073c08aac5b8074c9983adfea561b7b890b80d8f928ca0666d477bc6e0fdfc87

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 04:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

27c1c13cfb0052ff2db56ba9aa5716e4.exe
Size

11.7MB
MD5

27c1c13cfb0052ff2db56ba9aa5716e4
SHA1

891177feca6a3c1c2aa83d41c3157bb40fe8e7ba
SHA256

073c08aac5b8074c9983adfea561b7b890b80d8f928ca0666d477bc6e0fdfc87
SHA512

905c8e907bf70178f78ede2b572e24ccad1110772ca385cc009799d609cb1be6b26eb5e6a6803724322019f9defda24315b055706585d3e0ded3f947b15982f3
SSDEEP

196608:OoXH/9MPoP1HtnNRuZIPlIDe1o9BHPzSjFsuB33ZQIc83z+6vThrZplBst:OoXHWAP1dyZTDeIRsFsyONwDm

Score

8^/10

spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 28 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\ja-JP\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\it-IT\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\ja-JP\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\drivers\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\drivers\en-US\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\es-ES\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\it-IT\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\fr-FR\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\de-DE\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\ja-JP\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\en-US\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\es-ES\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File opened for modification	C:\Windows\SysWOW64\drivers\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\de-DE\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\fr-FR\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe

Loads dropped DLL 49 IoCs

pid	Process
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe
320	27c1c13cfb0052ff2db56ba9aa5716e4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\bthmtpenum.inf_amd64_neutral_c70e85b87ee4ece9\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmbtmdm.inf_amd64_neutral_2e4da8629fc5904e\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\lsi_sas2.inf_amd64_neutral_e12a5c4cfbe49204\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmbr004.inf_amd64_neutral_ccf1bc353e588fe1\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmtexas.inf_amd64_neutral_7572473d88d69307\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rdpbus.inf_amd64_neutral_3b741ca76444b9c3\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\HomePremium\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-activedirectory-webservices\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\Enterprise\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cxfalpal_ibv64.inf_amd64_neutral_4c42ac5f00413365\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\Starter\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-IIS-DL\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\WCN\en-US\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmaus.inf_amd64_neutral_5fa4270b9924b918\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmboca.inf_amd64_neutral_cc532ed7b3b5b5a9\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wudfusbcciddriver.inf_amd64_neutral_adc3e4acb1046b4b\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\Starter\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-TapiSetup\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File opened for modification	C:\Windows\SysWOW64\ja\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\ProfessionalE\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiabr008.inf_amd64_neutral_27d1c9a28eac4eed\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\Enterprise\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File opened for modification	C:\Windows\SysWOW64\migration\WSMT\rras\dlmanifests\Microsoft-Windows-RasServer-MigPlugin\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr007.inf_amd64_neutral_add2acf1d573aef0\Amd64\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky309.inf_amd64_ja-jp_afbb421e3dc1cb6b\Amd64\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00y.inf_amd64_neutral_977318f2317f5ddd\Amd64\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\Starter\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomeBasicN\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\fdc.inf_amd64_neutral_bbcfca39fdc02275\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ricoh.inf_amd64_neutral_66b4504d1fb1c857\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-COM-DTC-Setup-DL\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hidirkbd.inf_amd64_neutral_2b561a02e977e2e3\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\megasr.inf_amd64_neutral_30b367f92ca46598\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00i.inf_amd64_neutral_09ff5ee0a0cf0233\Amd64\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky009.inf_amd64_neutral_8e54c9ff272b72f1\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\Starter\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\winrm\0409\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File opened for modification	C:\Windows\SysWOW64\sv-SE\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\0009\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\angelu64.inf_amd64_neutral_3d6079dd78127f5e\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmbr005.inf_amd64_neutral_d140721f97061bba\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmcm28.inf_amd64_neutral_d3fa0f62d3d7cea1\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mf.inf_amd64_neutral_b263d46928b97a9b\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx009.inf_amd64_neutral_d4b76afd08f308fb\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File opened for modification	C:\Windows\SysWOW64\IME\shared\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaep002.inf_amd64_neutral_0a982dec66379cb0\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomePremium\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0011\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\replacementmanifests\Microsoft-Windows-TerminalServices-AppServer-Licensing\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File opened for modification	C:\Windows\SysWOW64\NetworkList\Icons\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx004.inf_amd64_neutral_2cf95f307381e481\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vhdmp.inf_amd64_neutral_c3910bbf4fbccf97\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\Professional\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\sysprep\ja-JP\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ipmidrv.inf_amd64_neutral_1cb648411f252d13\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File opened for modification	C:\Windows\SysWOW64\Dism\en-US\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\EnterpriseE\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\StarterN\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File opened for modification	C:\Windows\SysWOW64\restore\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmti.inf_amd64_neutral_4443b423d18c3ffc\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiasa002.inf_amd64_neutral_6429a42f1243419a\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Java\jre7\lib\zi\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Microsoft Games\Chess\de-DE\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files (x86)\Windows Media Player\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bs\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Internet Explorer\en-US\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Filters\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Microsoft Games\FreeCell\en-US\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Microsoft Games\FreeCell\fr-FR\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files (x86)\Common Files\System\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Windows Media Player\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Microsoft Games\Chess\es-ES\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files (x86)\Microsoft Office\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Adapter\8.0.0.0__b03f5f7f11d50a3a\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_GlobalResources\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-raschap.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8a79d8052fda7485\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..bilitycpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_526c1b84c252b23e\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-fax-service_31bf3856ad364e35_6.1.7601.17514_none_0b499f2c96e8f6b2\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-0000040d_31bf3856ad364e35_6.1.7600.16385_none_59d5041c6f5ea716\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-wmiperf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_10bf6abad040a711\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-secpriv.resources_31bf3856ad364e35_6.1.7600.16385_it-it_d97e8b3e5a4f18fd\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-logon-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_45b3bab3c484cbb1\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-rasplap-mui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ec212fccfcfd6bea\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-usbui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5f8461ffcf3b4029\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-n..line-tool.resources_31bf3856ad364e35_6.1.7600.16385_es-es_baaa6bfb2430a558\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..cesframework-msctfp_31bf3856ad364e35_6.1.7600.16385_none_cab3b5905044da08\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-artcon5.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_46b53db2105055dd\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_21f387afee4bfa5a\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..idmanager.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ff8a9baca284605a\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wow64.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d9bbf5b047c92e35\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-dns-client.resources_31bf3856ad364e35_6.1.7600.16385_en-us_234809c32cf5e8cc\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-bootres_31bf3856ad364e35_6.1.7601.17514_none_9d42c69298905ee5\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..in-appmgr.resources_31bf3856ad364e35_6.1.7600.16385_de-de_948f9dd6df3c4588\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..input-cpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_15f6f88f0734008a\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\servicing\it-IT\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-cdosys.resources_31bf3856ad364e35_6.1.7601.17514_sv-se_a38cd28420bd9947\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Web\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-instmes.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1846bdf20e840454\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..alization.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9f839041500002e5\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..veryagent.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5487dbbef101101f\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_crcdisk.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_dfd20de6a3145d99\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..atement_r.resources_31bf3856ad364e35_6.1.7601.17514_en-us_b558e03eab75aa2b\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..e_iassvcs.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4c8a512eac629d59\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-securestartup-cpl_31bf3856ad364e35_6.1.7601.17514_none_b5ac5cc3a1b7e9ef\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-searchfolder.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7cf923f66d81e6b9\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..audiocore.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_230658042707a5d5\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-browserservice-netapi_31bf3856ad364e35_6.1.7601.17514_none_8bb36948ae5a5afc\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-wmpeffects_31bf3856ad364e35_6.1.7601.17514_none_5773ecb6a6113d69\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-r..comserver.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_d86b4b9c2cf3cdf0\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sysprep.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6d35a529875a2625\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..artup-cpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ba5223c7122b00e1\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..l-keyboard-00010415_31bf3856ad364e35_6.1.7600.16385_none_f2700a3da3b6cb22\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..haringapi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6a392abf1026b979\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\msil_system.addin.contract_b03f5f7f11d50a3a_6.1.7601.17514_none_46152da9482ca76c\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..ty-client.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a30286bcff0e8a8e\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..verytools.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0e65108cd3afe999\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-japanese-utilities_31bf3856ad364e35_6.1.7601.17514_none_4b57445488ba33fd\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-artui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a6c842e64642498f\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-e..tvratings.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1a581da34e145c13\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sysinfo.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f0d87aa94d6c2f9a\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\inf\MSDTC Bridge 4.0.0.0\000C\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_agp.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c1d2a33730aa56a6\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..networkconfigwizard_31bf3856ad364e35_6.1.7601.17514_none_daf410e92d613240\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5f3874d6c7dfca9f\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..mhardware.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8d14e3f84a2ede2b\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Contract.v10.0\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Servd1dec626#\7a1dfc357f4135dbddcf38fd9279b2a7\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-bits-proxy5_31bf3856ad364e35_6.1.7600.16385_none_0dab53ff221f4569\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..structure.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_78ff7e5066a1133c\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..ty-client.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9c4aafc6c255cbd1\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Workflow.Runtime\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..n-clients.resources_31bf3856ad364e35_6.1.7600.16385_es-es_bdad5d9287414b5a\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-b..smcnative.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_3e05bdf0fe58f40a\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-timedate.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c61dacbb765a687c\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-v..virtualdiskprovider_31bf3856ad364e35_6.1.7600.16385_none_fd447bb347c0d118\recover_your_files.txt	27c1c13cfb0052ff2db56ba9aa5716e4.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 112 wrote to memory of 320	112	27c1c13cfb0052ff2db56ba9aa5716e4.exe	21
PID 112 wrote to memory of 320	112	27c1c13cfb0052ff2db56ba9aa5716e4.exe	21
PID 112 wrote to memory of 320	112	27c1c13cfb0052ff2db56ba9aa5716e4.exe	21
PID 112 wrote to memory of 320	112	27c1c13cfb0052ff2db56ba9aa5716e4.exe	21

C:\Users\Admin\AppData\Local\Temp\27c1c13cfb0052ff2db56ba9aa5716e4.exe
"C:\Users\Admin\AppData\Local\Temp\27c1c13cfb0052ff2db56ba9aa5716e4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:112
- C:\Users\Admin\AppData\Local\Temp\27c1c13cfb0052ff2db56ba9aa5716e4.exe
  "C:\Users\Admin\AppData\Local\Temp\27c1c13cfb0052ff2db56ba9aa5716e4.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops startup file
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI1122\setuptools-49.2.1.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit