ouroboros | 05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9

Analysis

max time kernel
51s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
05-03-2022 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
Size

1.3MB
MD5

815f827cbedec5631f73178fd1ac9aa8
SHA1

faea120b3544f66dd88e237b2422897d50612ba3
SHA256

05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9
SHA512

9ffaf31f9a9cad70af30ffe9fbddff6598632da78cab14e4c83ae6e2a69ef7be219a7fc56fc34980ae4f8682cac021b9c48d197927895e584eb124731db0103e

Score

10^/10

ouroboros evasion ransomware spyware stealer

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\EnableSend.tiff	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Media\Desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File created	C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Admin\Cookies\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File created	C:\Program Files\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Public\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

description	flow	ioc
HTTP URL	9	http://www.sfml-dev.org/ip-provider.php

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\regedit.exe	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\cacerts.pem	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-48.png	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml.[[email protected]][C9ULBQ0HMWFVONA].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\ole db\xmlrw.dll.[[email protected]][C9ULBQ0HMWFVONA].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msolui.dll.[[email protected]][C9ULBQ0HMWFVONA].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml.[[email protected]][C9ULBQ0HMWFVONA].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-common.xml	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsSmallTile.scale-125.png	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-80.png	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ppd.xrm-ms.[[email protected]][C9ULBQ0HMWFVONA].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-150.png	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxSmallTile.scale-125.png	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected]	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StopwatchLargeTile.contrast-black_scale-100.png	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\css\main.css	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\icudt26l.dat.[[email protected]][C9ULBQ0HMWFVONA].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.[[email protected]][C9ULBQ0HMWFVONA].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ul-oob.xrm-ms.[[email protected]][C9ULBQ0HMWFVONA].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\169.png	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookSmallTile.scale-200.png	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml.[[email protected]][C9ULBQ0HMWFVONA].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-48_altform-unplated.png	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\LargeTile.scale-100.png	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\larrow.gif.[[email protected]][C9ULBQ0HMWFVONA].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\editpdf-selector.js	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\zh-CN.pak	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-180.png	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_pound_Loud.m4a	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml.[[email protected]][C9ULBQ0HMWFVONA].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.docs.ja_5.5.0.165303.jar.[[email protected]][C9ULBQ0HMWFVONA].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeMediumTile.scale-100.png	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\es-es\ui-strings.js	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateCore.exe.[[email protected]][C9ULBQ0HMWFVONA].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageWideTile.scale-125.png	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Logo.scale-100_contrast-white.png	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\PREVIEW.GIF	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-file-l2-1-0.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.ja_5.5.0.165303.jar.[[email protected]][C9ULBQ0HMWFVONA].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALNBI.TTF.[[email protected]][C9ULBQ0HMWFVONA].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ca-es\ui-strings.js	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nb-no.dll.[[email protected]][C9ULBQ0HMWFVONA].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\ssv.dll.[[email protected]][C9ULBQ0HMWFVONA].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\GRINTL32.DLL	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ppd.xrm-ms.[[email protected]][C9ULBQ0HMWFVONA].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ul-oob.xrm-ms.[[email protected]][C9ULBQ0HMWFVONA].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-200_contrast-white.png	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\Timer3Sec.targetsize-32.png	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup.jar.[[email protected]][C9ULBQ0HMWFVONA].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\97.0.1072.55\Locales\it.pak.[[email protected]][C9ULBQ0HMWFVONA].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\jconsole.jar.[[email protected]][C9ULBQ0HMWFVONA].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ppd.xrm-ms	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-400_contrast-white.png	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_altform-unplated_contrast-black.png	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml.[[email protected]][C9ULBQ0HMWFVONA].help	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-ms	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Grid.Windows.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-72.png	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_contrast-black.png	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\en-US\msadcor.dll.mui	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\en-US\MSFT_PackageManagementSource.strings.psd1	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\managePermissions.aspx	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing.resources\v4.0_4.0.0.0_it_b03f5f7f11d50a3a\System.Drawing.resources.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Timer\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Timer.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Mobile.resources\v4.0_4.0.0.0_it_b03f5f7f11d50a3a\System.Web.Mobile.resources.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe.config	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Boot\EFI\lv-LV\bootmgr.efi.mui	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Cursors\aero_nesw.cur	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Fonts\Gabriola.ttf	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Fonts\mmrtextb.ttf	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ja\System.Drawing.resources.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\editUser.aspx	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Web\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Web.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\Fonts\GlobalSansSerif.CompositeFont	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\1041\CvtResUI.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\3ef04b2ab7a69aa8d90d3a62538479e4\Microsoft.PowerShell.ConsoleHost.ni.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\images\TinyTile.scale-100.png	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fr\System.Numerics.resources.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.IdentityModel.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\diagnostics\system\Power\TS_MinProcessorState.ps1	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Fonts\MSUIGHUB.TTF	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\es\aspnet.mfl.uninstall	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\it-IT\ServiceModelRegUI.dll.mui	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Fonts\seriff.fon	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Panther\Contents0.dir	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\es\System.ServiceModel.Channels.resources.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G46fcc235#\903ffecbd077dc9907c3618278188386\Microsoft.GroupPolicy.Interop.ni.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\IME\IMETC\HELP\IMTCTC14.CHM	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\_difr.x3d	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Resources.Writer\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Resources.Writer.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Cursors\aero_person.cur	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\diagnostics\system\Printer\RS_PrinterDriver.ps1	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\es\System.Drawing.Design.resources.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\App_LocalResources\manageProviders.aspx.de.resx	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Printing.resources\v4.0_4.0.0.0_es_31bf3856ad364e35\System.Printing.resources.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\ja\PresentationCore.resources.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\home0.aspx.it.resx	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Cursors\pin_l.cur	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\diagnostics\system\Video\CL_MutexVerifiers.ps1	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\INF\mdmbw561.inf	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ReachFramework.resources\v4.0_4.0.0.0_de_31bf3856ad364e35\ReachFramework.resources.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Application.aspx.resx	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\INF\mdmnttp.inf	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_Code\SecurityPage.cs	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\es\PresentationBuildTasks.resources.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Resources.ResourceManager.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\de\Tracking_Schema.sql	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Cursors\aero_unavail_xl.cur	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Fonts\ARIALN.TTF	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\INF\usbport.inf	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Tasks.v4.0.resources\v4.0_4.0.0.0_it_b03f5f7f11d50a3a\Microsoft.Build.Tasks.v4.0.resources.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\diagnostics\system\Search\it-IT\DiagPackage.dll.mui	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfcm100_x86	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\PolicyDefinitions\Msi-FileRecovery.admx	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\cryptocme.sig	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Editor.Resources\v4.0_3.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Editor.Resources.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\it\UIAutomationProvider.resources.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\diagnostics\index\MaintenanceDiagnostic.xml	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\INF\c_netclient.inf	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Boot\PCAT\fi-FI\memtest.exe.mui	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\INF\hidspi_km.inf	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Application.aspx.es.resx	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\de\System.ServiceModel.Channels.resources.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ServiceModel.Routing.dll	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe

Program crash 7 IoCs

pid	pid_target	Process	procid_target
3344	8	WerFault.exe	38
5032	3028	WerFault.exe	143
2096	4108	WerFault.exe	150
3296	1008	WerFault.exe	154
3648	2828	WerFault.exe	157
3596	4928	WerFault.exe	162
312	2172	WerFault.exe	165

NTFS ADS 20 IoCs

description	ioc	Process
File opened for modification	C:\Users\Default\Documents\My Music\䖠cr:<狰\㜀承瞒LNᧀ	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Default\Documents\My Pictures\䖠cr:<狰\薠承瞒RT蔸	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Default\Documents\My Pictures\원cr:<豈\奘엌RT常	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Default\Documents\My Videos\원cr:<豈\㜀엌NPአ	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\獸眔७8:溰	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\de8:烸	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\All Users\Desktop\Setup\{A:<賂	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Default\Documents\My Videos\Mi:<湰	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\ឰsk8:ᮠ	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\All Users\Desktop\Setup\䖠C7:<梈	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Default\Documents\My Pictures\Mi:<湰	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Default\Documents\My Music\점cr:<ﶀ\㟀엌LNᙨ	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Default\Documents\My Videos\점cr:<ﶀ\㜀엌NPᙨ	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\de8:ᮠ	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Default\Documents\My Videos\䖠cr:<狰\㮀承瞒NPᚨ	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Default\Documents\My Music\Mi:<湰	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\All Users\Desktop\Setup\䯠C7:<⁨	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Default\Documents\My Pictures\점cr:<ﶀ\䑸엌RT䓠	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\All Users\Desktop\Setup\욀C7:<鹠	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
File opened for modification	C:\Users\Default\Documents\My Music\원cr:<豈\㣠엌LNፐ	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 572 wrote to memory of 1148	572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	80
PID 572 wrote to memory of 1148	572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	80
PID 572 wrote to memory of 1148	572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	80
PID 1148 wrote to memory of 1520	1148	cmd.exe	82
PID 1148 wrote to memory of 1520	1148	cmd.exe	82
PID 1148 wrote to memory of 1520	1148	cmd.exe	82
PID 1520 wrote to memory of 1656	1520	net.exe	83
PID 1520 wrote to memory of 1656	1520	net.exe	83
PID 1520 wrote to memory of 1656	1520	net.exe	83
PID 572 wrote to memory of 1908	572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	84
PID 572 wrote to memory of 1908	572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	84
PID 572 wrote to memory of 1908	572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	84
PID 572 wrote to memory of 2288	572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	86
PID 572 wrote to memory of 2288	572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	86
PID 572 wrote to memory of 2288	572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	86
PID 572 wrote to memory of 2680	572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	88
PID 572 wrote to memory of 2680	572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	88
PID 572 wrote to memory of 2680	572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	88
PID 572 wrote to memory of 3268	572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	90
PID 572 wrote to memory of 3268	572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	90
PID 572 wrote to memory of 3268	572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	90
PID 3268 wrote to memory of 544	3268	cmd.exe	92
PID 3268 wrote to memory of 544	3268	cmd.exe	92
PID 3268 wrote to memory of 544	3268	cmd.exe	92
PID 544 wrote to memory of 1956	544	net.exe	93
PID 544 wrote to memory of 1956	544	net.exe	93
PID 544 wrote to memory of 1956	544	net.exe	93
PID 572 wrote to memory of 4496	572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	94
PID 572 wrote to memory of 4496	572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	94
PID 572 wrote to memory of 4496	572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	94
PID 4496 wrote to memory of 4824	4496	cmd.exe	96
PID 4496 wrote to memory of 4824	4496	cmd.exe	96
PID 4496 wrote to memory of 4824	4496	cmd.exe	96
PID 4824 wrote to memory of 4620	4824	net.exe	97
PID 4824 wrote to memory of 4620	4824	net.exe	97
PID 4824 wrote to memory of 4620	4824	net.exe	97
PID 572 wrote to memory of 3432	572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	98
PID 572 wrote to memory of 3432	572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	98
PID 572 wrote to memory of 3432	572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	98
PID 3432 wrote to memory of 1008	3432	cmd.exe	100
PID 3432 wrote to memory of 1008	3432	cmd.exe	100
PID 3432 wrote to memory of 1008	3432	cmd.exe	100
PID 1008 wrote to memory of 4900	1008	net.exe	101
