ouroboros | 398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7

Analysis

max time kernel
102s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
05-03-2022 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
Size

1.3MB
MD5

056a68f7c923ced5e13df36cd7ffba93
SHA1

a386d3650975bafd35aee69cd59b895780b0b70b
SHA256

398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7
SHA512

b218331bbdfc793a490a0b82d38300d1aeb829b355ec91c8a7a80f78772052d6a0dcd7a8bd65d9e85f28b4b010deb0537c9c6cc526381f9f8649fbdae8bb514b

Score

10^/10

ouroboros evasion ransomware spyware stealer

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 1 IoCs

Processes:

398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 47 IoCs

Processes:

398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-790714498-1549421491-1643397139-1000\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File created	C:\$Recycle.Bin\S-1-5-21-790714498-1549421491-1643397139-1000\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\Cookies\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File created	C:\Program Files\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 21 http://www.sfml-dev.org/ip-provider.php

description	flow	ioc
HTTP URL	21	http://www.sfml-dev.org/ip-provider.php

Drops file in Program Files directory 64 IoCs

Processes:

398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-180.png.[[email protected]][EBY0FPLKMI3NVS1].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-125_contrast-white.png	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_pt-BR.dll	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libopus_plugin.dll.[[email protected]][EBY0FPLKMI3NVS1].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-48_altform-unplated_contrast-white.png	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_ja.jar	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html.[[email protected]][EBY0FPLKMI3NVS1].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libsvcdsub_plugin.dll	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\nacl_irt_x86_64.nexe.DATA	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-pl.xrm-ms.[[email protected]][EBY0FPLKMI3NVS1].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libdirectsound_plugin.dll	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsMedTile.scale-125.png	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf.[[email protected]][EBY0FPLKMI3NVS1].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.dll.[[email protected]][EBY0FPLKMI3NVS1].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\jvmticmlr.h	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe.[[email protected]][EBY0FPLKMI3NVS1].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml.[[email protected]][EBY0FPLKMI3NVS1].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\CHAKRACORE.DLL	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-100.png	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms.[[email protected]][EBY0FPLKMI3NVS1].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF.[[email protected]][EBY0FPLKMI3NVS1].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ppd.xrm-ms.[[email protected]][EBY0FPLKMI3NVS1].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_ecc.dll.[[email protected]][EBY0FPLKMI3NVS1].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pl\msipc.dll.mui.[[email protected]][EBY0FPLKMI3NVS1].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.nl_ja_4.4.0.v20140623020002.jar	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Green.xml.[[email protected]][EBY0FPLKMI3NVS1].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleMedTile.scale-125.png	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-white_scale-100.png	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Edge.dat.DATA	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe.[[email protected]][EBY0FPLKMI3NVS1].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Retail\NinjaCatOnDragon.scale-125.png	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_ja.jar.[[email protected]][EBY0FPLKMI3NVS1].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\dnsns.jar.[[email protected]][EBY0FPLKMI3NVS1].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-80.png	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\TecProxy.dll.[[email protected]][EBY0FPLKMI3NVS1].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe.[[email protected]][EBY0FPLKMI3NVS1].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-256_contrast-white.png	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\8041_32x32x32.png	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarWideTile.scale-125.png	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms.[[email protected]][EBY0FPLKMI3NVS1].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AdeModule.dll.[[email protected]][EBY0FPLKMI3NVS1].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ppd.xrm-ms.[[email protected]][EBY0FPLKMI3NVS1].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-150_contrast-black.png	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-il\ui-strings.js	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\AppxManifest.xml	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\react.uwp.dll	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\ui-strings.js	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\TestResults.Tests.ps1	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\booklist.gif.[[email protected]][EBY0FPLKMI3NVS1].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ppd.xrm-ms.[[email protected]][EBY0FPLKMI3NVS1].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-24_altform-lightunplated.png	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-30_altform-lightunplated.png	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailBadge.scale-200.png	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-pl.xrm-ms.[[email protected]][EBY0FPLKMI3NVS1].Horizon	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-disabled_32.svg	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\ContainExactly.Tests.ps1	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3696 2308 WerFault.exe
2604 60 WerFault.exe SearchApp.exe

pid	pid_target	process	target process
3696	2308	WerFault.exe
2604	60	WerFault.exe	SearchApp.exe

NTFS ADS 4 IoCs

Processes:

398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\S-1-5-21-790714498-1549421491-1643397139-1000\de8:ࡀŞ	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-790714498-1549421491-1643397139-1000\曀şsk8:所ş	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-790714498-1549421491-1643397139-1000\߸Şsk8:࢈Ş	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-790714498-1549421491-1643397139-1000\de8:š	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe

pid	process
32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.execmd.execmd.exenet.exe

description	pid	process	target process
PID 32 wrote to memory of 2220	32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 32 wrote to memory of 2220	32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 32 wrote to memory of 2220	32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 2220 wrote to memory of 3932	2220	cmd.exe	net.exe
PID 2220 wrote to memory of 3932	2220	cmd.exe	net.exe
PID 2220 wrote to memory of 3932	2220	cmd.exe	net.exe
PID 3932 wrote to memory of 2432	3932	net.exe	net1.exe
PID 3932 wrote to memory of 2432	3932	net.exe	net1.exe
PID 3932 wrote to memory of 2432	3932	net.exe	net1.exe
PID 32 wrote to memory of 3576	32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 32 wrote to memory of 3576	32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 32 wrote to memory of 3576	32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 32 wrote to memory of 4024	32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 32 wrote to memory of 4024	32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 32 wrote to memory of 4024	32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 32 wrote to memory of 1928	32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 32 wrote to memory of 1928	32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 32 wrote to memory of 1928	32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 32 wrote to memory of 1840	32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 32 wrote to memory of 1840	32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 32 wrote to memory of 1840	32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 1840 wrote to memory of 3052	1840	cmd.exe	net.exe
PID 1840 wrote to memory of 3052	1840	cmd.exe	net.exe
PID 1840 wrote to memory of 3052	1840	cmd.exe	net.exe
PID 3052 wrote to memory of 3284	3052	net.exe	net1.exe
PID 3052 wrote to memory of 3284	3052	net.exe	net1.exe
PID 3052 wrote to memory of 3284	3052	net.exe	net1.exe
PID 32 wrote to memory of 3784	32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 32 wrote to memory of 3784	32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 32 wrote to memory of 3784	32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 3784 wrote to memory of 112	3784	cmd.exe	net.exe
PID 3784 wrote to memory of 112	3784	cmd.exe	net.exe
PID 3784 wrote to memory of 112	3784	cmd.exe	net.exe
PID 112 wrote to memory of 3760	112	net.exe	net1.exe
PID 112 wrote to memory of 3760	112	net.exe	net1.exe
PID 112 wrote to memory of 3760	112	net.exe	net1.exe
PID 32 wrote to memory of 3520	32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 32 wrote to memory of 3520	32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 32 wrote to memory of 3520	32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 3520 wrote to memory of 2572	3520	cmd.exe	net.exe
PID 3520 wrote to memory of 2572	3520	cmd.exe	net.exe
PID 3520 wrote to memory of 2572	3520	cmd.exe	net.exe
PID 2572 wrote to memory of 2912	2572	net.exe	net1.exe
PID 2572 wrote to memory of 2912	2572	net.exe	net1.exe
PID 2572 wrote to memory of 2912	2572	net.exe	net1.exe
PID 32 wrote to memory of 1508	32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 32 wrote to memory of 1508	32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 32 wrote to memory of 1508	32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 1508 wrote to memory of 3312	1508	cmd.exe	netsh.exe
PID 1508 wrote to memory of 3312	1508	cmd.exe	netsh.exe
PID 1508 wrote to memory of 3312	1508	cmd.exe	netsh.exe
PID 32 wrote to memory of 832	32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 32 wrote to memory of 832	32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 32 wrote to memory of 832	32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 832 wrote to memory of 2796	832	cmd.exe	netsh.exe
PID 832 wrote to memory of 2796	832	cmd.exe	netsh.exe
PID 832 wrote to memory of 2796	832	cmd.exe	netsh.exe
PID 32 wrote to memory of 2740	32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 32 wrote to memory of 2740	32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 32 wrote to memory of 2740	32	398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe	cmd.exe
PID 2740 wrote to memory of 512	2740	cmd.exe	net.exe
PID 2740 wrote to memory of 512	2740	cmd.exe	net.exe
PID 2740 wrote to memory of 512	2740	cmd.exe	net.exe
PID 512 wrote to memory of 3636	512	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe
"C:\Users\Admin\AppData\Local\Temp\398f2d4704aa884e676cf971b7cfaba82ce8b0d791b63b51c36bd76b4484cca7.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:32
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3932
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:2432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:3576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:4024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:1928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:3284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3784
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:112
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:3760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:2912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:3312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:2796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:512
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:3636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  PID:2792
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    PID:3748
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:2340
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:4004
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:4092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  PID:3544
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    PID:3420
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:3976

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 2308 -ip 2308
1⤵
PID:3344

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2308 -s 3108
1⤵
- Program crash
PID:3696

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2740

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3532

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:60
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 60 -s 4040
  2⤵
  - Program crash
  PID:2604

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 60 -ip 60
1⤵
PID:2372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db.[[email protected]][EBY0FPLKMI3NVS1].Horizon

MD5
56281bfe29309b574a01a97dd846bcb3

SHA1
4085e2c3f307c82f9577934261ac9817794ea634

SHA256
1c933fe50a8769dfe8e42b3d4a852c4afcd3d35698940c82c8615142a0463f69

SHA512
7403bd17e99d3789d2f5e1f6927dcd203354835a34fc89abf2c6a0f147f089b87f7bee7b9e44d5bfe101760e3553537318acb7a58b99b061e68d1385333bf8d3

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.[[email protected]][EBY0FPLKMI3NVS1].Horizon

MD5
fceb1a1e402a457732c43d5192c29609

SHA1
09ca8e8e0f334dc1cc9bd72fd8d1247da95d8433

SHA256
2701ca4f3cf3a01561ef31f00a260c5c8d6ef55a970f1956a7b14d625e50cc03

SHA512
916343d96e38515e0b82c324f00646d56b02e12555df31161aadf462e26a8b6b6ba25026d5acd84cf08924fb8c4aec01d97f202906bba4f82e19caa26c2bea4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{03BA58C4-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.[[email protected]][EBY0FPLKMI3NVS1].Horizon

MD5
9e20cd2c32af173cbb5532be507a4aae

SHA1
7b4464f913be6d2c164d5119eb14b8ea714f3d69

SHA256
8eaeee1fda99c43691dc044d4674fc2567d3d6149f3585d08011065ec3b7c2c3

SHA512
828bd28b536ce3f347ce40a9e87fbd0a0a27ac1ba87f203d38199933754ffd982d42e08f1871394d895524ff35b0a8b8aed92c923a122fe97ce523e5b1e8aca8

Download Submit