ouroboros | 5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd

Analysis

max time kernel
4294110s
max time network
120s
platform
windows7_x64
resource
win7-20220223-en
submitted
06-03-2022 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
Size

1.3MB
MD5

516b7b7da67d36d1311350f751801e0b
SHA1

40964f706ff4ac8a8556ba8fde00c13684347057
SHA256

5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd
SHA512

cc61eb27f69cfd97cf23d87ad46df8c0042caceca2c14010c2d6e84ba9560a9b83a07c28bb404f8c32eae9b1092012412f9a7377620854ee35e1276fa2a1460a

Score

10^/10

ouroboros evasion ransomware spyware stealer

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros

Drops file in Drivers directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ApproveSearch.tiff	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files\Microsoft Games\Chess\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\$Recycle.Bin\S-1-5-21-1405931862-909307831-4085185274-1000\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files (x86)\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KV8PQJCO\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\Media\Savanna\Desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\Media\Delta\Desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files\Microsoft Games\Hearts\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\Media\Quirky\Desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\Media\Afternoon\Desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AZW6OKHO\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SNCNYYOH\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

description	flow	ioc
HTTP URL	3	http://www.sfml-dev.org/ip-provider.php

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00i.inf_amd64_neutral_09ff5ee0a0cf0233\Amd64\CNB_0334.DLL	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00b.inf_amd64_neutral_2e6b718b2b177506\Amd64\EP0NCAUC.CMB	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\netathrx.inf_loc	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\mfplat.dll.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\rastls.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\els.dll.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\TransferCable.inf_loc	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\prnlx003.inf_loc	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngt003.inf_amd64_neutral_8c9aae54a5673a35\Amd64\GSC20006.GPD	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnin002.inf_amd64_neutral_977d40799168c216\Amd64\IF4000.GPD	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\kscaptur.inf_loc	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\msports.inf_loc	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\en-US\AdapterTroubleshooter.exe.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\raschap.dll.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\wiascanprofiles.dll.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\averhbh826_noaverir_x64.inf_amd64_neutral_2fe3b14136d6e46d\AVerFx2hbtv64.sys	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00g.inf_amd64_neutral_6f76b14b2912fa55\Amd64\CNB7UECA.ICM	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_neutral_4616c3de1949be6d\Amd64\PCLXL.DLL	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiaca00b.inf_amd64_neutral_1aaa057d3d52ea43\CNC172DD.TBL	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\openfiles.exe.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\wbem\it-IT\PolicMan.mfl	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\iscsium.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\compmgmt.msc	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\avmx64c.inf_loc	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_neutral_9fe8503f82ce60fa\prnms001.Inf	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\ikeext.dll.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\wbem\de-DE\hbaapi.mfl	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\wbem\ja-JP\rdpencom.mfl	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\nlhtml.dll.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPW1000T.GPD	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{522f6bf6-ae20-0f66-d982-a746d010852a}\prnms001.cat	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\MFC40u.dll.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\spp\tokens\ppdlic\feclient-ppdlic.xrm-ms	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\scansetting.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Base-WinIP-Package~31bf3856ad364e35~amd64~hu-HU~7.1.7601.16492.cat	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\aelupsvc.dll.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-UsbRedirector-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00f.inf_amd64_neutral_a5f6001b957bd7e0\Amd64\EP0NGJ8C.GPD	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\prnge001.inf_loc	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\rstrtmgr.dll.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\mydocs.dll.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\perfhost.exe	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\SessEnv.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wvmbus.inf_amd64_neutral_fca91999602b0343\wvmbus.inf	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\mchgr.inf_loc	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\dc21x4vm.inf_loc	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Vault.dll.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\en-US\netcfgx.dll.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\_Default\HomeBasicN\license.rtf	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\display.inf_loc	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc007.inf_amd64_neutral_2df575afa0f7d35f\Amd64\RI4231E3.PPD	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\vsmraid.inf_loc	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\icm32.dll.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\msxml6r.dll.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\certreq.exe.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Break.help.txt	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\KBDYBA.DLL	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\cxfalcon_ibv64.inf_amd64_neutral_d065aec3fcf4ec4e\cpnotify_IBV64.ax	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\srclient.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MobilePC-Client-Premium-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\cxraptor_fm1236mk5_ibv64.inf_amd64_neutral_b81bec917adfaea5\cxraptor.rom	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\vds.exe.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386267.JPG	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ContactPicker.dll.[[email protected]][8W2KH6JGBRF9YC1].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBCAL.DPV.[[email protected]][8W2KH6JGBRF9YC1].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.[[email protected]][8W2KH6JGBRF9YC1].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.el_2.2.0.v201303151357.jar.[[email protected]][8W2KH6JGBRF9YC1].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.rcp_4.3.100.v20141007-2301.jar.[[email protected]][8W2KH6JGBRF9YC1].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00956_.WMF	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105266.WMF	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveIntlResource.dll.[[email protected]][8W2KH6JGBRF9YC1].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\RSSFeeds.html	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Internet Explorer\JSProfilerCore.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rio_Branco.[[email protected]][8W2KH6JGBRF9YC1].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00267_.WMF	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk_1.0.300.v20140407-1803.jar	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Java\jre7\lib\meta-index.[[email protected]][8W2KH6JGBRF9YC1].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsDoNotTrust.html	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Midway.[[email protected]][8W2KH6JGBRF9YC1].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\nio.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\vlc.mo	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console_1.0.300.v20131113-1212.jar.[[email protected]][8W2KH6JGBRF9YC1].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\messageboxinfo.ico	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_i420_plugin.dll.[[email protected]][8W2KH6JGBRF9YC1].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml.[[email protected]][8W2KH6JGBRF9YC1].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\larrow.gif	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kamchatka.[[email protected]][8W2KH6JGBRF9YC1].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libdca_plugin.dll.[[email protected]][8W2KH6JGBRF9YC1].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199429.WMF	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02074_.GIF	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mset7en.kic	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR21F.GIF	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01358_.WMF.[[email protected]][8W2KH6JGBRF9YC1].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_zh_4.4.0.v20140623020002.jar	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\ReachFramework.resources.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\currency.html	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_de.properties.[[email protected]][8W2KH6JGBRF9YC1].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\7.png	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145168.JPG.[[email protected]][8W2KH6JGBRF9YC1].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103058.WMF.[[email protected]][8W2KH6JGBRF9YC1].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Wallis.[[email protected]][8W2KH6JGBRF9YC1].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8.[[email protected]][8W2KH6JGBRF9YC1].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_gather_plugin.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00236_.WMF	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_ja.jar.[[email protected]][8W2KH6JGBRF9YC1].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\BLUECALM.INF.[[email protected]][8W2KH6JGBRF9YC1].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04269_.WMF.[[email protected]][8W2KH6JGBRF9YC1].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-windows.jar	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\updater_zh_CN.jar	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.[[email protected]][8W2KH6JGBRF9YC1].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\TableTextService.dll.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152560.WMF	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe.[[email protected]][8W2KH6JGBRF9YC1].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar.[[email protected]][8W2KH6JGBRF9YC1].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\cpu.js	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OLMAPI32.DLL.[[email protected]][8W2KH6JGBRF9YC1].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\instrument.dll.[[email protected]][8W2KH6JGBRF9YC1].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\MOFL.DLL	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107090.WMF.[[email protected]][8W2KH6JGBRF9YC1].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\El_Aaiun.[[email protected]][8W2KH6JGBRF9YC1].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Tripoli	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services_1.1.0.v20140328-1925.jar.[[email protected]][8W2KH6JGBRF9YC1].Spade	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\slideShow.css	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Cursors\aero_working.ani	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\PolicyDefinitions\it-IT\ReAgent.adml	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\servicing\Packages\Server-Help-Package.ClientUltimate~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.cat	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-WinIP-Package~31bf3856ad364e35~amd64~es-ES~7.1.7601.16492.mum	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessApplications.Tools.Intl\14.0.0.0__71e9bce111e9429c\Microsoft.Office.BusinessApplications.Tools.Intl.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\Cursors\aero_up.cur	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\RacWmiProv.adml	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Branding-Ultimate-Client-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-WMPNetworkSharingService-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.cat	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~lt-LT~7.1.7601.16492.mum	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\Media\Festival\Windows Default.wav	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.IdentityModel.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\Help\Windows\fr-FR\itpro.h1s	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Printer-Drivers-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.mum	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a6349c#\d7f5c5b7ad6ae9510514a279c1cb5665\PresentationFramework-SystemCore.ni.dll.aux	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\inf\nettun.PNF	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\SmtpSettings.aspx.it.resx	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\PolicyDefinitions\es-ES\AppCompat.adml	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\Help\Windows\fr-FR\ics.h1s	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\IME\SPTIP.DLL	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\Media\Savanna\Windows Hardware Insert.wav	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections.Concurrent\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.Concurrent.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\GAC\ja\Microsoft.VisualBasic.Compatibility.Data.resources.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Core.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\PolicyDefinitions\it-IT\Msi-FileRecovery.adml	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~hi-IN~7.1.7601.16492.cat	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources\1.0.0.0_de_31bf3856ad364e35\Microsoft.PowerShell.Security.Resources.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Extensions.Design.resources\3.5.0.0_fr_31bf3856ad364e35\System.Web.Extensions.Design.Resources.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\servicing\Sessions\30943406_4020139824.back.xml	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\da5da08245467818759aa44c4eb948e1\System.Web.ni.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\servicing\Sessions\30943406_2204841824.back.xml	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\PolicyDefinitions\Logon.admx	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\inf\BITS\0409\bitsctrs.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\findUsers.aspx.es.resx	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\inf\wsearchidxpi\040C\idxcntrs.ini	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-SearchEngine-Client-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.mum	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\Fonts\8514oem.fon	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\inf\cxfalcon_ibv64.PNF	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\inf\prnep00c.PNF	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\inf\prnky004.PNF	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe.config	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\system.runtime.serialization.resources\3.0.0.0_fr_b77a5c561934e089\System.RunTime.Serialization.Resources.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\lv-LV_BitLockerToGo.exe.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\Help\Windows\it-IT\uap.h1s	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\Fonts\moolbor.ttf	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\1036\cscompui.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Providers\App_LocalResources\chooseProviderManagement.aspx.ja.resx	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\PolicyDefinitions\es-ES\WindowsAnytimeUpgrade.adml	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\PolicyDefinitions\fr-FR\EnhancedStorage.adml	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Help-CoreClientUAUE-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.cat	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~amd64~en-US~8.0.7601.17514.mum	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\system.io.log.resources\3.0.0.0_de_b03f5f7f11d50a3a\System.IO.Log.Resources.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\Help\Windows\it-IT\shgloss.h1s	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\inf\prnlx00b.PNF	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\Boot\EFI\zh-TW\bootmgfw.efi.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\Fonts\vgasys.fon	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\SOS.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationUI.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Data.OracleClient.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.22cc68a8#\b1309c53c740b2e181af9534078005c0\System.Net.Http.WebRequest.ni.dll	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\es-ES\bfsvc.exe.mui	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
File opened for modification	C:\Windows\Help\mui\0410\sua.CHM	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
572	476	WerFault.exe	26

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 476 wrote to memory of 1740	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	28
PID 476 wrote to memory of 1740	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	28
PID 476 wrote to memory of 1740	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	28
PID 476 wrote to memory of 1740	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	28
PID 1740 wrote to memory of 1224	1740	cmd.exe	30
PID 1740 wrote to memory of 1224	1740	cmd.exe	30
PID 1740 wrote to memory of 1224	1740	cmd.exe	30
PID 1740 wrote to memory of 1224	1740	cmd.exe	30
PID 1224 wrote to memory of 1240	1224	net.exe	31
PID 1224 wrote to memory of 1240	1224	net.exe	31
PID 1224 wrote to memory of 1240	1224	net.exe	31
PID 1224 wrote to memory of 1240	1224	net.exe	31
PID 476 wrote to memory of 540	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	32
PID 476 wrote to memory of 540	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	32
PID 476 wrote to memory of 540	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	32
PID 476 wrote to memory of 540	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	32
PID 476 wrote to memory of 836	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	34
PID 476 wrote to memory of 836	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	34
PID 476 wrote to memory of 836	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	34
PID 476 wrote to memory of 836	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	34
PID 476 wrote to memory of 560	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	36
PID 476 wrote to memory of 560	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	36
PID 476 wrote to memory of 560	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	36
PID 476 wrote to memory of 560	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	36
PID 476 wrote to memory of 1536	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	38
PID 476 wrote to memory of 1536	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	38
PID 476 wrote to memory of 1536	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	38
PID 476 wrote to memory of 1536	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	38
PID 1536 wrote to memory of 1956	1536	cmd.exe	40
PID 1536 wrote to memory of 1956	1536	cmd.exe	40
PID 1536 wrote to memory of 1956	1536	cmd.exe	40
PID 1536 wrote to memory of 1956	1536	cmd.exe	40
PID 1956 wrote to memory of 1084	1956	net.exe	41
PID 1956 wrote to memory of 1084	1956	net.exe	41
PID 1956 wrote to memory of 1084	1956	net.exe	41
PID 1956 wrote to memory of 1084	1956	net.exe	41
PID 476 wrote to memory of 392	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	42
PID 476 wrote to memory of 392	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	42
PID 476 wrote to memory of 392	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	42
PID 476 wrote to memory of 392	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	42
PID 392 wrote to memory of 1948	392	cmd.exe	44
PID 392 wrote to memory of 1948	392	cmd.exe	44
PID 392 wrote to memory of 1948	392	cmd.exe	44
PID 392 wrote to memory of 1948	392	cmd.exe	44
PID 1948 wrote to memory of 1352	1948	net.exe	45
PID 1948 wrote to memory of 1352	1948	net.exe	45
PID 1948 wrote to memory of 1352	1948	net.exe	45
PID 1948 wrote to memory of 1352	1948	net.exe	45
PID 476 wrote to memory of 1936	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	46
PID 476 wrote to memory of 1936	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	46
PID 476 wrote to memory of 1936	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	46
PID 476 wrote to memory of 1936	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	46
PID 1936 wrote to memory of 1552	1936	cmd.exe	48
PID 1936 wrote to memory of 1552	1936	cmd.exe	48
PID 1936 wrote to memory of 1552	1936	cmd.exe	48
PID 1936 wrote to memory of 1552	1936	cmd.exe	48
PID 1552 wrote to memory of 1848	1552	net.exe	49
PID 1552 wrote to memory of 1848	1552	net.exe	49
PID 1552 wrote to memory of 1848	1552	net.exe	49
PID 1552 wrote to memory of 1848	1552	net.exe	49
PID 476 wrote to memory of 1184	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	50
PID 476 wrote to memory of 1184	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	50
PID 476 wrote to memory of 1184	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	50
PID 476 wrote to memory of 1184	476	5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe	50

C:\Users\Admin\AppData\Local\Temp\5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe
"C:\Users\Admin\AppData\Local\Temp\5a8d70b92e868f4f0ffb76f242dbf83a8816f704f523202a924a913f10a247fd.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:1240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:1084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1552
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:1848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:1184
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  PID:604
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  PID:1132
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    PID:1200
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:1724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    PID:1972
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:1984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:908
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:1732
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:2028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  PID:1440
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    PID:1620
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:1668
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 476 -s 592
  2⤵
  - Program crash
  PID:572