PID 1008 wrote to memory of 4900	1008	net.exe	101
PID 1008 wrote to memory of 4900	1008	net.exe	101
PID 572 wrote to memory of 1132	572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	102
PID 572 wrote to memory of 1132	572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	102
PID 572 wrote to memory of 1132	572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	102
PID 1132 wrote to memory of 4780	1132	cmd.exe	104
PID 1132 wrote to memory of 4780	1132	cmd.exe	104
PID 1132 wrote to memory of 4780	1132	cmd.exe	104
PID 572 wrote to memory of 1736	572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	105
PID 572 wrote to memory of 1736	572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	105
PID 572 wrote to memory of 1736	572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	105
PID 1736 wrote to memory of 2776	1736	cmd.exe	107
PID 1736 wrote to memory of 2776	1736	cmd.exe	107
PID 1736 wrote to memory of 2776	1736	cmd.exe	107
PID 572 wrote to memory of 3276	572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	108
PID 572 wrote to memory of 3276	572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	108
PID 572 wrote to memory of 3276	572	05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe	108
PID 3276 wrote to memory of 364	3276	cmd.exe	110
PID 3276 wrote to memory of 364	3276	cmd.exe	110
PID 3276 wrote to memory of 364	3276	cmd.exe	110
PID 364 wrote to memory of 1712	364	net.exe	111

C:\Users\Admin\AppData\Local\Temp\05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe
"C:\Users\Admin\AppData\Local\Temp\05e429f9f9f76709b2b6efe6509e2a82e36e635f5dcfdb8ae9b49e2301751eb9.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:1656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:2288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:2680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3268
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:1956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:4620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3432
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1008
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:4900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:4780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:2776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3276
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:364
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:1712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  PID:4972
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    PID:4448
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:4492
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:2972
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:4648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  PID:648
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    PID:3512
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:224

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 8 -ip 8
1⤵
PID:4004

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 8 -s 5480
1⤵
- Program crash
PID:3344

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:4824

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1900

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3028
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3028 -s 4144
  2⤵
  - Program crash
  PID:5032

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 504 -p 3028 -ip 3028
1⤵
PID:3732

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4108
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4108 -s 3888
  2⤵
  - Program crash
  PID:2096

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 4108 -ip 4108
1⤵
PID:3304

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1008
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1008 -s 3876
  2⤵
  - Program crash
  PID:3296

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 1008 -ip 1008
1⤵
PID:3184

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2828
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2828 -s 3976
  2⤵
  - Program crash
  PID:3648

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 2828 -ip 2828
1⤵
PID:3800

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4928
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4928 -s 3880
  2⤵
  - Program crash
  PID:3596

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 564 -p 4928 -ip 4928
1⤵
PID:432

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2172
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2172 -s 4464
  2⤵
  - Program crash
  PID:312

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 2172 -ip 2172
1⤵
PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2704-136-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/4824-134-0x00000255A5F80000-0x00000255A5F84000-memory.dmp

Filesize
16KB

Download
memory/4824-133-0x00000255A5D90000-0x00000255A5DA0000-memory.dmp

Filesize
64KB

Download
memory/4824-132-0x00000255A5B60000-0x00000255A5B70000-memory.dmp

Filesize
64KB

Download