ouroboros | 398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7

Analysis

max time kernel
4294110s
max time network
120s
platform
windows7_x64
resource
win7-20220223-en
submitted
05-03-2022 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
Size

1.3MB
MD5

056a68f7c923ced5e13df36cd7ffba93
SHA1

a386d3650975bafd35aee69cd59b895780b0b70b
SHA256

398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7
SHA512

b218331bbdfc793a490a0b82d38300d1aeb829b355ec91c8a7a80f78772052d6a0dcd7a8bd65d9e85f28b4b010deb0537c9c6cc526381f9f8649fbdae8bb514b

Score

10^/10

ouroboros evasion ransomware spyware stealer

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros

Drops file in Drivers directory 39 IoCs

Processes:

398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\EnterRead.tiff	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeStep.tiff	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\Pictures\TraceRestore.tiff	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe

Drops startup file 1 IoCs

Processes:

398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

Processes:

398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe

description	ioc	process
File created	C:\$Recycle.Bin\S-1-5-21-1405931862-909307831-4085185274-1000\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Media\Heritage\Desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Media\Quirky\Desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Media\Desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File created	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AGWPI80M\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Media\Raga\Desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File created	C:\Program Files\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Media\Cityscape\Desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Media\Characters\Desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I7HKSP8D\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Media\Landscape\Desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File created	C:\Program Files\Microsoft Games\Chess\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Media\Savanna\Desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1405931862-909307831-4085185274-1000\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File created	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SNCNYYOH\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 3 http://www.sfml-dev.org/ip-provider.php
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

description	flow	ioc
HTTP URL	3	http://www.sfml-dev.org/ip-provider.php

Drops file in System32 directory 64 IoCs

Processes:

398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\de-DE\MMDevAPI.dll.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\Dism\en-US\OSProvider.dll.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\prnbr007.inf_loc	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\prnky007.inf_loc	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\eapphost.dll.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\wshtcpip.dll.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00b.inf_amd64_neutral_2e6b718b2b177506\Amd64\EP0NGPUD.GPD	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\rekeywiz.exe.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\ComputerDefaults.exe.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\spwizimg.dll	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Anytime-Upgrade-Results-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.cat	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MobilePC-Client-Sensors-Package~31bf3856ad364e35~amd64~en-US~6.1.7600.16385.cat	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\devmgr.dll.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\usb.inf_amd64_neutral_269d7150439b3372\usbccgp.sys	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\wbem\fr-FR\p2p-pnrp.mfl	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\DevicePairing.dll.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\ucmhc.dll.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\msclmd.inf_loc	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\wsecedit.dll.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\BITSExtensions-Server-Console-DL.man	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\HTTP-DL.man	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SNMP-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\LocationNotifications.exe.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnle004.inf_amd64_neutral_beb9bf23b7202bff\Amd64\LN2192E3.PPD	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\wialx002.inf_loc	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_remote_jobs.help.txt	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\loadperf.dll.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\monitor.inf_loc	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ph3xibc3.inf_amd64_neutral_1da6abc36a79974f\Ph3xIB64MV.dll	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx00y.inf_amd64_neutral_977318f2317f5ddd\Amd64\LXKXLMAC.GPD	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnod002.inf_amd64_neutral_a10c656b6c7c053c\Amd64\OD63FSC.GPD	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\eval\UltimateE\license.rtf	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\mssip32.dll	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\prnrc002.inf_loc	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx004.inf_amd64_neutral_2cf95f307381e481\Amd64\LM2581.GPD	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\brmfcwia.inf_loc	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\appwiz.cpl.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\_Default\Enterprise\license.rtf	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\forfiles.exe.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\mp4sdecd.dll.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\devmgr.dll	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\netcenter.dll.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\Speech\Engines\SR\it-IT\srloc.dll.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\tr-TR\WMPhoto.dll.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00b.inf_amd64_neutral_2e6b718b2b177506\Amd64\EP0NCA9C.CMB	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky009.inf_amd64_neutral_8e54c9ff272b72f1\Amd64\KYFS5400.GPD	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\prnrc00c.inf_loc	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\cmdial32.dll.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\SCardDlg.dll.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\colorcpl.exe.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\netw5v64.inf_loc	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\hpoa1ss.inf_loc	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr006.inf_amd64_neutral_f156853def526447\Amd64\BRM7340U.GPD	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\sisraid4.inf_amd64_neutral_65ab84e9830f6f4b\sisraid4.PNF	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\mciwave.dll.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\icm32.dll.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\cmstp.exe.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\rasplap.dll.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\usb.inf_loc	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnok002.inf_amd64_neutral_616c1e9b7df7d5a9\Amd64\OK7500U5.PPD	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\iasdatastore.dll.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\Microsoft.PowerShell.Security.dll-Help.xml	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Telnet-Client-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.cat	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00e.inf_amd64_neutral_651eeed98428be5e\Amd64\CNBP_300.DLL	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe

Drops file in Program Files directory 64 IoCs

Processes:

398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7ES.DLL.[[email protected]][GRJ61AZPSKH2CY3].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ADRESPEL.POC	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ReviewRouting_Init.xsn	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227419.JPG.[[email protected]][GRJ61AZPSKH2CY3].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-spi-actions.jar	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-execution.xml.[[email protected]][GRJ61AZPSKH2CY3].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util.xml.[[email protected]][GRJ61AZPSKH2CY3].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\drag.png	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01472_.WMF.[[email protected]][GRJ61AZPSKH2CY3].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms.[[email protected]][GRJ61AZPSKH2CY3].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\GMT	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153514.WMF	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png.[[email protected]][GRJ61AZPSKH2CY3].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03012U.BMP	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\tzmappings.[[email protected]][GRJ61AZPSKH2CY3].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-ui.jar	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html.[[email protected]][GRJ61AZPSKH2CY3].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_top_left.png	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01627_.WMF.[[email protected]][GRJ61AZPSKH2CY3].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\hu.pak	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384862.JPG	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mset7db.kic	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Currie.[[email protected]][GRJ61AZPSKH2CY3].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105912.WMF	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02288_.WMF.[[email protected]][GRJ61AZPSKH2CY3].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_MATTE2_PAL.wmv	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\LogoBeta.png.[[email protected]][GRJ61AZPSKH2CY3].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_zh_4.4.0.v20140623020002.jar	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i422_plugin.dll	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0187423.WMF	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsFormsIntegration.resources.dll	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02754U.BMP.[[email protected]][GRJ61AZPSKH2CY3].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\bn.pak	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Sitka	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ClassicPhotoAlbum.potx	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21398_.GIF	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BULLETS.DLL	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_zh_CN.jar.[[email protected]][GRJ61AZPSKH2CY3].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00670_.WMF	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDCAT.DLL	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Microsoft.VisualStudio.Tools.Applications.AddInManager.dll	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00524_.WMF.[[email protected]][GRJ61AZPSKH2CY3].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiBold.ttf	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.zh_CN_5.5.0.165303.jar	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341634.JPG	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Angles.thmx	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libdrawable_plugin.dll.[[email protected]][GRJ61AZPSKH2CY3].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02282_.WMF.[[email protected]][GRJ61AZPSKH2CY3].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0098497.WMF	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0102594.WMF	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ.DLL.[[email protected]][GRJ61AZPSKH2CY3].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\THMBNAIL.PNG.[[email protected]][GRJ61AZPSKH2CY3].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Common Files\System\ado\adojavas.inc	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightRegular.ttf	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_zh_4.4.0.v20140623020002.jar	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\35.png	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341499.JPG.[[email protected]][GRJ61AZPSKH2CY3].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382965.JPG.[[email protected]][GRJ61AZPSKH2CY3].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe

Drops file in Windows directory 64 IoCs

Processes:

398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\ega40869.fon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\Tracking_Schema.sql	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-GPUPipeline-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.mum	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Security.#\33f2c8336e497fc65c9d414c2a7061d8\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.ni.dll	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\diagnostics\system\WindowsMediaPlayerMediaLibrary\es-ES\CL_LocalizationData.psd1	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\msbuild.exe.config	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\it\Microsoft.Build.Engine.resources.dll	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\UiInfo.xml	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\005810b5e7d8802575d07878997d434d\ehiVidCtl.ni.dll	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System\e071297bb06faa961bef045ae5f25fdc\System.ni.dll.aux	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\SqlWorkflowInstanceStoreLogic.sql	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\diagnostics\system\AERO\DiagPackage.diagpkg	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\editUser.aspx.es.resx	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Configuration.dll	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\PolicyDefinitions\it-IT\TabletShell.adml	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-RemoteAssistance-Package-Client~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.mum	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35#\6682e8964200a1336f1dbe49392f7797\System.EnterpriseServices.ni.dll.aux	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Shell-InboxGames-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Boot\EFI\pl-PL\bootmgr.efi.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Help\Windows\it-IT\artcon3.h1s	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\inf\hpoa1sd.PNF	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\inf\mdmcxhv6.PNF	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Media\Savanna\Windows Battery Low.wav	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Resources\Themes\Aero\de-DE\aero.msstyles.mui	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\es\mscorrc.dll	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\sysglobl.dll	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Help\mui\0409\applocker_help.CHM	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Help\mui\0409\reliab.CHM	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Help\Windows\fr-FR\escalate.h1s	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardAddUser.ascx.it.resx	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1053\eula.rtf	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Help\Windows\en-US\firewall.h1s	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\inf\gameport.inf	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\inf\ASP.NET_4.0.30319\0005\aspnet_perf.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\xlicons.exe	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\PolicyDefinitions\fr-FR\LinkLayerTopologyDiscovery.adml	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Tpm.Resources\6.1.0.0_fr_31bf3856ad364e35\microsoft.tpm.resources.dll	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Media\Windows User Account Control.wav	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Branding-Ultimate-Client-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.mum	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Ink.Resources\6.1.0.0_it_31bf3856ad364e35\Microsoft.Ink.Resources.dll	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\ZA-wp1.jpg	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\IME\imekr8\help\imkrpd.chm	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Application.aspx.ja.resx	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Help\mui\0C0A\iismmc.CHM	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\PolicyDefinitions\fr-FR\FramePanes.adml	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Shell-WinIP-Package~31bf3856ad364e35~amd64~et-EE~7.1.7601.16492.mum	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Help\mui\0409\authm.CHM	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_Code\ApplicationConfigurationPage.cs	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\PLA\Rules\it-IT\Rules.System.NetDiagFramework.xml	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Shell-HomeGroup-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.mum	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\inf\SMSvcHost 4.0.0.0\0009\_SMSvcHostPerfCounters.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Client-Refresh-LanguagePack-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.cat	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Windows-WinIP-Package~31bf3856ad364e35~amd64~en-GB~7.1.7601.16492.mum	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\MiguiControls.Resources\1.0.0.0_en_31bf3856ad364e35\MIGUIControls.resources.dll	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Data.Entity.Design\3.5.0.0__b77a5c561934e089\System.Data.Entity.Design.dll	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\inf\de-DE\netavpna.inf_loc	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\prcp.nlp	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Windows.dll	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\error.aspx.de.resx	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\web_lowtrust.config	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Data.dll	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\PolicyDefinitions\fr-FR\DCOM.adml	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-Multimedia-Package~31bf3856ad364e35~amd64~uk-UA~7.1.7601.16492.mum	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Windows\Media\Quirky\Windows Battery Critical.wav	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1064 1152 WerFault.exe 398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
Runs net.exe

pid	pid_target	process	target process
1064	1152	WerFault.exe	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe

pid	process
1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 1152 wrote to memory of 948	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 1152 wrote to memory of 948	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 1152 wrote to memory of 948	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 1152 wrote to memory of 948	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 948 wrote to memory of 524	948	cmd.exe	net.exe
PID 948 wrote to memory of 524	948	cmd.exe	net.exe
PID 948 wrote to memory of 524	948	cmd.exe	net.exe
PID 948 wrote to memory of 524	948	cmd.exe	net.exe
PID 524 wrote to memory of 268	524	net.exe	net1.exe
PID 524 wrote to memory of 268	524	net.exe	net1.exe
PID 524 wrote to memory of 268	524	net.exe	net1.exe
PID 524 wrote to memory of 268	524	net.exe	net1.exe
PID 1152 wrote to memory of 1144	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 1152 wrote to memory of 1144	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 1152 wrote to memory of 1144	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 1152 wrote to memory of 1144	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 1152 wrote to memory of 1216	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 1152 wrote to memory of 1216	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 1152 wrote to memory of 1216	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 1152 wrote to memory of 1216	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 1152 wrote to memory of 292	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 1152 wrote to memory of 292	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 1152 wrote to memory of 292	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 1152 wrote to memory of 292	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 1152 wrote to memory of 1364	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 1152 wrote to memory of 1364	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 1152 wrote to memory of 1364	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 1152 wrote to memory of 1364	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 1364 wrote to memory of 1556	1364	cmd.exe	net.exe
PID 1364 wrote to memory of 1556	1364	cmd.exe	net.exe
PID 1364 wrote to memory of 1556	1364	cmd.exe	net.exe
PID 1364 wrote to memory of 1556	1364	cmd.exe	net.exe
PID 1556 wrote to memory of 1184	1556	net.exe	net1.exe
PID 1556 wrote to memory of 1184	1556	net.exe	net1.exe
PID 1556 wrote to memory of 1184	1556	net.exe	net1.exe
PID 1556 wrote to memory of 1184	1556	net.exe	net1.exe
PID 1152 wrote to memory of 636	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 1152 wrote to memory of 636	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 1152 wrote to memory of 636	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 1152 wrote to memory of 636	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 636 wrote to memory of 1636	636	cmd.exe	net.exe
PID 636 wrote to memory of 1636	636	cmd.exe	net.exe
PID 636 wrote to memory of 1636	636	cmd.exe	net.exe
PID 636 wrote to memory of 1636	636	cmd.exe	net.exe
PID 1636 wrote to memory of 1192	1636	net.exe	net1.exe
PID 1636 wrote to memory of 1192	1636	net.exe	net1.exe
PID 1636 wrote to memory of 1192	1636	net.exe	net1.exe
PID 1636 wrote to memory of 1192	1636	net.exe	net1.exe
PID 1152 wrote to memory of 1484	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 1152 wrote to memory of 1484	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 1152 wrote to memory of 1484	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 1152 wrote to memory of 1484	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 1484 wrote to memory of 1820	1484	cmd.exe	net.exe
PID 1484 wrote to memory of 1820	1484	cmd.exe	net.exe
PID 1484 wrote to memory of 1820	1484	cmd.exe	net.exe
PID 1484 wrote to memory of 1820	1484	cmd.exe	net.exe
PID 1820 wrote to memory of 1684	1820	net.exe	net1.exe
PID 1820 wrote to memory of 1684	1820	net.exe	net1.exe
PID 1820 wrote to memory of 1684	1820	net.exe	net1.exe
PID 1820 wrote to memory of 1684	1820	net.exe	net1.exe
PID 1152 wrote to memory of 2000	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 1152 wrote to memory of 2000	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 1152 wrote to memory of 2000	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 1152 wrote to memory of 2000	1152	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
"C:\Users\Admin\AppData\Local\Temp\398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:524
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:1216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:1184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:1684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:2000
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:1588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  PID:916
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  PID:1972
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    PID:768
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:2032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  PID:1912
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    PID:2044
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:1736
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  PID:1740
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    PID:2008
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:2028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 424
  2⤵
  - Program crash
  PID:1064