ouroboros | b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f

Analysis

max time kernel
4294123s
max time network
124s
platform
windows7_x64
resource
win7-20220223-en
submitted
06-03-2022 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
Size

994KB
MD5

c43c4e32d8f30c6c63aea0d6dc5c11cd
SHA1

93d1bc3f0b9e03a43bcf789928ac12ecdea24588
SHA256

b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f
SHA512

95566d9f393e5bb9ab44834841e757eeb4c326ec454ce34e955e20b499d3ff8a5585fb91abb6ac1043fd76ad6942e447f9d36a353895a74654ce73bf74452d52

Score

10^/10

ouroboros evasion ransomware spyware stealer

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 4 IoCs

Processes:

b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

Processes:

b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe

description	ioc	process
File created	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Users\Public\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Users\Public\Videos\Sample Videos\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Admin\Cookies\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Users\Public\Documents\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Users\Admin\Saved Games\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Users\Admin\Favorites\Links\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Media\Desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Media\Cityscape\Desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Users\Admin\Favorites\Links for United States\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Users\Public\Music\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Public\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\72C1GWO9\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Users\Admin\Desktop\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SNCNYYOH\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Media\Raga\Desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Users\Public\Libraries\desktop.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 3 http://www.sfml-dev.org/ip-provider.php
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

description	flow	ioc
HTTP URL	3	http://www.sfml-dev.org/ip-provider.php

Drops file in System32 directory 64 IoCs

Processes:

b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\dmdskmgr.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\dmscript.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\dnscmmc.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\idndl.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\ktmutil.exe	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\comcat.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\credwiz.exe	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\ctl3d32.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\DDOIProxy.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\imgutil.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\DisplaySwitch.exe	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\eventvwr.exe	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\fdWCN.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\azroleui.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\diantz.exe	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\ipsecsnp.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\KBDIBO.DLL	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\imagehlp.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\amxread.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\cero.rs	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\C_20284.NLS	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\GameUXLegacyGDFs.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\C_1141.NLS	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\find.exe	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\icmui.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\KBDAZE.DLL	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\KBDINTAM.DLL	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\mfc110chs.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\C_21027.NLS	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\dxmasf.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\f3ahvoas.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\iac25_32.ax	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\mfc140rus.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\dssec.dat	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\KBDLA.DLL	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\kstvtune.ax	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\luainstall.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\C_10021.NLS	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\C_1255.NLS	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\C_28598.NLS	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\dot3cfg.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\mfc140cht.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\aaclient.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\CPFilters.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\fdeploy.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\ieuinit.inf	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\KBDTH1.DLL	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\comsvcs.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\dfshim.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\eapphost.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\InfDefaultInstall.exe	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\kanji_2.uce	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\KBDLV.DLL	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\lsmproxy.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\AtBroker.exe	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\C_20000.NLS	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\fsutil.exe	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\mfc120ita.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\D3DCompiler_47.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\dmsynth.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\SysWOW64\C_1146.NLS	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe

Drops file in Program Files directory 64 IoCs

Processes:

b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.properties	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Marengo.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Resolute.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.ja_5.5.0.165303.jar.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libmad_plugin.dll.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Country.gif.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Java\jre7\bin\splashscreen.dll.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Blanc-Sablon.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\PNG32.FLT	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00705_.WMF.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185776.WMF.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\STSCOPY.DLL.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Caracas.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152628.WMF.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Kaliningrad.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-io.jar	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets_1.0.0.v20140514-1823.jar.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099172.WMF.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Managua.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALHM.POC.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21328_.GIF.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_ja.jar.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14831_.GIF	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00267_.WMF.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewAttachmentIconsMask.bmp.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-next-static.png	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libdeinterlace_plugin.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent.png	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_left.gif	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Module.zip	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Metro.xml.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\settings.html	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME35.CSS.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewTemplate.html.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CA.XML.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Macquarie.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new.png	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\PublisherMUI.XML.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_K_COL.HXK.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXLIRMV.XML	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239967.WMF.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0233070.WMF.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEODBC.DLL.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\REFINED.INF	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_ar.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe.config.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.SemiTrust.xml.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libspeex_plugin.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281008.WMF	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\AUDIOSEARCHMAIN.DLL	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152600.WMF.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIcons.jpg.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\divider-horizontal.png	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_concat_plugin.dll.[[email protected]][FRQ2BVEM610PDW5].Spade	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239191.WMF	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341561.JPG	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe

Drops file in Windows directory 64 IoCs

Processes:

b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild\Microsoft.Build.Commontypes.xsd	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1038\eula.rtf	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\PolicyDefinitions\fr-FR\PerformanceDiagnostics.adml	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Speech\Engines\SR\en-US\s1033.dlm	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-TerminalServices-WMIProvider-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.mum	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClient\eca4310274a7a6ce651b33cd4278610c\UIAutomationClient.ni.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\accicons.exe	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Security.aspx.it.resx	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1029\eula.rtf	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\PenTraining.adml	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-BusinessScanning-Feature-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Shell-InboxGames-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.mum	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\manageAllRoles.aspx.es.resx	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.EnterpriseServices.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.84e525b7#\778484606fe5ad8f7e93e86cb07f6078\System.Xml.Serialization.ni.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Common\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Data.Common.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.Process\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Diagnostics.Process.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Provider.aspx.fr.resx	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ISymWrapper.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\PLA\Reports\es-ES\Report.System.Summary.xml	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V4381984f#\fa89de41d02d50c875d6699cfe070f20\Microsoft.VisualBasic.Compatibility.Data.ni.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Cursors\no_i.cur	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\ehome\de-DE\ehdrop.dll.mui	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\inf\ql2300.inf	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-SearchEngine-Client-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\it\System.Windows.Forms.Resources.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ja\Microsoft.Transactions.Bridge.Dtc.Resources.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.VisualBasic.Activities.Compiler.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\inf\angel64.PNF	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Printing-XPSServices-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.cat	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.Resources\1.0.0.0_es_31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web.2486c0f5#\8e1a0ff5d2f22bb7de74bb93081c8fba\System.Web.DynamicData.ni.dll.aux	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\diagnostics\index\WindowsMediaPlayerPlayDVD.xml	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\inf\input.PNF	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\Microsoft.Build.xsd	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-WinIP-Package~31bf3856ad364e35~amd64~es-ES~7.1.7601.16492.cat	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\msbuild.exe.config	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Help\Windows\fr-FR\dgloss.h1s	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\inf\mdmaiwat.inf	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\EventViewer.Resources\6.1.0.0_it_31bf3856ad364e35\EventViewer.resources.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\inf\hiddigi.PNF	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\inf\umpass.inf	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CORPerfMonExt.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WorkflowServiceHostPerformanceCounters.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\system.runtime.serialization.resources\3.0.0.0_ja_b77a5c561934e089\System.RunTime.Serialization.Resources.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Cursors\busy_i.cur	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\JA\System.xml.Resources.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\inf\.NET CLR Networking 4.0.0.0\0010\_Networkingperfcounters.ini	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\DebugAndTrace.aspx.fr.resx	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Printing-Foundation-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.cat	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\UninstallSqlStateTemplate.sql	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\PolicyDefinitions\es-ES\Cpls.adml	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Speech\Engines\SR\ja-JP\wp1041.bin	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Providers\App_LocalResources\providerList.ascx.es.resx	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-VirtualPC-USB-RPM-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.cat	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\1031\vbc7ui.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Printer-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Cursors\busy_l.cur	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\home2.aspx.ja.resx	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\PLA\Rules\fr-FR\Rules.System.Configuration.xml	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\PolicyDefinitions\it-IT\TerminalServer.adml	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\sbs_microsoft.vsa.vb.codedomprocessor.dll	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1628 1660 WerFault.exe b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe

pid	pid_target	process	target process
1628	1660	WerFault.exe	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe

NTFS ADS 53 IoCs

Processes:

b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe

description	ioc	process
File opened for modification	C:\ProgramData\Documents\Updater6\ꞔ眀"쀀\ꞔ眀:쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\ProgramData\Start Menu\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\"쀀䧸䧸ꨚ眀\:쀀消ʉ消ʉꨚ眀\:쀀浨ʉ浨ʉꨚ眀\3쀀涨ʉ涨ʉꨚ眀\3쀀淈ʉ淈ʉꨚ眀\3쀀淨ʉ淨ʉꨚ眀\3쀀済ʉ済ʉꨚ眀\3쀀渨ʉ渨ʉꨚ眀\3쀀湈ʉ湈ʉꨚ眀\3쀀湨ʉ湨ʉꨚ眀\3쀀綨綨ꨚ眀\3쀀緈緈ꨚ眀\3쀀編編ꨚ眀\3쀀縈縈ꨚ眀\3쀀縨縨ꨚ眀\3쀀繈繈ꨚ眀\Ő繨żꨚ眀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\System Volume Information\5e26de02-94e2-11ec-89d5-a6ba382fb892\ꞔ眀"쀀陘阐ꨚ眀\ꞔ眀:쀀⟘⟀ꨚ眀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-1405931862-909307831-4085185274-1000\ꞔ眀"쀀\ꞔ眀:쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\ProgramData\Desktop\Updater6\ꞔ眀"쀀\ꞔ眀:쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\All Users\Desktop\Updater6\ꞔ眀"쀀傐侸ꨚ眀\ꞔ眀:쀀᐀Ꮸꨚ眀\ꞔ眀:쀀ᐠᐈꨚ眀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Default\Application Data\Roaming\ꞔ眀"쀀稨硠ꨚ眀\ꞔ眀:쀀⟸⟠ꨚ眀\ꞔ眀:쀀ⅸⅠꨚ眀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\All Users\Start Menu\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\ꞔ眀"쀀\ꞔ眀:쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\All Users\Application Data\Updater6\ꞔ眀"쀀傐侠ꨚ眀\ꞔ眀:쀀ᐠᐈꨚ眀\ꞔ眀:쀀ᑀᐨꨚ眀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Admin\AppData\Local\History\Chrome\ꞔ眀"쀀\ꞔ眀:쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Admin\AppData\Local\History\Chrome\ꞔ眀"쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Admin\Application Data\Roaming\ꞔ眀"쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-1405931862-909307831-4085185274-1000\ꞔ眀"쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\ProgramData\Favorites\Updater6\ꞔ眀"쀀\ꞔ眀:쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\All Users\Application Data\Updater6\ꞔ眀"쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temporary Internet Files\WPDNSE\ꞔ眀"쀀\ꞔ眀:쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temporary Internet Files\WPDNSE\ꞔ眀"쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\All Users\Favorites\Updater6\ꞔ眀"쀀\ꞔ眀:쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Default\Cookies\Roaming\ꞔ眀"쀀稨硸ꨚ眀\ꞔ眀:쀀⟸⟠ꨚ眀\ꞔ眀:쀀ⅸⅠꨚ眀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\ProgramData\Application Data\Updater6\ꞔ眀"쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\ProgramData\Start Menu\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\ꞔ眀"쀀\ꞔ眀:쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\All Users\Templates\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\ꞔ眀"쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Default\Cookies\Roaming\ꞔ眀"쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temporary Internet Files\WPDNSE\"쀀𸂔𸂔ꨚ眀\:쀀旸ʌ旸ʌꨚ眀\:쀀昘ʌ昘ʌꨚ眀\3쀀昸ʌ昸ʌꨚ眀\3쀀晘ʌ晘ʌꨚ眀\3쀀晸ʌ晸ʌꨚ眀\3쀀暘ʌ暘ʌꨚ眀\3쀀暸ʌ暸ʌꨚ眀\3쀀曘ʌ曘ʌꨚ眀\3쀀書ʌ書ʌꨚ眀\3쀀朘ʌ朘ʌꨚ眀\3쀀朸ʌ朸ʌꨚ眀\3쀀杘ʌ杘ʌꨚ眀\3쀀杸ʌ杸ʌꨚ眀\3쀀枘ʌ枘ʌꨚ眀\3쀀枸ʌ㘐ꨚ眀㙈	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\ProgramData\Application Data\Updater6\ꞔ眀"쀀\ꞔ眀:쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\All Users\Documents\Updater6\ꞔ眀"쀀傐俐ꨚ眀\ꞔ眀:쀀᐀Ꮸꨚ眀\ꞔ眀:쀀ᐠᐈꨚ眀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\All Users\Templates\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\ꞔ眀"쀀\ꞔ眀:쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Default\Application Data\Roaming\ꞔ眀"쀀\ꞔ眀:쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-1405931862-909307831-4085185274-1000\ꞔ眀"쀀陘镨ꨚ眀\ꞔ眀:쀀⟸⟠ꨚ眀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Admin\Application Data\Roaming\ꞔ眀"쀀窠ʉ碨ʉꨚ眀\ꞔ眀:쀀ᒀᑨꨚ眀\ꞔ眀:쀀᐀Ꮸꨚ眀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\All Users\Templates\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\ꞔ眀"쀀傐偸ꨚ眀\ꞔ眀:쀀⟘⟀ꨚ眀\ꞔ眀:쀀⟸⟠ꨚ眀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\All Users\Documents\Updater6\ꞔ眀"쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\All Users\Favorites\Updater6\ꞔ眀"쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\All Users\Application Data\Updater6\ꞔ眀"쀀\ꞔ眀:쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\ProgramData\Desktop\Updater6\ꞔ眀"쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\ProgramData\Templates\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\ꞔ眀"쀀\ꞔ眀:쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Default\Cookies\Roaming\ꞔ眀"쀀\ꞔ眀:쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\All Users\Start Menu\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\ꞔ眀"쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\System Volume Information\5e26de02-94e2-11ec-89d5-a6ba382fb892\ꞔ眀"쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\All Users\Favorites\Updater6\ꞔ眀"쀀傐俨ꨚ眀\ꞔ眀:쀀᐀Ꮸꨚ眀\ꞔ眀:쀀ᐠᐈꨚ眀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\All Users\Desktop\Updater6\ꞔ眀"쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\All Users\Desktop\Updater6\ꞔ眀"쀀\ꞔ眀:쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\System Volume Information\5e26de02-94e2-11ec-89d5-a6ba382fb892\ꞔ眀"쀀\ꞔ眀:쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\ProgramData\Favorites\Updater6\ꞔ眀"쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\ProgramData\Templates\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\ꞔ眀"쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Application Data\Color\ꞔ眀"쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\All Users\Documents\Updater6\ꞔ眀"쀀\ꞔ眀:쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\ProgramData\Documents\Updater6\ꞔ眀"쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\ProgramData\Start Menu\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\ꞔ眀"쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Application Data\Color\ꞔ眀"쀀\ꞔ眀:쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Admin\Application Data\Roaming\ꞔ眀"쀀\ꞔ眀:쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\All Users\Start Menu\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\ꞔ眀"쀀傐偠ꨚ眀\ꞔ眀:쀀⟘⟀ꨚ眀\ꞔ眀:쀀⟸⟠ꨚ眀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
File opened for modification	C:\Users\Default\Application Data\Roaming\ꞔ眀"쀀\ꞔ眀:쀀	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe

pid	process
1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 1660 wrote to memory of 1764	1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	cmd.exe
PID 1660 wrote to memory of 1764	1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	cmd.exe
PID 1660 wrote to memory of 1764	1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	cmd.exe
PID 1660 wrote to memory of 1764	1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	cmd.exe
PID 1764 wrote to memory of 520	1764	cmd.exe	net.exe
PID 1764 wrote to memory of 520	1764	cmd.exe	net.exe
PID 1764 wrote to memory of 520	1764	cmd.exe	net.exe
PID 1764 wrote to memory of 520	1764	cmd.exe	net.exe
PID 520 wrote to memory of 580	520	net.exe	net1.exe
PID 520 wrote to memory of 580	520	net.exe	net1.exe
PID 520 wrote to memory of 580	520	net.exe	net1.exe
PID 520 wrote to memory of 580	520	net.exe	net1.exe
PID 1660 wrote to memory of 680	1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	cmd.exe
PID 1660 wrote to memory of 680	1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	cmd.exe
PID 1660 wrote to memory of 680	1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	cmd.exe
PID 1660 wrote to memory of 680	1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	cmd.exe
PID 680 wrote to memory of 1824	680	cmd.exe	net.exe
PID 680 wrote to memory of 1824	680	cmd.exe	net.exe
PID 680 wrote to memory of 1824	680	cmd.exe	net.exe
PID 680 wrote to memory of 1824	680	cmd.exe	net.exe
PID 1824 wrote to memory of 432	1824	net.exe	net1.exe
PID 1824 wrote to memory of 432	1824	net.exe	net1.exe
PID 1824 wrote to memory of 432	1824	net.exe	net1.exe
PID 1824 wrote to memory of 432	1824	net.exe	net1.exe
PID 1660 wrote to memory of 1204	1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	cmd.exe
PID 1660 wrote to memory of 1204	1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	cmd.exe
PID 1660 wrote to memory of 1204	1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	cmd.exe
PID 1660 wrote to memory of 1204	1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	cmd.exe
PID 1204 wrote to memory of 1644	1204	cmd.exe	net.exe
PID 1204 wrote to memory of 1644	1204	cmd.exe	net.exe
PID 1204 wrote to memory of 1644	1204	cmd.exe	net.exe
PID 1204 wrote to memory of 1644	1204	cmd.exe	net.exe
PID 1644 wrote to memory of 1208	1644	net.exe	net1.exe
PID 1644 wrote to memory of 1208	1644	net.exe	net1.exe
PID 1644 wrote to memory of 1208	1644	net.exe	net1.exe
PID 1644 wrote to memory of 1208	1644	net.exe	net1.exe
PID 1660 wrote to memory of 1488	1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	cmd.exe
PID 1660 wrote to memory of 1488	1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	cmd.exe
PID 1660 wrote to memory of 1488	1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	cmd.exe
PID 1660 wrote to memory of 1488	1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	cmd.exe
PID 1488 wrote to memory of 836	1488	cmd.exe	net.exe
PID 1488 wrote to memory of 836	1488	cmd.exe	net.exe
PID 1488 wrote to memory of 836	1488	cmd.exe	net.exe
PID 1488 wrote to memory of 836	1488	cmd.exe	net.exe
PID 836 wrote to memory of 1892	836	net.exe	net1.exe
PID 836 wrote to memory of 1892	836	net.exe	net1.exe
PID 836 wrote to memory of 1892	836	net.exe	net1.exe
PID 836 wrote to memory of 1892	836	net.exe	net1.exe
PID 1660 wrote to memory of 1912	1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	cmd.exe
PID 1660 wrote to memory of 1912	1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	cmd.exe
PID 1660 wrote to memory of 1912	1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	cmd.exe
PID 1660 wrote to memory of 1912	1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	cmd.exe
PID 1912 wrote to memory of 1244	1912	cmd.exe	net.exe
PID 1912 wrote to memory of 1244	1912	cmd.exe	net.exe
PID 1912 wrote to memory of 1244	1912	cmd.exe	net.exe
PID 1912 wrote to memory of 1244	1912	cmd.exe	net.exe
PID 1244 wrote to memory of 868	1244	net.exe	net1.exe
PID 1244 wrote to memory of 868	1244	net.exe	net1.exe
PID 1244 wrote to memory of 868	1244	net.exe	net1.exe
PID 1244 wrote to memory of 868	1244	net.exe	net1.exe
PID 1660 wrote to memory of 1312	1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	cmd.exe
PID 1660 wrote to memory of 1312	1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	cmd.exe
PID 1660 wrote to memory of 1312	1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	cmd.exe
PID 1660 wrote to memory of 1312	1660	b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe
"C:\Users\Admin\AppData\Local\Temp\b909408a7f5be6fa466071bafc0949c092ee53a655a83cc28a6f633eb4d9d45f.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:520
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1824
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:1892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:1548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:1248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    PID:1344
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:1680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:1580
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  PID:1980
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    PID:1392
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      PID:2032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:872
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:1108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  PID:2008
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:1748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 240
  2⤵
  - Program crash
  PID:1628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
1⤵
PID:1408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1108-54-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download