64_5cab2573ec016b93\CNN08CL1_PipelineConfig.xml	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiasa003.inf_amd64_a30880819970ec59\amd64\SA4623.icc	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\HelpPaneProxy.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Sensors-DriverClasses-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\en-US\RestartManagerUninstall.mfl	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psd1	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiasa003.inf_amd64_a30880819970ec59\amd64\SA8540.icc	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\xusb22.inf_amd64_495dad3cbfbbe7a5\xusb22.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\en-US\AuthHost.exe.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\c_fsantivirus.inf_loc	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\c_nettrans.inf_amd64_ffd65b4c2eac1604\c_nettrans.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\nvdimmn.inf_amd64_65bd82fbc8bd058d\nvdimmn.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnecl2.inf_amd64_fdd93c90b4633940\nehb1.gpd	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\en-US\mapistub.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\NetSetupApi.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-CoreSystem-minkernel-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\c_61883.inf_loc	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\en-US\WEB.rs.mui	Windows Session Manager.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe\Assets\Office\EmbossText.scale-140.png	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1850_20x20x32.png	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\LiveTiles\TrafficWide.png	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\plugin.js.[[email protected]][MJ-FO5138926074].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	Windows Session Manager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glow Edge.eftx	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-72_altform-unplated_contrast-white.png	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarLargeTile.scale-200.png	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\adobe_spinner.gif.[[email protected]][MJ-FO5138926074].Spyro	Windows Session Manager.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-125_kzf8qxf38zg5c\SkypeApp\Assets\Images	Windows Session Manager.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi	Windows Session Manager.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	Windows Session Manager.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.[[email protected]][MJ-FO5138926074].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-oob.xrm-ms	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Catalog\chess.3mf	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_ja.jar.[[email protected]][MJ-FO5138926074].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-phn.xrm-ms.[[email protected]][MJ-FO5138926074].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt.[[email protected]][MJ-FO5138926074].Spyro	Windows Session Manager.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\[email protected].[[email protected]][MJ-FO5138926074].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\Effects\effects_lobby_leaves.jpg	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Acrofx32.dll	Windows Session Manager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-phn.xrm-ms.[[email protected]][MJ-FO5138926074].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\hu-hu	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeSmallTile.scale-400.png	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\sRGB.pf	Windows Session Manager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ppd.xrm-ms	Windows Session Manager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\VCCORLIB140_APP.DLL.[[email protected]][MJ-FO5138926074].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\orcl7.xsl	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\kg_60x42.png	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.ViewerPlugin\ReliveSurfaces\Video\ReliveVideoControl.xaml	Windows Session Manager.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Resources	Windows Session Manager.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	Windows Session Manager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSmallTile.scale-100.png	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\ui-strings.js	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\WelcomeCardRdr-2x.png	Windows Session Manager.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OMML2MML.XSL.[[email protected]][MJ-FO5138926074].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_zh_4.4.0.v20140623020002.jar.[[email protected]][MJ-FO5138926074].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\THMBNAIL.PNG.[[email protected]][MJ-FO5138926074].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\eu-es	Windows Session Manager.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\en-US	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\bn_16x11.png	Windows Session Manager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[[email protected]][MJ-FO5138926074].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.en-us.xml	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe.[[email protected]][MJ-FO5138926074].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8ES.LEX	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-150_8wekyb3d8bbwe\AppxBlockMap.xml	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\xk_60x42.png	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filterselected-disabled_32.svg.[[email protected]][MJ-FO5138926074].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\css\main-selector.css.[[email protected]][MJ-FO5138926074].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\TimerMedTile.scale-200.png	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_zh_4.4.0.v20140623020002.jar	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper_1.0.400.v20130327-1442.jar	Windows Session Manager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	Windows Session Manager.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailWideTile.scale-400.png	Windows Session Manager.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-threaddump.jar.[[email protected]][MJ-FO5138926074].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\THIRDPARTYLICENSEREADME.txt	Windows Session Manager.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt_0.12.100.v20140530-1436.jar.[[email protected]][MJ-FO5138926074].Spyro	Windows Session Manager.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\THMBNAIL.PNG.[[email protected]][MJ-FO5138926074].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\fillandsign.svg.[[email protected]][MJ-FO5138926074].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fi-fi	Windows Session Manager.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll.[[email protected]][MJ-FO5138926074].Spyro	Windows Session Manager.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-i..l-keyboard-00020409_31bf3856ad364e35_10.0.15063.0_none_4c736958b4419397.manifest	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\Manifests\x86_microsoft-windows-imagesp1_31bf3856ad364e35_10.0.15063.0_none_995d33f2731d65b5.manifest	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-i..l-keyboard-0001041b_31bf3856ad364e35_10.0.15063.0_none_bb83b4e5b600499e\KBDSL1.DLL	Windows Session Manager.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub	Windows Session Manager.exe
File opened for modification	C:\Windows\diagnostics\system\WindowsMediaPlayerPlayDVD\en-US\DiagPackage.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Assets\Icons\custom-Miantuan\contrast-black\AppListIcon.targetsize-16.png	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-netplwiz_31bf3856ad364e35_10.0.15063.0_none_5c6d37d5ee548def\netplwiz.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\amd64_prnepcl2.inf_31bf3856ad364e35_10.0.15063.0_none_6caa5d7a89310dc5\EP0NXS7-manifest.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\ye_16x11.png	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\amd64_wcf-m_svc_mod_end_perf_reg_31bf3856ad364e35_10.0.15063.0_none_d7e8758ec8ae4b08\_ServiceModelEndpointPerfCounters.reg	Windows Session Manager.exe
File created	C:\Windows\WinSxS\wow64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.15063.0_en-us_6dffadf883c9e255	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..s-classicsearchdata_31bf3856ad364e35_10.0.15063.0_none_2bf46985bc0de379\Classic_{B0B4886C-4B31-4824-ADCD-0DAF5C8BAFF6}.settingcontent-ms	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..stack-termsrv-extra_31bf3856ad364e35_10.0.15063.0_none_23e4abb878822aa3\appserverai.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_speech_0809_f24be9041cd5e95f.cdf-ms	Windows Session Manager.exe
File opened for modification	C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeSmallTile.scale-100.png	Windows Session Manager.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\MedTile.scale-100.png	Windows Session Manager.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Utilities.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v4.0.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.15063.0_none_0d07ce77359b6878\Square150x150Logo.scale-100.png	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_mdmairte.inf-languagepack_31bf3856ad364e35_10.0.15063.0_en-us_7004d752cff0c4eb.manifest	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-i..oyment-languagepack_31bf3856ad364e35_10.0.15063.0_en-us_b631989436362503.manifest	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_netfx4-system.io.compression.resources_b03f5f7f11d50a3a_4.0.14917.0_en-us_16f0f912d0323e12.manifest	Windows Session Manager.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\_Resources\10.rsrc	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\amd64_capimg.inf.resources_31bf3856ad364e35_10.0.15063.0_en-us_bc224e492bc0e38a\capimg.inf_loc	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..tup-tool-powershell_31bf3856ad364e35_10.0.15063.0_none_5731ac8ce00e403f\BitLocker.Format.ps1xml	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\FileMaps\programdata_microsoft_fe5c6d762edd2110.cdf-ms	Windows Session Manager.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_10.0.15063.0_none_149aa50c07625ad6	Windows Session Manager.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\SmallTile.scale-125.png	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-mmsys_31bf3856ad364e35_10.0.15063.0_none_6f83a37a17f9d635\mmsys.cpl	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_netfx4-smsvchost_b03f5f7f11d50a3a_4.0.14917.0_none_b1152862529fe87c.manifest	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\Manifests\x86_netfx4-ngen_exe_b03f5f7f11d50a3a_4.0.14917.0_none_13608ff6cc6f454f.manifest	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-wmi-mof.resources_31bf3856ad364e35_10.0.15063.0_en-us_7e4096a9f8ba0f89\cimwin32.mfl	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\amd64_netfx4-groupedproviders_xml_b03f5f7f11d50a3a_4.0.14917.0_none_2cb56acb868be1e2\GroupedProviders.xml	Windows Session Manager.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-registryidle-agent_31bf3856ad364e35_10.0.15063.0_none_3081150821ab72c3	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-s..baaupdate.resources_31bf3856ad364e35_10.0.15063.0_en-us_b37f3dfb15ffc1db.manifest	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\Manifests\x86_microsoft-windows-wsp-spaces.resources_31bf3856ad364e35_10.0.15063.0_en-us_4fc235329dce9389.manifest	Windows Session Manager.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-embedded-shelllauncher_31bf3856ad364e35_10.0.15063.0_none_556c8fbf8012d1cb	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-host-network-service_31bf3856ad364e35_10.0.15063.0_none_0bf84ea598f8723b\OverlayHNSPlugin.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-r..ndows-media-editing_31bf3856ad364e35_10.0.15063.0_none_918b27bad1bf82c2\Windows.Media.Editing.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\amd64_netfx4-_dataoraclec..hared12_neutral_ini_b03f5f7f11d50a3a_4.0.15552.17062_none_a7655b3549da2eb4\_DataOracleClientPerfCounters_shared12_neutral_d.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-time-service_31bf3856ad364e35_10.0.15063.0_none_99bb3ce8a6195e97.manifest	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_wcf-m_tx_bridge_perf_c_reg_31bf3856ad364e35_10.0.15063.0_none_8daa343469946ff7.manifest	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-n..mplatform.resources_31bf3856ad364e35_10.0.15063.0_en-us_b81c19914e7971e0.manifest	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\Manifests\x86_microsoft.certifica..ient.cmdlets.native_31bf3856ad364e35_10.0.15063.0_none_1df66911d6817bf0.manifest	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-m..mdac-odbc-jet-exl32_31bf3856ad364e35_10.0.15063.0_none_4b26f57df72f0a94\odexl32.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\PolicyDefinitions\TaskScheduler.admx	Windows Session Manager.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-Guest-Networking-Synthetic-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.mum	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..mplus.res.resources_31bf3856ad364e35_10.0.15063.0_en-us_b4305ce37adf0aec\comres.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-hyper-v-dmvsc_31bf3856ad364e35_10.0.15063.0_none_b7da3ace3bd01843.manifest	Windows Session Manager.exe
File created	C:\Windows\Vss	Windows Session Manager.exe
File created	C:\Windows\WinSxS\msil_microsoft.virtualization.client.wizards_31bf3856ad364e35_10.0.15063.0_none_31c23b0f6b16dfbc	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\FileMaps\program_files_common_files_microsoft_shared_ink_tr-tr_a6971299ef4b5f1f.cdf-ms	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_netfx4-nlslexicons0009_b03f5f7f11d50a3a_4.0.14917.0_none_bc6447df271e12e9.manifest	Windows Session Manager.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\holoLens	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\Catalogs\9fabb333bf98ca4c9b419e74e3dc76d4d7983dde2f9397becfb9663ab0f4fbc6.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.15063.0_none_13cc520b866eaf57\oobe-button-template.html	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_dac9a1eac5147560b67ae2f162fd5f2d_b03f5f7f11d50a3a_4.0.15552.17062_none_d650d57035b6f2ba.manifest	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-t..dp-configextensions_31bf3856ad364e35_10.0.15063.0_none_8ade340101440548.manifest	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\Manifests\msil_microsoft.hyperv.powershell.cmdlets_31bf3856ad364e35_10.0.15063.0_none_62a92a79c78648fb.manifest	Windows Session Manager.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-deviceflows-datamodel_31bf3856ad364e35_10.0.15063.0_none_227b0e7cdbaa893d	Windows Session Manager.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..oreevents.resources_31bf3856ad364e35_10.0.15063.0_en-us_9ca20420e6b4fe27	Windows Session Manager.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\Settings\Classic_{083D5202-600A-4f38-981B-2D138FBDC4D1}.settingcontent-ms	Windows Session Manager.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-60_altform-unplated_contrast-white.png	Windows Session Manager.exe
File opened for modification	C:\Windows\SystemResources\Windows.UI.AccountsControl\Images\Generic.Theme-Dark_Scale-150.png	Windows Session Manager.exe
File opened for modification	C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_modules_secureboot_150f0cc835cc8893.cdf-ms	Windows Session Manager.exe

NTFS ADS 14 IoCs

description	ioc	Process
File opened for modification	C:\Documents and Settings\zh-TW\8:戨Ġt.ex	Windows Session Manager.exe
File opened for modification	C:\Users\Default\Documents\My Pictures\:<Ŭoft\RTŬŬ	Windows Session Manager.exe
File opened for modification	C:\Users\Default\Documents\My Videos\:<Ŭoft\NP鵐ŬŬ	Windows Session Manager.exe
File opened for modification	C:\ProgramData\Desktop\Setup\鑀Ġ6BA8\>@Ġ:\ꪰĠЀ\`bṨƕĠX\ᲈƕ򦄠򠄠𔄠\\|~㳈ƕ򽄠t\Ő휐Ġ훸Ġ퓈Ġ\ ǖ퍬Ġ\䂐ɱ쿈Ġ쾰Ġ춀Ġ\ÀÂ㲸̦찤Ġ¸\锠̤좀Ġ졨Ġ옸Ġ\âä䩀̷쓜ĠÚ\񺇹세Ġ선Ġ뻰Ġ\ĄĆ湰붔Ġü\㨈맰Ġ맘Ġ램Ġ\ĦĨ毈뙌ĠĞ\돈ƙ늨Ġ느Ġ끠Ġ\ňŊ庰Ǒ꼄Ġŀ\躸ꭠĠꭈĠꤘĠ\ŪŬ䔈ƖꞼĠŢ\ꗀꐘĠꐀĠꇐĠ\ȁ\豈鳐Ġ鲸Ġ骈Ġ\ƢƤ꨸ǣ餬ĠƦ\閈Ġ镰Ġ鍀Ġ	Windows Session Manager.exe
File opened for modification	C:\Documents and Settings\zh-TW\8:戨Ŭt.ex	Windows Session Manager.exe
File opened for modification	C:\ProgramData\Desktop\Setup\樈Ř6BA8\歰Ř:\聐ŘF\莐ŘX\洠Řd\쿰Řp\唨񡅘\|\偨񹅘\ⳠƖ현Ř\䰘퉤Ř \컄Ř¬\쬤Ř¸\磐임ŘÄ\ꥀ쏤ŘÐ\즨ƙ쁄ŘÜ\쮘ƙ벤Řè\㕀뤄Řô\媀땤ŘĀ\Ꚉ뇄ŘČ\	Windows Session Manager.exe
File opened for modification	C:\Users\All Users\Desktop\Setup\:<麨ŬA86-	Windows Session Manager.exe
File opened for modification	C:\Users\All Users\Desktop\Setup\:<恸ĠA86-	Windows Session Manager.exe
File opened for modification	C:\Users\All Users\Desktop\Setup\:<麨ńA86-	Windows Session Manager.exe
File opened for modification	C:\Users\Default\Documents\My Music\:<徠Ġoft\쳈ĠĠĠ\`b쨰ĠT\佘򦄠Ȁ\򽄠z\휐Ġ훸Ġ퓈Ġ\	Windows Session Manager.exe
File opened for modification	C:\Users\Default\Documents\My Videos\:<徠Ġoft\쯀ĠĠĠ\bd쬠ĠV\䬘򦄠򠄠𔄠\򽄠\|\௰Ɩ휐Ġ훸Ġ퓈Ġ\¦¨᜸Ɩ퍬Ġ\鏀쿈Ġ쾰Ġ춀Ġ\	Windows Session Manager.exe
File opened for modification	C:\Documents and Settings\zh-TW\8:斈ńt.ex	Windows Session Manager.exe
File opened for modification	C:\Users\Default\Documents\My Music\:<Ŭoft\LN󾂛ŬŬ	Windows Session Manager.exe
File opened for modification	C:\Users\Default\Documents\My Pictures\:<徠Ġoft\ĠĠĠ\fh졐ĠZ\仐򦄠򠄠𔄠\򽄠\ҸƖ휐Ġ훸Ġ퓈Ġ\ª¬ჀƖ퍬Ġ¢\髈쿈Ġ쾰Ġ춀Ġ\ÌÎ羐찤ĠÄ\ꔠ좀Ġ졨Ġ옸Ġ\îð怀쓜Ġæ\骀ǣ세Ġ선Ġ뻰Ġ\ĐĒ橐붔ĠĈ\맰Ġ맘Ġ램Ġ\ĲĴ쉰뙌ĠĪ\浈늨Ġ느Ġ끠Ġ\ŔŖࢰ꼄ĠŌ\攈ƕꭠĠꭈĠꤘĠ\ŶŸƤꞼĠŮ	Windows Session Manager.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3968	Windows Session Manager.exe
3968	Windows Session Manager.exe
3968	Windows Session Manager.exe
3968	Windows Session Manager.exe
3968	Windows Session Manager.exe
3968	Windows Session Manager.exe
3968	Windows Session Manager.exe
3968	Windows Session Manager.exe
3968	Windows Session Manager.exe
3968	Windows Session Manager.exe
3968	Windows Session Manager.exe
3968	Windows Session Manager.exe
3968	Windows Session Manager.exe
3968	Windows Session Manager.exe
3968	Windows Session Manager.exe
3968	Windows Session Manager.exe
3968	Windows Session Manager.exe
3968	Windows Session Manager.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 1308	3968	Windows Session Manager.exe	75
PID 3968 wrote to memory of 1308	3968	Windows Session Manager.exe	75
PID 3968 wrote to memory of 1308	3968	Windows Session Manager.exe	75
PID 1308 wrote to memory of 2348	1308	cmd.exe	78
PID 1308 wrote to memory of 2348	1308	cmd.exe	78
PID 1308 wrote to memory of 2348	1308	cmd.exe	78
PID 2348 wrote to memory of 2544	2348	net.exe	79
PID 2348 wrote to memory of 2544	2348	net.exe	79
PID 2348 wrote to memory of 2544	2348	net.exe	79
PID 3968 wrote to memory of 3448	3968	Windows Session Manager.exe	80
PID 3968 wrote to memory of 3448	3968	Windows Session Manager.exe	80
PID 3968 wrote to memory of 3448	3968	Windows Session Manager.exe	80
PID 3968 wrote to memory of 2684	3968	Windows Session Manager.exe	83
PID 3968 wrote to memory of 2684	3968	Windows Session Manager.exe	83
PID 3968 wrote to memory of 2684	3968	Windows Session Manager.exe	83
PID 3968 wrote to memory of 204	3968	Windows Session Manager.exe	85
PID 3968 wrote to memory of 204	3968	Windows Session Manager.exe	85
PID 3968 wrote to memory of 204	3968	Windows Session Manager.exe	85
PID 3968 wrote to memory of 3836	3968	Windows Session Manager.exe	87
PID 3968 wrote to memory of 3836	3968	Windows Session Manager.exe	87
PID 3968 wrote to memory of 3836	3968	Windows Session Manager.exe	87
PID 3836 wrote to memory of 1364	3836	cmd.exe	89
PID 3836 wrote to memory of 1364	3836	cmd.exe	89
PID 3836 wrote to memory of 1364	3836	cmd.exe	89
PID 1364 wrote to memory of 3864	1364	net.exe	90
PID 1364 wrote to memory of 3864	1364	net.exe	90
PID 1364 wrote to memory of 3864	1364	net.exe	90
PID 3968 wrote to memory of 2884	3968	Windows Session Manager.exe	91
PID 3968 wrote to memory of 2884	3968	Windows Session Manager.exe	91
PID 3968 wrote to memory of 2884	3968	Windows Session Manager.exe	91
PID 2884 wrote to memory of 1416	2884	cmd.exe	93
PID 2884 wrote to memory of 1416	2884	cmd.exe	93
PID 2884 wrote to memory of 1416	2884	cmd.exe	93
PID 1416 wrote to memory of 3564	1416	net.exe	94
PID 1416 wrote to memory of 3564	1416	net.exe	94
PID 1416 wrote to memory of 3564	1416	net.exe	94
PID 3968 wrote to memory of 3496	3968	Windows Session Manager.exe	95
PID 3968 wrote to memory of 3496	3968	Windows Session Manager.exe	95
PID 3968 wrote to memory of 3496	3968	Windows Session Manager.exe	95
PID 3496 wrote to memory of 3880	3496	cmd.exe	97
PID 3496 wrote to memory of 3880	3496	cmd.exe	97
PID 3496 wrote to memory of 3880	3496	cmd.exe	97
PID 3880 wrote to memory of 3912	3880	net.exe	98
PID 3880 wrote to memory of 3912	3880	net.exe	98
PID 3880 wrote to memory of 3912	3880	net.exe	98
PID 3968 wrote to memory of 2156	3968	Windows Session Manager.exe	99
PID 3968 wrote to memory of 2156	3968	Windows Session Manager.exe	99
PID 3968 wrote to memory of 2156	3968	Windows Session Manager.exe	99
PID 2156 wrote to memory of 1892	2156	cmd.exe	101
PID 2156 wrote to memory of 1892	2156	cmd.exe	101
PID 2156 wrote to memory of 1892	2156	cmd.exe	101
PID 3968 wrote to memory of 2544	3968	Windows Session Manager.exe	102
PID 3968 wrote to memory of 2544	3968	Windows Session Manager.exe	102
PID 3968 wrote to memory of 2544	3968	Windows Session Manager.exe	102
PID 2544 wrote to memory of 1608	2544	cmd.exe	104
PID 2544 wrote to memory of 1608	2544	cmd.exe	104
PID 2544 wrote to memory of 1608	2544	cmd.exe	104
PID 3968 wrote to memory of 2516	3968	Windows Session Manager.exe	105
PID 3968 wrote to memory of 2516	3968	Windows Session Manager.exe	105
PID 3968 wrote to memory of 2516	3968	Windows Session Manager.exe	105
PID 2516 wrote to memory of 3552	2516	cmd.exe	107
PID 2516 wrote to memory of 3552	2516	cmd.exe	107
PID 2516 wrote to memory of 3552	2516	cmd.exe	107
PID 3552 wrote to memory of 3428	3552	net.exe	108

C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:2544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:3448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:2684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3836
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:3864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:3564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3880
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:3912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:1892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3552
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:3428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  PID:1536
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    PID:3400
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:2744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:2904
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:1220
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  PID:2804
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    PID:3904
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:3880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads