ouroboros | 3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451

Analysis

max time kernel
4294115s
max time network
125s
platform
windows7_x64
resource
win7-20220223-en
submitted
06-03-2022 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
Size

1.3MB
MD5

fd051c28d517d4a4cfaf09fe5c0f6b3e
SHA1

e960aee473dc56902276e1d91392fb04597f58df
SHA256

3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451
SHA512

06c0edd9e6cd88f71b4c5547b961b66b5b22ca78f45489f6f9f0c9a3caba1228f09ff7a58222fe14fc78ddf58f1a6ef4fa5a2cbf63cb9ec8c103073844b66397

Score

10^/10

ouroboros evasion ransomware spyware stealer

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros

Drops file in Drivers directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\WatchRename.tiff	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\Pictures\BackupOpen.tiff	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe

Loads dropped DLL 13 IoCs

pid	Process
1644	msiexec.exe
1644	msiexec.exe
1644	msiexec.exe
1644	msiexec.exe
1644	msiexec.exe
1644	msiexec.exe
1644	msiexec.exe
1644	msiexec.exe
1644	msiexec.exe
1396	MsiExec.exe
1396	MsiExec.exe
1396	MsiExec.exe
1396	MsiExec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Cookies\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File created	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\M7YMRK48\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File created	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File created	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File created	C:\Program Files\Microsoft Games\Chess\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I7HKSP8D\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Media\Heritage\Desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File created	C:\Program Files\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Media\Garden\Desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File created	C:\Program Files\Microsoft Games\Hearts\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SNCNYYOH\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Media\Savanna\Desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KV8PQJCO\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Media\Raga\Desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

description	flow	ioc
HTTP URL	3	http://www.sfml-dev.org/ip-provider.php

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-UIAnimation-WinIP-Package~31bf3856ad364e35~amd64~ko-KR~7.1.7601.16492.cat	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ph3xibc7.inf_amd64_neutral_348f512722c79525\Ph3xIB64MV.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky006.inf_amd64_neutral_522043c34551b0c0\Amd64\KYKC6950.PPD	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\prnle004.inf_loc	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~th-TH~7.1.7601.16492.cat	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomePremiumE\license.rtf	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmlasno.inf_amd64_neutral_c86d5b5e5fa8b48a\mdmlasno.inf	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ph3xibc6.inf_amd64_neutral_2818f7b3b62bdd39\ph3xibc6.PNF	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smf4x8.ppd	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\msra.exe	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\NlsLexicons004c.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\l2nacp.dll.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\Dism\it-IT\SmiProvider.dll.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmcpq.inf_amd64_neutral_fbc4a14a6a13d0c8\mdmcpq.PNF	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVP13.GPD	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa310t.xml	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsv003.inf_amd64_neutral_1e0c4fbb9b11b015\Amd64\SV36N6.GPD	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\setupugc.exe	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\mdmcxpv6.inf_loc	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\BrmfcWia.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00b.inf_amd64_neutral_2e6b718b2b177506\Amd64\EP0NOEUM.DXT	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\inetcomm.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SimpleTCP-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.cat	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmeiger.inf_amd64_neutral_492d4e047d14bde9\mdmeiger.PNF	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnr003.inf_amd64_neutral_c07c33bfb5764bdb\Amd64\NR13506.GPD	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\NlsData081a.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\pwrshplugin.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\DfrgUI.exe.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\sffdisk.inf_loc	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngt002.inf_amd64_neutral_df2060d80de9ff13\Amd64\GS4000.GPD	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WMPNetworkSharingService-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\volume.inf_loc	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVP1S.GPD	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\mssign32.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\NetworkExplorer.dll.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\sqlsrv32.rll.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\webclnt.dll.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\multiprt.inf_loc	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00c.inf_amd64_neutral_f0d9ddf52f04765c\Amd64\EP0NGE8T.GPD	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnr004.inf_amd64_neutral_3319ff2548f89fd8\Amd64\NR4181E3.PPD	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~zh-CN~7.1.7601.16492.cat	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\Dism\DismProv.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky002.inf_amd64_neutral_525d9740c77e325f\Amd64\KYC2525E.PPD	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\certutil.exe	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\ole2.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Wired-Network-Drivers-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.cat	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Shell-WinIP-Package~31bf3856ad364e35~amd64~cs-CZ~7.1.7601.16492.cat	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-WinIP-Package~31bf3856ad364e35~amd64~el-GR~7.1.7601.16492.cat	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\usbceip.dll.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmzyxlg.inf_amd64_neutral_14f9249844f1cf17\mdmzyxlg.PNF	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00g.inf_amd64_neutral_6f76b14b2912fa55\Amd64\CNBBR282.DLL	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVR14.DLL	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx00w.inf_amd64_neutral_d4c93bb2fbf75723\prnlx00w.PNF	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiaca00e.inf_amd64_neutral_5a376e6a7cb007d5\CNHL960.DLL	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\ROUTE.EXE	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\mctres.dll.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\net1qx64.inf_loc	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\netg664.inf_loc	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\TransferCable.inf_loc	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep004.inf_amd64_neutral_63b22bfb6b93eaba\Amd64\EP7MDL12.GPD	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc007.inf_amd64_neutral_2df575afa0f7d35f\Amd64\RI1432E3.PPD	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\SysWOW64\KBDDIV1.DLL	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.security_8.1.14.v20131031.jar	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.identity_3.4.0.v20140827-1444.jar.[[email protected]][R27CDAV8OLQEI4W].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Utilities.v3.5.resources.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105506.WMF	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GREETING.XML	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090087.WMF.[[email protected]][R27CDAV8OLQEI4W].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Java\jre7\lib\calendars.properties	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.continuation_8.1.14.v20131031.jar.[[email protected]][R27CDAV8OLQEI4W].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\calendar.js	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21399_.GIF	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\PRODIGY.NET.XML	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN02122_.WMF.[[email protected]][R27CDAV8OLQEI4W].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02749U.BMP.[[email protected]][R27CDAV8OLQEI4W].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSTORYVERT.XML	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\Microsoft.Office.InfoPath.xml.[[email protected]][R27CDAV8OLQEI4W].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099203.GIF.[[email protected]][R27CDAV8OLQEI4W].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Tahiti.[[email protected]][R27CDAV8OLQEI4W].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-back-static.png	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\hxdsui.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Apex.eftx.[[email protected]][R27CDAV8OLQEI4W].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\flyout.css	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01659_.WMF.[[email protected]][R27CDAV8OLQEI4W].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_ja_4.4.0.v20140623020002.jar.[[email protected]][R27CDAV8OLQEI4W].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_pressed.png	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-right.png	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll.[[email protected]][R27CDAV8OLQEI4W].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01635_.WMF.[[email protected]][R27CDAV8OLQEI4W].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386267.JPG.[[email protected]][R27CDAV8OLQEI4W].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Shanghai.[[email protected]][R27CDAV8OLQEI4W].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sampler.xml	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml.[[email protected]][R27CDAV8OLQEI4W].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01196_.WMF	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03257_.WMF	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Oriel.thmx	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VISSHE.DLL.[[email protected]][R27CDAV8OLQEI4W].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\SmallLogo.png.[[email protected]][R27CDAV8OLQEI4W].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml.[[email protected]][R27CDAV8OLQEI4W].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_decreaseindent.gif	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Niue.[[email protected]][R27CDAV8OLQEI4W].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\THMBNAIL.PNG.[[email protected]][R27CDAV8OLQEI4W].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099188.JPG.[[email protected]][R27CDAV8OLQEI4W].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\ResetOpen.mhtml	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe.[[email protected]][R27CDAV8OLQEI4W].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\BCSAddin.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_zh_CN.jar	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\settings.html	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341448.JPG	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE06450_.WMF	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Bucharest.[[email protected]][R27CDAV8OLQEI4W].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\Office64MUI.XML.[[email protected]][R27CDAV8OLQEI4W].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0318804.WMF.[[email protected]][R27CDAV8OLQEI4W].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01235U.BMP.[[email protected]][R27CDAV8OLQEI4W].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01585_.WMF	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE01661_.WMF	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Waveform.eftx	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Solstice.xml	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NL7MODELS000A.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL_F_COL.HXK	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected].[[email protected]][R27CDAV8OLQEI4W].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC.DLL	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.[[email protected]][R27CDAV8OLQEI4W].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Mawson.[[email protected]][R27CDAV8OLQEI4W].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-print.jar	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\UninstallMembership.sql	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Speech\Engines\SR\fr-FR\AF031036.am	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package~31bf3856ad364e35~amd64~tr-TR~7.1.7601.16492.mum	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-SearchEngine-Client-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.cat	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Boot\Fonts\chs_boot.ttf	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\inf\eaphost.inf	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\inf\elxstor.PNF	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\inf\gameport.inf	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\manageSingleRole.aspx.fr.resx	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\de\SMDiagnostics.resources.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~lv-LV~7.1.7601.16492.mum	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~uk-UA~7.1.7601.16492.mum	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\PresentationCore.resources\3.0.0.0_ja_31bf3856ad364e35\PresentationCore.resources.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio080b339b#\85025ab2ff0d9e3bcdca656fba54318f\PresentationBuildTasks.ni.dll.aux	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\inf\nulhpopr.PNF	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0000000010\9.0.0\ul_msvcm80.dll.98CB24AD_52FB_DB5F_FF1F_C8B3B9A1E18E	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\1040\cscompui.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\es\Regasm.resources.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Help\Windows\fr-FR\mobile.h1s	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\_DataOracleClientPerfCounters_shared12_neutral.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-UIAnimation-WinIP-Package~31bf3856ad364e35~amd64~nl-NL~7.1.7601.16492.cat	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Windows-WinIP-Package~31bf3856ad364e35~amd64~pt-BR~7.1.7601.16492.mum	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\IME\IMESC5\DICTS\PINTLGL.IMD	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\inf\netrtx64.inf	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.Composition\v4.0_4.0.0.0__b77a5c561934e089\System.ComponentModel.Composition.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\PolicyDefinitions\TaskScheduler.admx	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Boot\EFI\nb-NO\bootmgfw.efi.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Help\Windows\fr-FR\library.H1S	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\inf\prnky005.inf	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp.aspx.resx	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Gadget-Platform-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.cat	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package~31bf3856ad364e35~amd64~hi-IN~7.1.7601.16492.cat	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5cb9c182#\df5d78a6328636a4ff7bc7992531d6d0\System.Windows.Forms.DataVisualization.Design.ni.dll.aux	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\it\Microsoft.Build.Engine.resources.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Workd8194f73#\3a72bcdeaedff46fde259a6cefb7062d\System.WorkflowServices.ni.dll.aux	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\error.aspx.fr.resx	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Prefetch\MSCORSVW.EXE-245ED79E.pf	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-InternetExplorer-Optional-Package-wrapper~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Security.resources\2.0.0.0_ja_b03f5f7f11d50a3a\System.Security.Resources.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Fonts\upckb.ttf	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Help\Windows\ja-JP\appwin.h1s	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp.aspx.resx	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Common-Drivers-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.mum	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-IIS-WebServer-AddOn-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1288d7e030bc0c5d8b2cbe5f33aeed7f\System.Data.ni.dll.aux	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Help\Windows\fr-FR\sniptoo.h1s	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.DurableInstancing.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-RecDisc-SDP-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.cat	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0\9.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\inf\mdmgl004.PNF	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Security.aspx.fr.resx	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-BLB-Client-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.cat	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-NetFx3-OC-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Net.WebHeaderCollection.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Providers\App_LocalResources\providerList.ascx.resx	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-WinOcr-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.cat	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\prc.nlp	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Help\mui\0407\connmgr.CHM	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\JA\caspol.resources.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\_dataperfcounters_shared12_neutral.h	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\SystemResourceManager.adml	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\PolicyDefinitions\es-ES\FramePanes.adml	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\servicing\Packages\Networking-MPSSVC-Rules-UltimateEdition-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1520	1980	WerFault.exe	26

Runs net.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
1644	msiexec.exe
1644	msiexec.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeRestorePrivilege	1644	msiexec.exe
Token: SeTakeOwnershipPrivilege	1644	msiexec.exe
Token: SeSecurityPrivilege	1644	msiexec.exe
Token: SeRestorePrivilege	1644	msiexec.exe
Token: SeTakeOwnershipPrivilege	1644	msiexec.exe
Token: SeRestorePrivilege	1644	msiexec.exe
Token: SeTakeOwnershipPrivilege	1644	msiexec.exe
Token: SeRestorePrivilege	1644	msiexec.exe
Token: SeTakeOwnershipPrivilege	1644	msiexec.exe
Token: SeRestorePrivilege	1644	msiexec.exe
Token: SeTakeOwnershipPrivilege	1644	msiexec.exe
Token: SeRestorePrivilege	1644	msiexec.exe
Token: SeTakeOwnershipPrivilege	1644	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1836	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	28
PID 1980 wrote to memory of 1836	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	28
PID 1980 wrote to memory of 1836	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	28
PID 1980 wrote to memory of 1836	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	28
PID 1836 wrote to memory of 572	1836	cmd.exe	30
PID 1836 wrote to memory of 572	1836	cmd.exe	30
PID 1836 wrote to memory of 572	1836	cmd.exe	30
PID 1836 wrote to memory of 572	1836	cmd.exe	30
PID 572 wrote to memory of 684	572	net.exe	31
PID 572 wrote to memory of 684	572	net.exe	31
PID 572 wrote to memory of 684	572	net.exe	31
PID 572 wrote to memory of 684	572	net.exe	31
PID 1980 wrote to memory of 460	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	32
PID 1980 wrote to memory of 460	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	32
PID 1980 wrote to memory of 460	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	32
PID 1980 wrote to memory of 460	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	32
PID 1980 wrote to memory of 860	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	34
PID 1980 wrote to memory of 860	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	34
PID 1980 wrote to memory of 860	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	34
PID 1980 wrote to memory of 860	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	34
PID 1980 wrote to memory of 1104	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	36
PID 1980 wrote to memory of 1104	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	36
PID 1980 wrote to memory of 1104	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	36
PID 1980 wrote to memory of 1104	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	36
PID 1980 wrote to memory of 864	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	38
PID 1980 wrote to memory of 864	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	38
PID 1980 wrote to memory of 864	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	38
PID 1980 wrote to memory of 864	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	38
PID 864 wrote to memory of 1784	864	cmd.exe	40
PID 864 wrote to memory of 1784	864	cmd.exe	40
PID 864 wrote to memory of 1784	864	cmd.exe	40
PID 864 wrote to memory of 1784	864	cmd.exe	40
PID 1784 wrote to memory of 616	1784	net.exe	41
PID 1784 wrote to memory of 616	1784	net.exe	41
PID 1784 wrote to memory of 616	1784	net.exe	41
PID 1784 wrote to memory of 616	1784	net.exe	41
PID 1980 wrote to memory of 1140	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	42
PID 1980 wrote to memory of 1140	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	42
PID 1980 wrote to memory of 1140	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	42
PID 1980 wrote to memory of 1140	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	42
PID 1140 wrote to memory of 432	1140	cmd.exe	44
PID 1140 wrote to memory of 432	1140	cmd.exe	44
PID 1140 wrote to memory of 432	1140	cmd.exe	44
PID 1140 wrote to memory of 432	1140	cmd.exe	44
PID 432 wrote to memory of 1272	432	net.exe	45
PID 432 wrote to memory of 1272	432	net.exe	45
PID 432 wrote to memory of 1272	432	net.exe	45
PID 432 wrote to memory of 1272	432	net.exe	45
PID 1980 wrote to memory of 1120	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	46
PID 1980 wrote to memory of 1120	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	46
PID 1980 wrote to memory of 1120	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	46
PID 1980 wrote to memory of 1120	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	46
PID 1120 wrote to memory of 824	1120	cmd.exe	49
PID 1120 wrote to memory of 824	1120	cmd.exe	49
PID 1120 wrote to memory of 824	1120	cmd.exe	49
PID 1120 wrote to memory of 824	1120	cmd.exe	49
PID 824 wrote to memory of 1096	824	net.exe	48
PID 824 wrote to memory of 1096	824	net.exe	48
PID 824 wrote to memory of 1096	824	net.exe	48
PID 824 wrote to memory of 1096	824	net.exe	48
PID 1980 wrote to memory of 1384	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	50
PID 1980 wrote to memory of 1384	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	50
PID 1980 wrote to memory of 1384	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	50
PID 1980 wrote to memory of 1384	1980	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	50

C:\Users\Admin\AppData\Local\Temp\3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
"C:\Users\Admin\AppData\Local\Temp\3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:572
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:1104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:432
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:1384
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:1396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  PID:920
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:1344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  PID:1284
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    PID:1560
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:1408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  PID:1584
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    PID:772
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:760
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:896
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  PID:1320
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    PID:840
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:1460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 380
  2⤵
  - Program crash
  PID:1520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vds
1⤵
PID:1096

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D03C0324BA2700D95E9FC117172471A3
  2⤵
  - Loads dropped DLL
  PID:1396
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding F8B65E918EDCFC468554DCA572293052
  2⤵
  PID:1632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1396-54-0x0000000075641000-0x0000000075643000-memory.dmp

Filesize
8KB

Download
memory/1644-56-0x000007FEFB981000-0x000007FEFB983000-memory.dmp

Filesize
8KB

Download