ouroboros | bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f

Analysis

max time kernel
70s
max time network
124s
platform
windows10_x64
resource
win10-en-20211208
submitted
23-12-2021 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
Size

987KB
MD5

15f32a4ee7b75aefa308866b4bd79539
SHA1

e106a83bf1a5bf23fde2ee2669a580ccd7104f8b
SHA256

bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f
SHA512

3b5f7bbe45b382f0ef15376a92597bca15a6f4b9d3ccba097b588ad6568f1aecd7cf58431045b34359860da8ac17b64deb678597010b423150c63f656d7ff199

Score

10^/10

ouroboros evasion ransomware spyware stealer

Malware Config

Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.
ransomware ouroboros
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ReceiveConvertFrom.tiff	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\SystemData\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\SystemData\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu Places\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Admin\Cookies\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-369956170-74428499-1628131376-1000\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File created	C:\Program Files\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Public\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File created	C:\$Recycle.Bin\S-1-5-21-369956170-74428499-1628131376-1000\desktop.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

description	flow	ioc
HTTP URL	25	http://www.sfml-dev.org/ip-provider.php

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\regedit.exe	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.24123.0_x86__8wekyb3d8bbwe\logo.png	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\security\blacklisted.certs.Email=[[email protected]]ID=[GKW2H1F7UQ8C9NV].odveta	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-pl.xrm-ms.Email=[[email protected]]ID=[GKW2H1F7UQ8C9NV].odveta	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-loaders.xml	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ppd.xrm-ms	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.text.nl_zh_4.4.0.v20140623020002.jar	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32mui.msi.16.en-us.xml	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\GrooveIntlResource.dll	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_transcode_plugin.dll	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosWideTile.contrast-black_scale-200.png	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.descriptorProvider.exsd.Email=[[email protected]]ID=[GKW2H1F7UQ8C9NV].odveta	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\setEmbeddedCP	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher_1.3.0.v20140415-2008.jar	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange Red.xml.Email=[[email protected]]ID=[GKW2H1F7UQ8C9NV].odveta	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\URLREDIR.DLL.Email=[[email protected]]ID=[GKW2H1F7UQ8C9NV].odveta	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\DashboardDefaultThumbnail.png	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.24123.0_x64__8wekyb3d8bbwe\vccorlib140_app.dll	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\SpotlightCalendar_2016-05.gif	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\libremoteosd_plugin.dll.Email=[[email protected]]ID=[GKW2H1F7UQ8C9NV].odveta	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ppd.xrm-ms.Email=[[email protected]]ID=[GKW2H1F7UQ8C9NV].odveta	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\lt.pak.Email=[[email protected]]ID=[GKW2H1F7UQ8C9NV].odveta	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-phn.xrm-ms	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-30_altform-unplated_contrast-white.png	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\common\Jack_Of_All_Trades_.png	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-64_altform-unplated.png	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\SmallTile.scale-100.png	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100_contrast-white.png	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-cli.xml.Email=[[email protected]]ID=[GKW2H1F7UQ8C9NV].odveta	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\de.pak	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.boot.tree.dat	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml.Email=[[email protected]]ID=[GKW2H1F7UQ8C9NV].odveta	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\LICENSE.Email=[[email protected]]ID=[GKW2H1F7UQ8C9NV].odveta	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerSmallTile.contrast-black_scale-125.png	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Workflow\Density_Selected_Solid.png	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-256_altform-unplated.png	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-tw\ui-strings.js	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_should.help.txt	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-pl.xrm-ms	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msotelemetry.dll	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookLargeTile.scale-100.png	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5601_32x32x32.png	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_super.gif	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_download_18.svg	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-down.png	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FilterModule.dll	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\msvcr120.dll	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\liveleak.luac	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Catalog\traintracksplit.3mf	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEXBE.DLL.Email=[[email protected]]ID=[GKW2H1F7UQ8C9NV].odveta	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher_1.3.0.v20140911-0143.jar.Email=[[email protected]]ID=[GKW2H1F7UQ8C9NV].odveta	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-io-ui.jar.Email=[[email protected]]ID=[GKW2H1F7UQ8C9NV].odveta	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\msvcr100.dll	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_ja.jar	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\pt_60x42.png	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_invite_24.svg	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon_hover.png	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\uk-ua\ui-strings.js	