ouroboros | 3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451

Analysis

max time kernel
97s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
06-03-2022 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
Size

1.3MB
MD5

fd051c28d517d4a4cfaf09fe5c0f6b3e
SHA1

e960aee473dc56902276e1d91392fb04597f58df
SHA256

3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451
SHA512

06c0edd9e6cd88f71b4c5547b961b66b5b22ca78f45489f6f9f0c9a3caba1228f09ff7a58222fe14fc78ddf58f1a6ef4fa5a2cbf63cb9ec8c103073844b66397

Score

10^/10

ouroboros evasion ransomware spyware stealer

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\Cookies\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Public\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-790714498-1549421491-1643397139-1000\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

description	flow	ioc
HTTP URL	21	http://www.sfml-dev.org/ip-provider.php

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\regedit.exe	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt.[[email protected]][I0GR3KOWQXMS852].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.[[email protected]][I0GR3KOWQXMS852].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz.dll.[[email protected]][I0GR3KOWQXMS852].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN082.XML	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-util-lookup_ja.jar.[[email protected]][I0GR3KOWQXMS852].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-gb\ui-strings.js	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_zh_CN.properties	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\vlc.mo.[[email protected]][I0GR3KOWQXMS852].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsLargeTile.contrast-white_scale-200.png	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_should.help.txt	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll.[[email protected]][I0GR3KOWQXMS852].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OFFSYMSB.TTF	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\197.png	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Dark.scale-300.png	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-pl.xrm-ms.[[email protected]][I0GR3KOWQXMS852].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ppd.xrm-ms.[[email protected]][I0GR3KOWQXMS852].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fi-fi\ui-strings.js	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-40_altform-lightunplated.png	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\Assets\MediumTile.png	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\InkDiv.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core_zh_CN.jar	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-96_altform-fullcolor.png	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedStoreLogo.scale-100_contrast-white.png	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul.xrm-ms.[[email protected]][I0GR3KOWQXMS852].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\sat_logo_2x.png	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-pl.xrm-ms	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\Sticker.mp4	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-60_altform-colorize.png	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\WideTile.scale-100.png	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js.[[email protected]][I0GR3KOWQXMS852].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png.[[email protected]][I0GR3KOWQXMS852].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-180.png.[[email protected]][I0GR3KOWQXMS852].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-pl.xrm-ms	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN054.XML	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\msouc.exe	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageMedTile.scale-125_contrast-black.png	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-72.png	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\win32\jawt_md.h.[[email protected]][I0GR3KOWQXMS852].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBLR6.CHM	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL.[[email protected]][I0GR3KOWQXMS852].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN065.XML.[[email protected]][I0GR3KOWQXMS852].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\sv.pak.[[email protected]][I0GR3KOWQXMS852].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\FreeCell.Medium.png	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\WideTile.scale-200.png	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-100_contrast-black.png	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Resources\GetSMDL2.ttf	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\nexturl.ort.DATA	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_de_DE.jar	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\wmpnssci.dll.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-20_altform-unplated_contrast-white.png	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsBadge.contrast-white_scale-200.png	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailBadge.scale-400.png	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\[email protected]	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.zh_CN_5.5.0.165303.jar.[[email protected]][I0GR3KOWQXMS852].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.core_5.5.0.165303.jar.[[email protected]][I0GR3KOWQXMS852].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\index.html	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ahclient.dll.[[email protected]][I0GR3KOWQXMS852].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ppd.xrm-ms.[[email protected]][I0GR3KOWQXMS852].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_zh_CN.jar.[[email protected]][I0GR3KOWQXMS852].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins_1.1.200.v20131119-0908.jar.[[email protected]][I0GR3KOWQXMS852].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.w3c.dom.smil_1.0.0.v200806040011.jar.[[email protected]][I0GR3KOWQXMS852].hmmmmm	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\apppatch\pcamain.sdb	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Ink.Resources\6.1.0.0_en_31bf3856ad364e35\Microsoft.Ink.Resources.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\notepad.exe	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\win.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\GAC_32\srmlib\1.0.0.0__31bf3856ad364e35\srmlib.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Microsoft.Ink.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\Microsoft.Interop.Security.AzRoles.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\winhlp32.exe	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\appcompat\Programs\Amcache.hve	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\__AssemblyInfo__.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Microsoft.Ink.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\apppatch\de-DE\AcRes.dll.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\apppatch\es-ES\AcRes.dll.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\mib.bin	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\twain_32.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\apppatch\DirectXApps_FOD.sdb	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\srmlib.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\DtcInstall.log	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\lsasetup.log	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\MSCOMCTL.DLL	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\appcompat\Programs\Amcache.hve.LOG1	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\adodb.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\apppatch\drvmain.sdb	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.stdformat.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Ink.Resources\6.1.0.0_de_31bf3856ad364e35\Microsoft.Ink.Resources.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Ink.Resources\6.1.0.0_es_31bf3856ad364e35\Microsoft.Ink.Resources.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\Professional.xml	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\WindowsShell.Manifest	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\apppatch\msimain.sdb	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\msdatasrc.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\Microsoft.Interop.Security.AzRoles.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\bfsvc.exe	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\bootstat.dat	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\PFRO.log	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\splwow64.exe	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\explorer.exe	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\HelpPane.exe	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\addins\FXSEXT.ecf	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\apppatch\ja-JP\AcRes.dll.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\stdole.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\extensibility.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\WindowsUpdate.log	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Ink.Resources\6.1.0.0_it_31bf3856ad364e35\Microsoft.Ink.Resources.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\write.exe	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\pubpol23.dat	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\hh.exe	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\system.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\apppatch\fr-FR\AcRes.dll.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\apppatch\it-IT\AcRes.dll.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\WMSysPr9.prx	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\apppatch\sysmain.sdb	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\apppatch\frxmain.sdb	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\appcompat\Programs\Amcache.hve.LOG2	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\apppatch\AcRes.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\apppatch\en-US\AcRes.dll.mui	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\PublisherPolicy.tme	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Ink.Resources\6.1.0.0_fr_31bf3856ad364e35\Microsoft.Ink.Resources.dll	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe

Program crash 5 IoCs

pid	pid_target	Process	procid_target
3600	2532	WerFault.exe	30
2508	560	WerFault.exe	117
3892	3112	WerFault.exe	122
3444	736	WerFault.exe	126
2952	3736	WerFault.exe	129

NTFS ADS 27 IoCs

description	ioc	Process
File opened for modification	C:\Users\Default\Documents\My Videos\⏠Ċcr:<߸Ċ\㮀ĉ承矟NP눈Ċ	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\All Users\Desktop\Setup\ﺀȤC7:<琠Ď	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Default\Documents\My Music\⏠Ċcr:<߸Ċ\㚠ĉ承矟LN럠Ċ	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\All Users\Desktop\Setup\{A:<πĊ	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\All Users\Desktop\Setup\欐ĎC7:<ጰđ	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Default\Documents\My Pictures\⏠Ċcr:<߸Ċ\㻈č承矟RT䆠č	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Default\Documents\My Videos\榀Ďcr:<결Ċ\㯠ĉ楬ĎNP嫠Đ	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-790714498-1549421491-1643397139-1000\de8:繐č	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Default\Documents\My Pictures\Mi:<πĊ	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Default\Documents\My Videos\Mi:<πĊ	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Default\Documents\My Music\Mi:<絸č	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Default\Documents\My Pictures\Mi:<絸č	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Default\Documents\My Music\榀Ďcr:<결Ċ\㯠ĉ楬ĎLN庨Đ	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Default\Documents\My Pictures\榀Ďcr:<결Ċ\恸č楬ĎRT徨č	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\All Users\Desktop\Setup\{A:<ðĊ	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Default\Documents\My Music\Mi:<豈č	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Default\Documents\My Pictures\Mi:<豈č	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Default\Documents\My Videos\Mi:<豈č	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-790714498-1549421491-1643397139-1000\絸čsk8:糨č	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-790714498-1549421491-1643397139-1000\ĸĊsk8:ѐĊ	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-790714498-1549421491-1643397139-1000\de8:˨Ċ	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-790714498-1549421491-1643397139-1000\ܠĊsk8:ЈĊ	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-790714498-1549421491-1643397139-1000\de8:潀Ĉ	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Default\Documents\My Videos\Mi:<絸č	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\All Users\Desktop\Setup\拘ĐC7:<稘č	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\All Users\Desktop\Setup\{A:<ﶈĐ	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
File opened for modification	C:\Users\Default\Documents\My Music\Mi:<πĊ	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 1932	2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	57
PID 2848 wrote to memory of 1932	2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	57
PID 2848 wrote to memory of 1932	2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	57
PID 1932 wrote to memory of 3600	1932	cmd.exe	59
PID 1932 wrote to memory of 3600	1932	cmd.exe	59
PID 1932 wrote to memory of 3600	1932	cmd.exe	59
PID 3600 wrote to memory of 2092	3600	net.exe	60
PID 3600 wrote to memory of 2092	3600	net.exe	60
PID 3600 wrote to memory of 2092	3600	net.exe	60
PID 2848 wrote to memory of 2280	2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	64
PID 2848 wrote to memory of 2280	2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	64
PID 2848 wrote to memory of 2280	2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	64
PID 2848 wrote to memory of 3604	2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	66
PID 2848 wrote to memory of 3604	2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	66
PID 2848 wrote to memory of 3604	2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	66
PID 2848 wrote to memory of 2684	2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	68
PID 2848 wrote to memory of 2684	2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	68
PID 2848 wrote to memory of 2684	2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	68
PID 2848 wrote to memory of 1324	2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	70
PID 2848 wrote to memory of 1324	2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	70
PID 2848 wrote to memory of 1324	2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	70
PID 1324 wrote to memory of 2996	1324	cmd.exe	72
PID 1324 wrote to memory of 2996	1324	cmd.exe	72
PID 1324 wrote to memory of 2996	1324	cmd.exe	72
PID 2996 wrote to memory of 3060	2996	net.exe	73
PID 2996 wrote to memory of 3060	2996	net.exe	73
PID 2996 wrote to memory of 3060	2996	net.exe	73
PID 2848 wrote to memory of 3504	2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	74
PID 2848 wrote to memory of 3504	2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	74
PID 2848 wrote to memory of 3504	2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	74
PID 3504 wrote to memory of 3900	3504	cmd.exe	76
PID 3504 wrote to memory of 3900	3504	cmd.exe	76
PID 3504 wrote to memory of 3900	3504	cmd.exe	76
PID 3900 wrote to memory of 3396	3900	net.exe	77
PID 3900 wrote to memory of 3396	3900	net.exe	77
PID 3900 wrote to memory of 3396	3900	net.exe	77
PID 2848 wrote to memory of 1972	2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	78
PID 2848 wrote to memory of 1972	2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	78
PID 2848 wrote to memory of 1972	2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	78
PID 1972 wrote to memory of 4052	1972	cmd.exe	80
PID 1972 wrote to memory of 4052	1972	cmd.exe	80
PID 1972 wrote to memory of 4052	1972	cmd.exe	80
PID 4052 wrote to memory of 4048	4052	net.exe	81
PID 4052 wrote to memory of 4048	4052	net.exe	81
PID 4052 wrote to memory of 4048	4052	net.exe	81
PID 2848 wrote to memory of 3872	2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	82
PID 2848 wrote to memory of 3872	2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	82
PID 2848 wrote to memory of 3872	2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	82
PID 3872 wrote to memory of 3204	3872	cmd.exe	84
PID 3872 wrote to memory of 3204	3872	cmd.exe	84
PID 3872 wrote to memory of 3204	3872	cmd.exe	84
PID 2848 wrote to memory of 3320	2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	87
PID 2848 wrote to memory of 3320	2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	87
PID 2848 wrote to memory of 3320	2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	87
PID 3320 wrote to memory of 1756	3320	cmd.exe	89
PID 3320 wrote to memory of 1756	3320	cmd.exe	89
PID 3320 wrote to memory of 1756	3320	cmd.exe	89
PID 2848 wrote to memory of 100	2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	91
PID 2848 wrote to memory of 100	2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	91
PID 2848 wrote to memory of 100	2848	3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe	91
PID 100 wrote to memory of 204	100	cmd.exe	93
PID 100 wrote to memory of 204	100	cmd.exe	93
PID 100 wrote to memory of 204	100	cmd.exe	93
PID 204 wrote to memory of 2188	204	net.exe	94

C:\Users\Admin\AppData\Local\Temp\3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe
"C:\Users\Admin\AppData\Local\Temp\3b7c7a6b8bcde4a4f5ee586fea46d1bb77da42caf2d5d0d48767615e2ddef451.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3600
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:2092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:2280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:3604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:2684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:3060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3900
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:3396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4052
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:4048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:3204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:1756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:100
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:204
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:2188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  PID:1508
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    PID:4040
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:2900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:1648
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:1512
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  PID:1920
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    PID:2040
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:2988

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 2532 -ip 2532
1⤵
PID:2128

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2532 -s 3224
1⤵
- Program crash
PID:3600

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1932

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3448

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:560
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 560 -s 3288
  2⤵
  - Program crash
  PID:2508

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 560 -ip 560
1⤵
PID:3764

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3112
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3112 -s 4212
  2⤵
  - Program crash
  PID:3892

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 504 -p 3112 -ip 3112
1⤵
PID:3620

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:736
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 736 -s 3912
  2⤵
  - Program crash
  PID:3444

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 736 -ip 736
1⤵
PID:2464

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3736
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3736 -s 4332
  2⤵
  - Program crash
  PID:2952

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 3736 -ip 3736
1⤵
PID:3116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3736-244-0x0000019BF8121000-0x0000019BF8122000-memory.dmp

Filesize
4KB

Download
memory/3736-245-0x0000019BF8121000-0x0000019BF8122000-memory.dmp

Filesize
4KB

Download