Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-11-2022 04:19
Behavioral task: behavioral1
- Sample: 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe
- Resource: win10v2004-20221111-en
General
- Target: 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe
- Size: 7KB
- MD5: 33755784b9128aabea98a2d4f0bebb86
- SHA1: 4e327c4deae1ca7199408dd3e33ee7feb692b6b0
- SHA256: 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a
- SHA512: 1eecab22c39d01d57026136a398dc3f8369c0830821de6aa95b60ade277f91079f5fc0bcd2f589f8c2e362a4803108ea388d1e5ab190a359d0ae1caf1273bd4b
- SSDEEP: 192:gzdrr1FG1WDCgmjPZpO3GQ3aVAzMeisDUA:gprr1gkDCgSBQ39zMvsDB
Malware Config
Signatures
Detected Xorist Ransomware 2 IoCs
Processes (resource: yara_rule):
- behavioral2/memory/4288-132-0x0000000000400000-0x000000000040C000-memory.dmp: family_xorist
- behavioral2/memory/4288-133-0x0000000000400000-0x000000000040C000-memory.dmp: family_xorist
Xorist Ransomware
Xorist is a ransomware family first seen in 2020.
Drops file in Drivers directory 7 IoCs
Process: 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe
- File created: C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
- File created: C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
Processes (resource: yara_rule):
- behavioral2/memory/4288-132-0x0000000000400000-0x000000000040C000-memory.dmp: upx
- behavioral2/memory/4288-133-0x0000000000400000-0x000000000040C000-memory.dmp: upx
Drops startup file 1 IoCs
Process: 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
Process: 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mB3Tew2BDFbEH1s.exe"
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\WinSxS\amd64_acpipagr.inf.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_247024ce39eb08c4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Control\ProgressRing\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\diagnostics\system\Printer\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\Globalization\Time Zone\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Caching.resources\v4.0_4.0.0.0_it_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Routing.resources\v4.0_4.0.0.0_it_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\images\colorPicker\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks.Resources\2.0.0.0_it_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\INF\.NETFramework\0410\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created 
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.DeveloperLicense.Commands.Resources\v4.0_10.0.0.0_it_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\es-ES\assets\OfflineTabs\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\WinSxS\amd64_amdi2c.inf.resources_31bf3856ad364e35_10.0.19041.1_de-de_9253f1bbb4830435\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wcffedcb4#\802109be4d2ce39859ded54bbe541811\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\v4.0_10.0.0.0_fr_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities.resources\v4.0_4.0.0.0_de_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\system.dynamic.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\media\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\WinSxS\amd64_bth.inf.resources_31bf3856ad364e35_10.0.19041.1_de-de_658be91b2a3653e3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 
05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\Microsoft.NET\assembly\GAC_64\System.Printing\v4.0_4.0.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Uev.ManagedAgentWmi.WinRT\v4.0_10.0.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.DynamicData.Design.resources\v4.0_4.0.0.0_es_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\Microsoft.NET\Framework64\v3.5\1033\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\SystemApps\Microsoft.Windows.AppResolverUX_cw5n1h2txyewy\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\aspnet_compiler.resources\v4.0_4.0.0.0_fr_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.AppV.AppVClientWmi.Resources\v4.0_10.0.0.0_fr_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\fr\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationClientsideProviders.resources\v4.0_4.0.0.0_de_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\WinSxS\amd64_adp80xx.inf.resources_31bf3856ad364e35_10.0.19041.1_it-it_6c30de1bd42c3322\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ 
ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\Images\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_64\EventViewer\e7dd774251db1abf49179f2d4e109684\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\1036\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe -
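The rows above record one file name being written into dozens of Windows system directories by the sample. Two things a responder wants from them. First, the real note name: the sandbox printed a Windows-1251 (Cyrillic) file name through a Latin-1 decoder, which is why it appears as ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt; the same bytes read as cp1251 spell КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt, Russian for "HOW TO DECRYPT FILES.txt", which is the string to search for on a victim host. Second, a detection for the behaviour itself: a single process creating a file of one name in many distinct directories in one run. The Python below is an added example, not part of this report or of any sandbox tooling. It re-parses eight "File created" rows copied from the list (plus one constructed benign row that must not fire), undoes the encoding damage, and flags the burst. The `min_dirs` threshold is an assumption chosen for this example.

```python
import re
from collections import defaultdict

# Added example, not part of the sandbox report. Decodes the ransom note name
# as the sandbox recorded it and flags "one name written to many directories"
# from "File created <path> <process>" rows in the report's own format.

SAMPLE = "05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe"

# The note name exactly as printed in the report: Windows-1251 bytes shown
# as if they were Latin-1.
MOJIBAKE_NOTE = "ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt"


def fix_cp1251_mojibake(name: str) -> str:
    """Undo a Latin-1 rendering of Windows-1251 bytes. Names that cannot be
    re-encoded as Latin-1 (already Cyrillic, CJK, ...) are returned unchanged;
    plain ASCII names come back identical."""
    try:
        return name.encode("latin-1").decode("cp1251")
    except UnicodeError:
        return name


# Eight directories copied from the report rows above (constructed subset).
NOTE_DIRS = [
    r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MUI\0C0A",
    r"C:\Windows\BitLockerDiscoveryVolumeContents",
    r"C:\Windows\Globalization\Time Zone",
    r"C:\Windows\INF\TAPISRV\0410",
    r"C:\Windows\Boot\PCAT\sr-Latn-RS",
    r"C:\Windows\diagnostics\system\Printer\fr-FR",
    r"C:\Windows\Microsoft.NET\Framework64\v3.5\1033",
    r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\1036",
]
FILE_EVENTS = [f"File created {d}\\{MOJIBAKE_NOTE} {SAMPLE}" for d in NOTE_DIRS] + [
    # Constructed benign row: one file, one directory, must not be flagged.
    r"File created C:\Users\Admin\Documents\notes.txt notepad.exe",
]

# Path may contain spaces ("Time Zone", the note name itself); the process
# name is the last whitespace-free token, so match the path lazily.
EVENT_RE = re.compile(r"^File created (?P<path>.+?) (?P<proc>\S+)$")


def parse_file_event(line: str) -> dict:
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    directory, _, name = m["path"].rpartition("\\")
    return {"dir": directory, "name": name, "proc": m["proc"]}


def find_note_bursts(lines, min_dirs: int = 5) -> dict:
    """Group creations by (process, file name) and return those that touched at
    least min_dirs distinct directories: {(proc, name): sorted directories}."""
    dirs = defaultdict(set)
    for line in lines:
        ev = parse_file_event(line)
        dirs[(ev["proc"], ev["name"])].add(ev["dir"].lower())
    return {key: sorted(d) for key, d in dirs.items() if len(d) >= min_dirs}


if __name__ == "__main__":
    for (proc, name), hit_dirs in find_note_bursts(FILE_EVENTS).items():
        print(f"{proc} wrote {name!r} (decoded: {fix_cp1251_mojibake(name)!r}) "
              f"into {len(hit_dirs)} directories")
```

On a live host the same grouping can be fed from Sysmon EventID 11 or EDR file-create telemetry; the name decoding matters because a search for the Latin-1 rendering will not match the Cyrillic file the sample actually writes.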
Modifies registry class 10 IoCs
Processes:
05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "MQISXQQKMIDJKVK" 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MQISXQQKMIDJKVK 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MQISXQQKMIDJKVK\ = "CRYPTED!" 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MQISXQQKMIDJKVK\DefaultIcon 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MQISXQQKMIDJKVK\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mB3Tew2BDFbEH1s.exe,0" 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MQISXQQKMIDJKVK\shell 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MQISXQQKMIDJKVK\shell\open 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MQISXQQKMIDJKVK\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mB3Tew2BDFbEH1s.exe" 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MQISXQQKMIDJKVK\shell\open\command 05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe
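These ten rows describe a file-association hijack rather than persistence in the usual sense. The extension `.EnCiPhErEd` is bound to the ProgID `MQISXQQKMIDJKVK` (friendly name "CRYPTED!"), and that ProgID's `DefaultIcon` and `shell\open\command` both point at `C:\Users\Admin\AppData\Local\Temp\mB3Tew2BDFbEH1s.exe`. Explorer resolves a double-click on any file carrying the encrypted extension through exactly this chain, so a victim who opens one of their own encrypted files runs the executable in Temp. The report does not record what that file is or whether it is a copy of the sample, so that is left open here. The Python below is an added example, not part of this report; it parses the ten rows as copied from the report, follows extension, ProgID and open handler the way the shell would, and flags the traits worth alerting on. The checks in `assess` are the author's heuristics for this example, not sandbox signatures.

```python
import re

# Added example, not part of the sandbox report. Rebuilds the file-association
# chain (extension -> ProgID -> DefaultIcon / shell\open\command) from
# "Modifies registry class" rows in the report's own format.

SAMPLE = "05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe"
CLASSES = r"\REGISTRY\MACHINE\SOFTWARE\Classes"
# Backslashes are doubled inside values exactly as the report renders them.
TEMP_EXE = r"C:\\Users\\Admin\\AppData\\Local\\Temp\\mB3Tew2BDFbEH1s.exe"

# The ten rows from the report, in the order the sandbox listed them.
REGISTRY_ROWS = [
    f'Set value (str) {CLASSES}\\.EnCiPhErEd\\ = "MQISXQQKMIDJKVK" {SAMPLE}',
    f"Key created {CLASSES}\\MQISXQQKMIDJKVK {SAMPLE}",
    f'Set value (str) {CLASSES}\\MQISXQQKMIDJKVK\\ = "CRYPTED!" {SAMPLE}',
    f"Key created {CLASSES}\\MQISXQQKMIDJKVK\\DefaultIcon {SAMPLE}",
    f'Set value (str) {CLASSES}\\MQISXQQKMIDJKVK\\DefaultIcon\\ = "{TEMP_EXE},0" {SAMPLE}',
    f"Key created {CLASSES}\\MQISXQQKMIDJKVK\\shell {SAMPLE}",
    f"Key created {CLASSES}\\MQISXQQKMIDJKVK\\shell\\open {SAMPLE}",
    f"Key created {CLASSES}\\.EnCiPhErEd {SAMPLE}",
    f'Set value (str) {CLASSES}\\MQISXQQKMIDJKVK\\shell\\open\\command\\ = "{TEMP_EXE}" {SAMPLE}',
    f"Key created {CLASSES}\\MQISXQQKMIDJKVK\\shell\\open\\command {SAMPLE}",
]

ROW_RE = re.compile(
    r'^(?P<op>Key created|Set value \(str\)) (?P<key>\S+?)'
    r'(?: = "(?P<val>.*)")? (?P<proc>\S+)$'
)


def parse_row(line: str):
    """Return (operation, key, value-or-None, process) for one report row."""
    m = ROW_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    key = m["key"].rstrip("\\")          # trailing "\" marks the key's (Default) value
    val = m["val"]
    if val is not None:
        val = val.replace("\\\\", "\\")  # undo the report's doubled backslashes
    return m["op"], key, val, m["proc"]


def reconstruct_associations(lines) -> list:
    r"""Follow Classes\.<ext> -> ProgID -> DefaultIcon and shell\open\command,
    comparing key paths case-insensitively as the registry does."""
    values = {}
    for line in lines:
        op, key, val, _proc = parse_row(line)
        if op.startswith("Set value"):
            values[key.lower()] = (key, val)

    def default_value(*parts):
        entry = values.get("\\".join(parts).lower())
        return entry[1] if entry else None

    chains = []
    for key, progid in values.values():
        parent, _, leaf = key.rpartition("\\")
        if parent.lower() != CLASSES.lower() or not leaf.startswith("."):
            continue                      # only extension registrations start a chain
        chains.append({
            "extension": leaf,
            "progid": progid,
            "description": default_value(CLASSES, progid),
            "icon": default_value(CLASSES, progid, "DefaultIcon"),
            "open_command": default_value(CLASSES, progid, "shell", "open", "command"),
        })
    return chains


def assess(chain: dict) -> list:
    """Heuristics (this example's own, not sandbox rules) for a hijacked association."""
    findings = []
    cmd = chain["open_command"] or ""
    icon = (chain["icon"] or "").rsplit(",", 1)[0]   # strip the ",<index>" suffix
    if "\\appdata\\local\\temp\\" in cmd.lower():
        findings.append("open handler runs from the user's Temp directory")
    if icon and icon.lower() == cmd.lower():
        findings.append("DefaultIcon and open handler are the same executable")
    if not chain["extension"].islower():
        findings.append("mixed-case extension, unusual for a legitimate file type")
    return findings


if __name__ == "__main__":
    for chain in reconstruct_associations(REGISTRY_ROWS):
        print(f'{chain["extension"]} -> {chain["progid"]} ({chain["description"]}) '
              f'-> {chain["open_command"]}')
        for finding in assess(chain):
            print("  !", finding)
```

The same walk applies to a live registry: read the (Default) value of `HKLM\SOFTWARE\Classes\<ext>`, then the (Default) value of `HKLM\SOFTWARE\Classes\<ProgID>\shell\open\command`, and treat a handler under a user-writable path as hostile until the binary has been examined. Removing the two `Classes` keys stops the relaunch-on-open behaviour but does nothing for the encrypted files themselves.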
Processes
-
C:\Users\Admin\AppData\Local\Temp\05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe
"C:\Users\Admin\AppData\Local\Temp\05d0be6bbf2ce6d8b29a257629e071836290cf2a83e16641cf08ba5378317f9a.exe"
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:4288