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-72_altform-unplated_contrast-white.png	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Nose.png	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Microsoft.Packaging.RichJPG.dll	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideLogo.scale-100_contrast-black.png	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\he.pak.Email=[[email protected]]ID=[GKW2H1F7UQ8C9NV].odveta	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\palabi.ttf	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\Fonts\seguibli.ttf	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\diagnostics\system\Printer\TS_PrintJobsStuck.ps1	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\Help\mui\0407\sqlsodbc.chm	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\diagnostics\system\Audio\RS_Unmute.ps1	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\diagnostics\system\Bluetooth\VF_BTRadioOff.ps1	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\Settings\AAA_SettingsGroupPenWorkspace.settingcontent-ms	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\Settings\AAA_SettingsPageAccountsEmailApp.settingcontent-ms	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\INF\c_fshsm.inf	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\Cursors\arrow_rl.cur	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\Fonts\GARAIT.TTF	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\INF\prntscl3.inf	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\microsoft.transactions.bridge.resources\3.0.0.0_es_b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.Resources.dll	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\Settings\AAA_SystemSettings_Start_StoreRecentlyOpenedItems.settingcontent-ms	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\Fonts\smalle.fon	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Windows.Forms.resources\2.0.0.0_ja_b77a5c561934e089\System.Windows.Forms.Resources.dll	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\Boot\PCAT\ru-RU\memtest.exe.mui	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\Cursors\move_l.cur	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\diagnostics\system\Audio\TS_SamplingRate.ps1	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\Settings\AAA_Settings_DeveloperModeGroup.settingcontent-ms	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\Settings\AAA_SystemSettings_Accessibility_Narrator_IsPlayAudioCuesEnabled.settingcontent-ms	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\Settings\AAA_SystemSettings_VirtualDesktops_TaskbarFilter.settingcontent-ms	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Access.Dao\15.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.Access.Dao.dll	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\INF\wfcvsc.inf	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\Settings\Classic_{9BA8A9A5-F1C1-4F09-AE9A-EFEAA5961BE3}.settingcontent-ms	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P655586bb#\3a1c5bdebf680c2384cf61e79d1d8ab4\Microsoft.PowerShell.Activities.ni.dll	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\Fonts\ebrimabd.ttf	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\INF\mdmati.inf	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.AddIn\3.5.0.0__b77a5c561934e089\System.AddIn.dll	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Run#\a66c961b1bb52016549ac90b0cf542d0\Microsoft.WSMan.Runtime.ni.dll	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\diagnostics\system\UsbCore\fr-FR\CL_LocalizationData.psd1	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\es-ES\notepad.exe.mui	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\Help\mui\040C\msdasc.chm	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\INF\mdmtdkj7.inf	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\INF\scmbus.inf	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\PresentationUI.resources\3.0.0.0_ja_31bf3856ad364e35\PresentationUI.resources.dll	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\diagnostics\system\DeviceCenter\en-US\CL_LocalizationData.psd1	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\diagnostics\system\WindowsUpdate\es-ES\CL_LocalizationData.psd1	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\INF\mdmsun2.inf	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I0cd65b90#\413917c2dcc9efe08ab51707dd3bae1a\Microsoft.Isam.Esent.Interop.Wsa.ni.dll.aux	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\diagnostics\system\Device\RS_UpdateDriver.ps1	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\Settings\AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC.settingcontent-ms	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\Settings\CortanaSettings.settingcontent-ms	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\WindowsBase.resources\3.0.0.0_de_31bf3856ad364e35\WindowsBase.resources.dll	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\Boot\Fonts\meiryon_boot.ttf	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\diagnostics\index\NetworkDiagnostics_4_NetworkAdapter.xml	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\diagnostics\system\BITS\RC_BITSACL.ps1	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b#\81a84d13e20c1f8d833f976f56451043\Microsoft.PowerShell.Workflow.ServiceCore.ni.dll	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\Cursors\aero_arrow_l.cur	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\Settings\AAA_SystemSettings_Taskbar_Help.settingcontent-ms	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\BCD	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\diagnostics\scheduled\Maintenance\ja-JP\DiagPackage.dll.mui	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\Fonts\coue1255.fon	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\INF\hidbth.PNF	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\Boot\PCAT\lt-LT\bootmgr.exe.mui	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\MMCFxCommon\3d9f990f784ba969dae920d959d40963\MMCFxCommon.ni.dll	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\diagnostics\system\Search\TS_CheckPermissions.ps1	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\Settings\AAA_SystemSettings_Display_Orientation.settingcontent-ms	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\diagnostics\system\Printer\DiagPackage.diagpkg	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\diagnostics\system\PCW\es-ES\CL_LocalizationData.psd1	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\diagnostics\system\Speech\en-US\DiagPackage.dll.mui	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Windows\Fonts\85855.fon	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Documents and Settings\S-1-5-21-369956170-74428499-1628131376-1000\8:（Ĝɱp.in	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
File opened for modification	C:\Users\All Users\Desktop\Setup\:<伀ĠɱA86-	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3376 wrote to memory of 3752	3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe	69
PID 3376 wrote to memory of 3752	3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe	69
PID 3376 wrote to memory of 3752	3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe	69
PID 3752 wrote to memory of 528	3752	cmd.exe	71
PID 3752 wrote to memory of 528	3752	cmd.exe	71
PID 3752 wrote to memory of 528	3752	cmd.exe	71
PID 528 wrote to memory of 4064	528	net.exe	72
PID 528 wrote to memory of 4064	528	net.exe	72
PID 528 wrote to memory of 4064	528	net.exe	72
PID 3376 wrote to memory of 4008	3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe	73
PID 3376 wrote to memory of 4008	3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe	73
PID 3376 wrote to memory of 4008	3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe	73
PID 4008 wrote to memory of 4084	4008	cmd.exe	75
PID 4008 wrote to memory of 4084	4008	cmd.exe	75
PID 4008 wrote to memory of 4084	4008	cmd.exe	75
PID 4084 wrote to memory of 3192	4084	net.exe	76
PID 4084 wrote to memory of 3192	4084	net.exe	76
PID 4084 wrote to memory of 3192	4084	net.exe	76
PID 3376 wrote to memory of 4300	3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe	77
PID 3376 wrote to memory of 4300	3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe	77
PID 3376 wrote to memory of 4300	3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe	77
PID 4300 wrote to memory of 4188	4300	cmd.exe	79
PID 4300 wrote to memory of 4188	4300	cmd.exe	79
PID 4300 wrote to memory of 4188	4300	cmd.exe	79
PID 4188 wrote to memory of 4160	4188	net.exe	80
PID 4188 wrote to memory of 4160	4188	net.exe	80
PID 4188 wrote to memory of 4160	4188	net.exe	80
PID 3376 wrote to memory of 4396	3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe	81
PID 3376 wrote to memory of 4396	3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe	81
PID 3376 wrote to memory of 4396	3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe	81
PID 4396 wrote to memory of 4452	4396	cmd.exe	83
PID 4396 wrote to memory of 4452	4396	cmd.exe	83
PID 4396 wrote to memory of 4452	4396	cmd.exe	83
PID 4452 wrote to memory of 4472	4452	net.exe	84
PID 4452 wrote to memory of 4472	4452	net.exe	84
PID 4452 wrote to memory of 4472	4452	net.exe	84
PID 3376 wrote to memory of 4328	3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe	85
PID 3376 wrote to memory of 4328	3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe	85
PID 3376 wrote to memory of 4328	3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe	85
PID 4328 wrote to memory of 2792	4328	cmd.exe	87
PID 4328 wrote to memory of 2792	4328	cmd.exe	87
PID 4328 wrote to memory of 2792	4328	cmd.exe	87
PID 2792 wrote to memory of 4492	2792	net.exe	88
PID 2792 wrote to memory of 4492	2792	net.exe	88
PID 2792 wrote to memory of 4492	2792	net.exe	88
PID 3376 wrote to memory of 4504	3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe	89
PID 3376 wrote to memory of 4504	3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe	89
PID 3376 wrote to memory of 4504	3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe	89
PID 3376 wrote to memory of 3096	3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe	91
PID 3376 wrote to memory of 3096	3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe	91
PID 3376 wrote to memory of 3096	3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe	91
PID 3376 wrote to memory of 700	3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe	93
PID 3376 wrote to memory of 700	3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe	93
PID 3376 wrote to memory of 700	3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe	93
PID 3376 wrote to memory of 444	3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe	95
PID 3376 wrote to memory of 444	3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe	95
PID 3376 wrote to memory of 444	3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe	95
PID 444 wrote to memory of 1176	444	cmd.exe	97
PID 444 wrote to memory of 1176	444	cmd.exe	97
PID 444 wrote to memory of 1176	444	cmd.exe	97
PID 1176 wrote to memory of 1264	1176	net.exe	98
PID 1176 wrote to memory of 1264	1176	net.exe	98
PID 1176 wrote to memory of 1264	1176	net.exe	98
PID 3376 wrote to memory of 1324	3376	bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe	99

C:\Users\Admin\AppData\Local\Temp\bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe
"C:\Users\Admin\AppData\Local\Temp\bf51b9a34c195241c646a4088607e1db7079e56fe733a206ae34c70ecfd8ca1f.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3752
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:528
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:4064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4084
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:3192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4188
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:4160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4396
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4452
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:4472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      PID:4492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:4504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:3096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  PID:700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:444
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:1264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:1324
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:1592
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:1712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  PID:1856
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    PID:2144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:2388
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:2524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  PID:3812
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:4752

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vds
1⤵
PID:2248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads