ouroboros | c6da46d2abe90035674272a826d1203dde07338e27e3ebefc6335cbedb389019

Resubmissions

25-06-2021 19:07

210625-wj3es9fxde 10

24-06-2021 06:02

210624-78vvv4fkks 10

Analysis

max time kernel
50s
max time network
120s
platform
windows7_x64
resource
win7v20210410
submitted
25-06-2021 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SvHost-3.exe
Size

1.3MB
MD5

6d0cefa5b7f1744aa5dbc041c50b1709
SHA1

023fe5cafe7f0b32bfaf1b3549785e4d36a13b63
SHA256

c6da46d2abe90035674272a826d1203dde07338e27e3ebefc6335cbedb389019
SHA512

fb3bef44b77d7d3b83c42f769236f2c7646f1642d07f3650199d6511a111b31cb917fdc9d776d0e4be5cffb374a162ce4cd09925463b94f9bf8be50501f66631

Score

10^/10

ouroboros xmrig evasion miner ransomware spyware stealer

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	Windows Session Manager.exe

Executes dropped EXE 1 IoCs

pid	Process
1372	Windows Session Manager.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Windows Session Manager.exe

Loads dropped DLL 3 IoCs

pid	Process
1048	SvHost-3.exe
1048	SvHost-3.exe
1048	SvHost-3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Media\Landscape\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\Cookies\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Media\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VLFEZDK1\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Media\Festival\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Media\Garden\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Media\Quirky\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Media\Delta\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Web\Wallpaper\Landscapes\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\93PHUZFG\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenes\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.2.9600.16428_none_4382f60666c7c23b\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Media\Raga\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\MLS6OOW4\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-reg-inf_31bf3856ad364e35_6.1.7601.17514_none_535245f3d98ecb9a\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2513283230-931923277-594887482-1000\desktop.ini	Windows Session Manager.exe
File created	C:\Program Files\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-samplemedia_31bf3856ad364e35_6.1.7600.16385_none_b6b9b223710b3802\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Program Files\desktop.ini	Windows Session Manager.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Web\Wallpaper\Characters\Desktop.ini	Windows Session Manager.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Shell-WinIP-Package~31bf3856ad364e35~amd64~en-US~7.1.7601.16492.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot2\edb00471.log	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\wdma_usb.inf_loc	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\LogFiles\SQM\SQMLogger.etl.007	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\httpapi.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Indexing-Service-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Base-WinIP-Package~31bf3856ad364e35~amd64~da-DK~7.1.7601.16492.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\brmsi03f.bin	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc003.inf_amd64_neutral_47e09b7cc0d9e993\prnrc003.PNF	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\cpu.inf_amd64_neutral_ae5de2e1bf2793c3\intelppm.sys	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\en-US\winver.exe.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\msrd3x40.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\prnrc004.inf_loc	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr00a.inf_amd64_neutral_e7f3f91e6832ef5c\prnbr00a.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00e.inf_amd64_neutral_edc631ff41a34218\Amd64\EP0NGPAB.GPD	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\DevicePairingProxy.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-InternetExplorer-Package-MiniLP~31bf3856ad364e35~amd64~en-US~11.2.9600.16428.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_9_for_KB2639308~31bf3856ad364e35~amd64~~6.1.1.0.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd7400t.xml	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnle002.inf_amd64_neutral_c7564163ba063094\Amd64\LR4500.GPD	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\dhcpcsvc.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SnippingTool-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00d.inf_amd64_neutral_dd61103f3a2743d4\Amd64\EP0NOA9F.DXT	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky002.inf_amd64_neutral_525d9740c77e325f\Amd64\KYCS3232.PPD	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx007.inf_amd64_neutral_0b796ee4978458e2\Amd64\LME322.GPD	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx00d.inf_amd64_neutral_ce7a0b4e23e432ad\Amd64\LXX654DE.GPD	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiasa002.inf_amd64_neutral_6429a42f1243419a\SA6240.icc	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\en-US\encdec.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\bitsprx5.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-UIAnimation-WinIP-Package~31bf3856ad364e35~amd64~zh-CN~7.1.7601.16492.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\faxca003.inf_amd64_neutral_5b8c7c1dda79bef4\CNHF1DR.DLL	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmcxhv6.inf_amd64_neutral_81ba64c5b6150dd3\VSTBS26.SYS	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngt004.inf_amd64_neutral_f5bf8a7ba9dfff55\Amd64\GED71353.PPD	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngt004.inf_amd64_neutral_f5bf8a7ba9dfff55\Amd64\GS1393E3.PPD	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiabr00a.inf_amd64_neutral_6033065925bcc882\wiabr00a.PNF	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-crt-string-l1-1-0.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\NlsLexicons0049.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\hpo63001.icc	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnle004.inf_amd64_neutral_beb9bf23b7202bff\Amd64\LN1342E3.PPD	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiaca00b.inf_amd64_neutral_1aaa057d3d52ea43\CNFRAK.ICC	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\averhbh826_noaverir_x64.inf_amd64_neutral_2fe3b14136d6e46d\averhbh826_noaverir_x64.PNF	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmsun1.inf_amd64_neutral_6184912bd8e5b438\mdmsun1.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\memory.inf_amd64_neutral_c2d2c213c3138487\memory.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpf2100t.gpd	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp8000at.vdf	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky009.inf_amd64_neutral_8e54c9ff272b72f1\Amd64\KYTAS500.GPD	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnle004.inf_amd64_neutral_beb9bf23b7202bff\Amd64\LN2193E3.PPD	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\NetworkList\Icons\StockIcons\house_32.bin	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\usbcir.inf_loc	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mchgr.inf_amd64_neutral_407146dba80d1566\elmsmc.sys	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmcxpv6.inf_amd64_neutral_f62ac4bd04e653d0\mdmcxpv6.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO7X00T.GPD	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\en-US\PresentationHost.exe.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\en-US\takeown.exe.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\en-US\uxtheme.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\Setup\pbkmigr.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\NlsData004a.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\QSVRMGMT.DLL	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-UIAnimation-WinIP-Package~31bf3856ad364e35~amd64~tr-TR~7.1.7601.16492.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\brmsl05f.bin	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnr003.inf_amd64_neutral_c07c33bfb5764bdb\Amd64\NRC60006.GPD	Windows Session Manager.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\DNS-Server-Service-DL.man	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnep00g.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd2500t.xml	Windows Session Manager.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\msadcf.dll	Windows Session Manager.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\PREVIEW.GIF.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tegucigalpa.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jre7\bin\management.dll	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099159.WMF	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME31.CSS	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\jvmticmlr.h	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.WPG.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\profilerinterface.dll	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285780.WMF.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02450_.WMF.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\INCOMING.ICO.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_ja.jar	Windows Session Manager.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montreal.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18197_.WMF.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101980.WMF	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382958.JPG	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01356_.WMF.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Bangkok.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFNOT.ICO.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_On.png	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUB6INTL.DLL.IDX_DLL	Windows Session Manager.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_ja.jar.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Boa_Vista.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\MSOSVINT.DLL.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\APPLAUSE.WAV	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15061_.GIF.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7EN.DLL.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent_partly-cloudy.png	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Moncton.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Hebron.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-tools.xml	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01182_.WMF.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR47B.GIF.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\local_policy.jar.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSTORY.XML	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Enderbury	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Couture.thmx	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099178.WMF.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\CsiSoap.dll.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.config.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01126_.WMF.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll	Windows Session Manager.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-favorites.jar.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Google\Update\1.3.35.452\goopdateres_de.dll.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\TableTextService.dll	Windows Session Manager.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Canary.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00438_.WMF.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00253_.WMF.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\TAB_ON.GIF.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341499.JPG	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceSimplifiedQuanPin.txt	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01330_.GIF.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME13.CSS.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_mid_disable.gif.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console_1.0.300.v20131113-1212.jar	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107458.WMF	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02293_.WMF	Windows Session Manager.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Curacao.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00004_.GIF.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CST6CDT.[[email protected]][6B40842B].Spyro	Windows Session Manager.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\ssef874.fon	Windows Session Manager.exe
File opened for modification	C:\Windows\inf\brmfcmf.PNF	Windows Session Manager.exe
File opened for modification	C:\Windows\inf\mdmomrn3.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\inf\prnlx003.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-f..itmap-ms_sans_serif_31bf3856ad364e35_6.1.7600.16385_none_ac9f9e10add68c8b\sserifer.fon	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..emsupport.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5bddf0f86941c657\imapi2fs.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-iis-aspbinaries_31bf3856ad364e35_6.1.7601.17514_none_eaaa53b67e14526e\axperf.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\Boot\EFI\el-GR\bootmgr.efi.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\Cursors\aero_up_xl.cur	Windows Session Manager.exe
File opened for modification	C:\Windows\Fonts\8514fixt.fon	Windows Session Manager.exe
File opened for modification	C:\Windows\schemas\WCN\FlashConfig.xsd	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..oftwareinstallation_31bf3856ad364e35_6.1.7600.16385_none_ddc3da0b75baa7e0\appmgmts.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe.config	Windows Session Manager.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-WindowsFoundation-LanguagePack-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.mum	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_atiilhag.inf_31bf3856ad364e35_6.1.7601.17514_none_03c46b205be81dfd\atidxx32.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-00000452_31bf3856ad364e35_6.1.7600.16385_none_43a82b387da044dd\KBDUKX.DLL	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\IMEPADSV.EXE	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..onal-codepage-10000_31bf3856ad364e35_6.1.7600.16385_none_802dfa0ae24dedca\C_10000.NLS	Windows Session Manager.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.InfoPath.Client.Internal.Host\14.0.0.0__71e9bce111e9429c\Microsoft.Office.Infopath.Client.Internal.Host.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\normnfkc.nlp	Windows Session Manager.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Xaml.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-Multimedia-Package~31bf3856ad364e35~amd64~nl-NL~7.1.7601.16492.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_zh-cn_3a5350f1e9bfcf28\bootmgr.efi.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\401.htm	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.22091_none_6907efc6abd0db81\api-ms-win-security-base-l1-1-0.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\ehome\Microsoft.MediaCenter.Shell.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\Fonts\Gabriola.ttf	Windows Session Manager.exe
File opened for modification	C:\Windows\inf\hpsamd.PNF	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-audio-dmusic_31bf3856ad364e35_6.1.7600.16385_none_a1e90d98a953d601\dmloader.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\inf\prnhp003.PNF	Windows Session Manager.exe
File opened for modification	C:\Windows\Media\Windows Feed Discovered.wav	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_cpu.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_53476b155eec25b4\intelppm.sys.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-d..nglekanjidictionary_31bf3856ad364e35_6.1.7600.16385_none_0de24903d8036ee0\imjptk.dic	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-2.htm	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-migrationengine_31bf3856ad364e35_6.1.7601.17514_none_b6cddd21f1df8715\SFLCID.dat	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-d..fontcache.resources_31bf3856ad364e35_7.1.7601.16492_tr-tr_ae4517f669ee1a94\FntCache.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq.Parallel\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.Parallel.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Base-WinIP-Package~31bf3856ad364e35~amd64~~7.1.7601.16492.cat	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\32.png	Windows Session Manager.exe
File opened for modification	C:\Windows\inf\ricoh.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\_Networkingperfcounters_v2.ini	Windows Session Manager.exe
File opened for modification	C:\Windows\Panther\DDACLSys.log	Windows Session Manager.exe
File opened for modification	C:\Windows\Panther\MainQueueOnline1.que	Windows Session Manager.exe
File opened for modification	C:\Windows\PolicyDefinitions\fthsvc.admx	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-linkinfo_31bf3856ad364e35_6.1.7600.16385_none_945a23c3bf051859\linkinfo.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\UIAutomationTypes\91def75d3d91a7f7c698cd5c736ca52f\UIAutomationTypes.ni.dll.aux	Windows Session Manager.exe
File opened for modification	C:\Windows\Prefetch\AgGlGlobalHistory.db	Windows Session Manager.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package-MiniLP~31bf3856ad364e35~amd64~el-GR~7.1.7601.16492.mum	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-cpfilters.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e0c5ef8bfeb655c2\cpfilters.dll.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-f..-truetype-levenimmt_31bf3856ad364e35_6.1.7600.16385_none_e0843b84595f479b\lvnmbd.ttf	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\501.htm	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-b..gine-main.resources_31bf3856ad364e35_6.1.7600.16385_en-us_25fc190843a42591\wbengine.exe.mui	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-cryptdll-dll_31bf3856ad364e35_6.1.7600.16385_none_6193778dc77677cc\cryptdll.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\inf\mdmnova.PNF	Windows Session Manager.exe
File opened for modification	C:\Windows\inf\secrecs.inf	Windows Session Manager.exe
File opened for modification	C:\Windows\Media\recycle.wav	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_brmfcwia.inf_31bf3856ad364e35_6.1.7600.16385_none_11493a3982b640b7\brmsl06f.icm	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_bth.inf_31bf3856ad364e35_6.1.7601.17514_none_d06ac9aad230c1d6\fsquirt.exe	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-aerodiagnostic_31bf3856ad364e35_6.1.7600.16385_none_4734ae48c8e465f5\CL_VideoMemory.ps1	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_6.1.7600.16385_none_df4bbe8e10903104\8514syse.fon	Windows Session Manager.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.22091_none_6907efc6abd0db81\api-ms-win-core-delayload-l1-1-0.dll	Windows Session Manager.exe
File opened for modification	C:\Windows\ehome\ehshell.dll	Windows Session Manager.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 7 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Start Menu\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\pack\8:Ŵ\ Ŵ\¨ªŴ\²´񯅴\¼¾򆅴\ÆÈ혴Ŵ\ÐÒ튐Ŵ\ÚÜ컬Ŵ\äæ쭈Ŵ\îð잤Ŵ\øú쐀Ŵ\ĂĄ쁜Ŵ\ČĎ벸Ŵ\ĖĘ뤔Ŵ\ĠĢ땰Ŵ\ĪĬ뇌Ŵ\ĴĶ긨Ŵ\ľŀꪄŴ\ňŊꛠŴ\ŒŔꌼŴ\ŜŞ龘Ŵ\ŦŨ鯴Ŵ\ŰŲ顐Ŵ\źż钬Ŵ\ƄƆ鄈Ŵ\ƎƐ赤Ŵ\Ƙƚ觀Ŵ\ƢƤ蘜Ŵ\ƬƮ艸Ŵ\ƶƸ绔Ŵ\ǀǂ笰Ŵ\Āǌ㙀\Ҏ	Windows Session Manager.exe
File opened for modification	C:\Users\All Users\Desktop\Updater6\Adob\:<Ŵ\LNŴ\VX񯅴\`b򆅴\jl혴Ŵ\tv튐Ŵ\~컬Ŵ\쭈Ŵ\잤Ŵ\쐀Ŵ\¦¨쁜Ŵ\°²벸Ŵ\º¼뤔Ŵ\ÄÆ땰Ŵ\ÎÐ뇌Ŵ\ØÚ긨Ŵ\âäꪄŴ\ìîꛠŴ\öøꌼŴ\ĀĂ龘Ŵ\ĊČ鯴Ŵ\ĔĖ顐Ŵ\ĞĠ钬Ŵ\ĨĪ鄈Ŵ\ĲĴ赤Ŵ\ļľ觀Ŵ\ņň蘜Ŵ\ŐŒ艸Ŵ\ŚŜ绔Ŵ\ŤŦ笰Ŵ\ŮŰ瞌Ŵ\Ÿź珨Ŵ\ƂƄ灄Ŵ\ƌƎ沠Ŵ\ƖƘE\ƠƢ敘Ŵ\ƪƬ憴Ŵ\Ʋƴ帐Ŵ\Ƽƾ婬Ŵ\ǆǈ囈Ŵ\Āǒ㙀\ƅ	Windows Session Manager.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2513283230-931923277-594887482-1000\desk\8:ś\ś\ś\¦¨ś\°²񱅛\º¼򈅛\`혼śЂ	Windows Session Manager.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2513283230-931923277-594887482-1000\desk\8:ü\ü\ü\¦¨ü\°²ü	Windows Session Manager.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2513283230-931923277-594887482-1000\desk\8:Ŵ\Ŵ\Ŵ\¦¨Ŵ\°²񯅴\º¼򆅴\ÄÆ혴Ŵ\ÎÐ튐Ŵ\ØÚ컬Ŵ\âä쭈Ŵ\ìî잤Ŵ	Windows Session Manager.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-2513283230-931923277-594887482-1000\desk\8:Ĝ\Ĝ\Ĝ\¦¨Ĝ\°²Ĝ\º¼󢄜\ÄÆ󹄜\ÎÐ	Windows Session Manager.exe
File opened for modification	C:\ProgramData\Start Menu\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\pack\8:ś\ ś\¨ªś\²´񱅛\¼¾򈅛\ÆÈ혼ś\ÐÒ튘ś\ÚÜ컴ś\äæ쭐ś\îð재ś\øú쐈ś\ĂĄ쁤ś\ČĎ변ś\ĖĘ뤜ś\ĠĢ땸ś\ĪĬ뇔ś\ĴĶ기ś\ľŀꪌś\ňŊꛨś\ŒŔꍄś\ŜŞ龠ś\﮸b鯼ś@\ŰŲ願ś	Windows Session Manager.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1372	Windows Session Manager.exe
1372	Windows Session Manager.exe
1372	Windows Session Manager.exe
1372	Windows Session Manager.exe
1372	Windows Session Manager.exe
1372	Windows Session Manager.exe
1372	Windows Session Manager.exe
1372	Windows Session Manager.exe
1372	Windows Session Manager.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1392	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1392	taskmgr.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 1372	1048	SvHost-3.exe	32
PID 1048 wrote to memory of 1372	1048	SvHost-3.exe	32
PID 1048 wrote to memory of 1372	1048	SvHost-3.exe	32
PID 1048 wrote to memory of 1372	1048	SvHost-3.exe	32
PID 1372 wrote to memory of 772	1372	Windows Session Manager.exe	34
PID 1372 wrote to memory of 772	1372	Windows Session Manager.exe	34
PID 1372 wrote to memory of 772	1372	Windows Session Manager.exe	34
PID 1372 wrote to memory of 772	1372	Windows Session Manager.exe	34
PID 772 wrote to memory of 684	772	cmd.exe	36
PID 772 wrote to memory of 684	772	cmd.exe	36
PID 772 wrote to memory of 684	772	cmd.exe	36
PID 772 wrote to memory of 684	772	cmd.exe	36
PID 684 wrote to memory of 1776	684	net.exe	37
PID 684 wrote to memory of 1776	684	net.exe	37
PID 684 wrote to memory of 1776	684	net.exe	37
PID 684 wrote to memory of 1776	684	net.exe	37
PID 1372 wrote to memory of 1520	1372	Windows Session Manager.exe	38
PID 1372 wrote to memory of 1520	1372	Windows Session Manager.exe	38
PID 1372 wrote to memory of 1520	1372	Windows Session Manager.exe	38
PID 1372 wrote to memory of 1520	1372	Windows Session Manager.exe	38
PID 1372 wrote to memory of 340	1372	Windows Session Manager.exe	40
PID 1372 wrote to memory of 340	1372	Windows Session Manager.exe	40
PID 1372 wrote to memory of 340	1372	Windows Session Manager.exe	40
PID 1372 wrote to memory of 340	1372	Windows Session Manager.exe	40
PID 1372 wrote to memory of 1576	1372	Windows Session Manager.exe	42
PID 1372 wrote to memory of 1576	1372	Windows Session Manager.exe	42
PID 1372 wrote to memory of 1576	1372	Windows Session Manager.exe	42
PID 1372 wrote to memory of 1576	1372	Windows Session Manager.exe	42
PID 1372 wrote to memory of 552	1372	Windows Session Manager.exe	44
PID 1372 wrote to memory of 552	1372	Windows Session Manager.exe	44
PID 1372 wrote to memory of 552	1372	Windows Session Manager.exe	44
PID 1372 wrote to memory of 552	1372	Windows Session Manager.exe	44
PID 552 wrote to memory of 1908	552	cmd.exe	46
PID 552 wrote to memory of 1908	552	cmd.exe	46
PID 552 wrote to memory of 1908	552	cmd.exe	46
PID 552 wrote to memory of 1908	552	cmd.exe	46
PID 1908 wrote to memory of 540	1908	net.exe	47
PID 1908 wrote to memory of 540	1908	net.exe	47
PID 1908 wrote to memory of 540	1908	net.exe	47
PID 1908 wrote to memory of 540	1908	net.exe	47
PID 1372 wrote to memory of 1624	1372	Windows Session Manager.exe	48
PID 1372 wrote to memory of 1624	1372	Windows Session Manager.exe	48
PID 1372 wrote to memory of 1624	1372	Windows Session Manager.exe	48
PID 1372 wrote to memory of 1624	1372	Windows Session Manager.exe	48
PID 1624 wrote to memory of 1652	1624	cmd.exe	50
PID 1624 wrote to memory of 1652	1624	cmd.exe	50
PID 1624 wrote to memory of 1652	1624	cmd.exe	50
PID 1624 wrote to memory of 1652	1624	cmd.exe	50
PID 1652 wrote to memory of 1016	1652	net.exe	51
PID 1652 wrote to memory of 1016	1652	net.exe	51
PID 1652 wrote to memory of 1016	1652	net.exe	51
PID 1652 wrote to memory of 1016	1652	net.exe	51
PID 1372 wrote to memory of 1148	1372	Windows Session Manager.exe	52
PID 1372 wrote to memory of 1148	1372	Windows Session Manager.exe	52
PID 1372 wrote to memory of 1148	1372	Windows Session Manager.exe	52
PID 1372 wrote to memory of 1148	1372	Windows Session Manager.exe	52
PID 1148 wrote to memory of 612	1148	cmd.exe	54
PID 1148 wrote to memory of 612	1148	cmd.exe	54
PID 1148 wrote to memory of 612	1148	cmd.exe	54
PID 1148 wrote to memory of 612	1148	cmd.exe	54
PID 612 wrote to memory of 1172	612	net.exe	55
PID 612 wrote to memory of 1172	612	net.exe	55
PID 612 wrote to memory of 1172	612	net.exe	55
PID 612 wrote to memory of 1172	612	net.exe	55

C:\Users\Admin\AppData\Local\Temp\SvHost-3.exe
"C:\Users\Admin\AppData\Local\Temp\SvHost-3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops startup file
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\Windows\SysWOW64\net.exe
      net stop MSDTC
      4⤵
      Suspicious use of WriteProcessMemory
      PID:684
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSDTC
        5⤵
        
        PID:1776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
    3⤵
    PID:340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:552
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLSERVERAGENT
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1908
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLSERVERAGENT
        5⤵
        
        PID:540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLSERVER
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1652
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLSERVER
        5⤵
        
        PID:1016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop vds
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Windows\SysWOW64\net.exe
      net stop vds
      4⤵
      Suspicious use of WriteProcessMemory
      PID:612
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop vds
        5⤵
        
        PID:1172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
    3⤵
    PID:1776
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall set currentprofile state off
      4⤵
      PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
    3⤵
    PID:1556
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall set opmode mode=disable
      4⤵
      PID:672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop SQLWriter
    3⤵
    PID:540
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLWriter
      4⤵
      PID:804
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        5⤵
        
        PID:1384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:1016
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLBrowser
      4⤵
      PID:1712
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        5⤵
        
        PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
    3⤵
    PID:1172
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLSERVER
      4⤵
      PID:828
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLSERVER
        5⤵
        
        PID:548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
    3⤵
    PID:1904
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$CONTOSO1
      4⤵
      PID:1584
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$CONTOSO1
        5⤵
        
        PID:928

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1048-60-0x0000000075721000-0x0000000075723000-memory.dmp

Filesize
8KB

Download
memory/1392-102-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp

Filesize
8KB

Download