lockfile | f70006713d13499db25cb78e7831a300457f83248cc8a245de67b180c607713e

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04-02-2024 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
Size

1.8MB
MD5

a47562ddb085ab39b821c1d8ab078edf
SHA1

0d4e8e5549105ee8527c058dce6c390616ad14a3
SHA256

f70006713d13499db25cb78e7831a300457f83248cc8a245de67b180c607713e
SHA512

18b3ff273024fdd98f2eacc9825316a97ae9809d127ae4d16a6613a9093fa94804c736cdb4edef814ef76c92a2f8c5b640ce4d2b7b76e339fe581667189a29f7
SSDEEP

24576:dnA1KgRYWHEvtd8LHhFJpxjMnA1KgRYWHEvtd8LHhFJpxjJ:m1K5ve1K5v

Score

10^/10

lockfile ransomware spyware stealer

Malware Config

Signatures

LockFile
LockFile is a new ransomware that emerged in July 2021 with ProxyShell vulnerabilties.
ransomware lockfile
Renames multiple (1097) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 7 IoCs

Processes:

VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\de-DE\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\drivers\en-US\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\drivers\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe

Drops startup file 1 IoCs

Processes:

VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 64 IoCs

Processes:

VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\prngt002.inf_amd64_neutral_df2060d80de9ff13\Amd64\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\Professional\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\eval\HomeBasic\license.rtf	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmhaeu.inf_amd64_neutral_6611a858035bf482\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00i.inf_amd64_neutral_09ff5ee0a0cf0233\Amd64\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnso002.inf_amd64_neutral_c3b7ce4e6f71641f\Amd64\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnts002.inf_amd64_neutral_ad2aa922aa11af2c\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\EnterpriseE\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\HomePremium\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Windows\SysWOW64\WCN\de-DE\Add_a_device_or_computer_to_a_network_usb.rtf	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\XPSViewer\fr-FR\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\compositebus.inf_amd64_neutral_b9280780a8000d4b\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\eval\StarterN\license.rtf	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomeBasicN\license.rtf	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\HomePremiumN\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-windows-shmig\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmbr006.inf_amd64_neutral_40c76453575b1208\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Windows\SysWOW64\tcpbidi.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmntt1.inf_amd64_neutral_ecf5cff2236b273a\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\OEM\HomeBasic\license.rtf	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\OEM\HomePremium\license.rtf	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep002.inf_amd64_neutral_efc4a7485b172c07\Amd64\EP0SBT00.XML	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00y.inf_amd64_neutral_977318f2317f5ddd\Amd64\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\UltimateN\license.rtf	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\_Default\Ultimate\license.rtf	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky008.inf_amd64_neutral_9f6abc54cbf095f2\Amd64\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\_Default\Professional\license.rtf	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Licenses\OEM\StarterE\license.rtf	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\migration\WSMT\rras\replacementmanifests\Microsoft-Windows-RasServer-MigPlugin\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-windows-audio-mmecore-other\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ph3xibc7.inf_amd64_neutral_348f512722c79525\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Licenses\eval\ProfessionalN\license.rtf	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\001e\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomePremium\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ql40xx.inf_amd64_neutral_77a826e5c0a07842\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnnr003.inf_amd64_neutral_c07c33bfb5764bdb\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Licenses\OEM\ProfessionalE\license.rtf	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx009.inf_amd64_neutral_d4b76afd08f308fb\Amd64\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\eval\EnterpriseN\license.rtf	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Licenses\eval\HomeBasicE\license.rtf	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hidirkbd.inf_amd64_neutral_2b561a02e977e2e3\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmhandy.inf_amd64_neutral_386661b46df6da3f\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj3600t.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\ProfessionalE\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\angelu64.inf_amd64_neutral_3d6079dd78127f5e\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ehstorpwddrv.inf_amd64_neutral_ecd233d7cabbdebf\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmbr004.inf_amd64_neutral_ccf1bc353e588fe1\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\IME\shared\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\eval\Starter\license.rtf	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wvmbus.inf_amd64_neutral_fca91999602b0343\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\Microsoft.PowerShell.Commands.Diagnostics.dll-Help.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\ProfessionalN\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0014\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\ProfessionalN\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\UltimateN\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\MigApp.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\_Default\Enterprise\license.rtf	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mf.inf_amd64_neutral_b263d46928b97a9b\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hnpchkmpcejmpbeh.bmp"	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe

Drops file in Program Files directory 64 IoCs

Processes:

VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe

description	ioc	process
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierUpArrow.jpg	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\BodyPaneBackground.jpg	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\gadget.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\OutlookMUI.XML	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382959.JPG	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\AppConfigurationInternal.zip	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrome.7z	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178348.JPG	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Dataset.zip	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387591.JPG	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02810J.JPG	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\GrooveFormsMetaData.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\Microsoft Games\Purble Place\it-IT\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGACCBAR.XML	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCINFO.XML	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\gadget.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\Microsoft Games\Hearts\ja-JP\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\Microsoft Games\Hearts\en-US\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\gui\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287643.JPG	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\gadget.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-threaddump.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341551.JPG	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SLERROR.XML	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\en-US\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FOLDPROJ.XML	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\Windows NT\Accessories\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Opulent.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\SplashScreen.zip	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe

Drops file in Windows directory 64 IoCs

Processes:

VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe

description	ioc	process
File created	C:\Windows\winsxs\amd64_microsoft-windows-dfsui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_51c8fed88c8e60c9\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-f..ruetype-plantagenet_31bf3856ad364e35_6.1.7600.16385_none_47246d9331e672af\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..tconfigui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_2af0d848ad52e8fc\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A3ec156ec#\cbb4f480c352330ac27703c88c325102\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\amd64_prnin002.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_723fbddbd06f9d9d\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-shgina.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0c89ee2440f1c83e\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-cipher.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2ad81c37c8b2d579\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpl7700t.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-taskscheduler-netapi_31bf3856ad364e35_6.1.7601.17514_none_0bc8278396499fd1\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-audio-dmusic.resources_31bf3856ad364e35_6.1.7600.16385_it-it_62a4a660551070f7\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..erbox-isv.resources_31bf3856ad364e35_6.1.7600.16385_it-it_0773dfff86ec05f8\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-fax.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4edc0ef992cd291d\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..-kerberos.resources_31bf3856ad364e35_6.1.7600.16385_es-es_da72f5ce3701dc1f\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-virtualdiskservice_31bf3856ad364e35_6.1.7600.16385_none_d1346e9948c064db\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\assembly\GAC_MSIL\sysglobl.resources\2.0.0.0_ja_b03f5f7f11d50a3a\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-f..truetype-angsananew_31bf3856ad364e35_6.1.7600.16385_none_bfea396e1dabb335\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..providers.resources_31bf3856ad364e35_6.1.7601.17514_it-it_ffb4f54190f8ceba\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\x86_fundisc_31bf3856ad364e35_6.1.7600.16385_none_7bbac4fb9c3625c6\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-uxtheme.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6d057f90b91b6b1f\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..coreinstrumentation_31bf3856ad364e35_6.1.7600.16385_none_5c5b3d3cf793517b\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sstext3d.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e5626780fc684f08\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\amd64_prnlx002.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b09707cd8bcb5571\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\mcstore\67c2902f53638a9056174f6130a8bde7\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-qwave.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5f55efd9e512ef9f\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-l..epremiumn.resources_31bf3856ad364e35_6.1.7601.17514_it-it_f8991f7ac69b7211\license.rtf	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..l-keyboard-00000407_31bf3856ad364e35_6.1.7600.16385_none_5034eb58b0939d56\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_lv-lv_78d638193a788fc5\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nshhttp_31bf3856ad364e35_6.1.7600.16385_none_cfa2188b8e2b7460\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\amd64_prnky005.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3618853d71ecb116\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..igbackend.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18db329f47f1dede\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-tpm-tbs-core.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1015113591b29ad5\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\assembly\GAC_MSIL\WindowsFormsIntegration\3.0.0.0__31bf3856ad364e35\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\inf\aspnet_state\001F\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-f..libraries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bea9fe0db5a8675c\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..iagnostic.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_1067418722f484a3\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\amd64_server-help-chm.rsop.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f2be05771884bd72\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_ro-ro_ccd1c51fc6ac7e26\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-xpsifilter.resources_31bf3856ad364e35_6.1.7600.16385_en-us_11230658aca32020\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\x86_netfx-mscorsn_dll_b03f5f7f11d50a3a_6.1.7600.16385_none_6adff9151d65c2d5\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-font-bitmap-ms_serif_31bf3856ad364e35_6.1.7600.16385_none_2670fbc842c5cd2f\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..xecutable.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e1409bffe3d7d822\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..tion-core.resources_31bf3856ad364e35_6.1.7600.16385_es-es_843505044e632a49\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.Resources\1.0.0.0_it_31bf3856ad364e35\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..xperience.resources_31bf3856ad364e35_6.1.7600.16385_it-it_87f448089767c84d\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-charmap_31bf3856ad364e35_6.1.7600.16385_none_f230138205aebc59\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\msil_microsoft.security...ionwizard.resources_31bf3856ad364e35_6.1.7600.16385_en-us_05e68920d136758f\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\msil_microsoft.windows.smc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_afe6b6337c288414\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\msil_system.web.abstractions.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_55d5614ac934fcac\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Data.Entity.Design.resources\3.5.0.0_fr_b77a5c561934e089\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\amd64_v_mscdsc.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ddbef999316e22d8\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\amd64_wcf-system.io.log_b03f5f7f11d50a3a_6.1.7600.16385_none_6747ad3062edf0b3\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\amd64_server-help-h1s.itpro.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e44198af5e65ec78\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-winsrv-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_62a14f86602a99f5\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-cpfilters.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8472b0ec467fd631\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..-jscript9.resources_31bf3856ad364e35_11.2.9600.16428_en-us_c41240c98d1ec221\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_aeae15a0d7fc043a\gadget.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..ditevtlog.resources_31bf3856ad364e35_6.1.7600.16385_es-es_59a756fabb56ede3\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-dskquota.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5cf9a5db794cb010\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..statement.resources_31bf3856ad364e35_6.1.7601.17514_de-de_e566a189254450cd\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..henticationbinaries_31bf3856ad364e35_6.1.7601.17514_none_7ec36f4d129aab09\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\amd64_umpass.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2587d188972e129d\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\diagnostics\system\Device\de-DE\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-directx-directinput_31bf3856ad364e35_6.1.7600.16385_none_798d0be3255fc46e\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_f690a24db584a4bb\license.rtf	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe

Modifies registry class 10 IoCs

Processes:

VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BPFYNFHUWPHNSDE\DefaultIcon	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BPFYNFHUWPHNSDE\shell\open\command	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BPFYNFHUWPHNSDE\shell	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BPFYNFHUWPHNSDE\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\u08hwRO9h74aYk9.exe"	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.LOCKFILE\ = "BPFYNFHUWPHNSDE"	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BPFYNFHUWPHNSDE	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BPFYNFHUWPHNSDE\ = "CRYPTED!"	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BPFYNFHUWPHNSDE\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\u08hwRO9h74aYk9.exe,0"	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BPFYNFHUWPHNSDE\shell\open	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.LOCKFILE	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe

C:\Users\Admin\AppData\Local\Temp\VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt

Filesize
630B

MD5
97d61dd38158163712ff1f93b02185dc

SHA1
aeeff9e4e9c82b7093cb222e038c1a6fcfcf06a3

SHA256
87c7671f844922e5d75372ff60271462c1f19105dce05c36a49bcbb6f93284d9

SHA512
23b9a3da5c54e3528e79ef2529619e9a3828eb049baa59a0f67c6102179f134fcde03f30d8d36b2078e89fd6a28fc107a9c03814cd0ceb32e70495f36eb1655d

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.XML

Filesize
39KB

MD5
336688dcdf952ace69dfc204415d8273

SHA1
19e958a02aface3727c9de307f713a40c20ad3e7

SHA256
c7f0ae450811a4786c007f88097da6120b1ec506286e9a5875624987d195831e

SHA512
2bf303045f2be9475b9458ba79cecb8ee0aaa5fac0b822e54d4b3c2ef8ccfe5f4ed4c00c30744f171635e526df32588a681cbda056c1061f720beecdc5b3f64c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
ff592bc169552829773d00d09875ea30

SHA1
647881352b484e6d263d65b7f13b0a610ea7ea3b

SHA256
51e0ea20015ff9a344b8cd07c79a6d2ffbf8f6bc6a6dd0a91952b2528abdd2d7

SHA512
02aa598647a87f3ab8e95dba9c29f7f1fa8d4c9bf168b8004671e78afebdfcdb828acaaf599201597fe94bad83a66bc8b94b27a62b1daa3c3bcbcc75a8e8076b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
b4bd9236ebd2106184de8d1d866df857

SHA1
e652e837c39ac98d2e3162e11d4c93bd6e7c7761

SHA256
4c046a1e5d6c76fdfa7592bfc104a8667d72ef62d962742845043da7c7290e91

SHA512
2feff093ce211e1e6068947a7f2bf0368d3d7ce36e52366f21f6c542e422c5e68b3536f8618c3c4c96133c10cb9ea588b55d32fe56052c4a5e7f81e67b937450

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
092dfc02d4a10ba133d8d32ec96f5a5f

SHA1
e9aefa4fdc1d0494c8914c55f3f23debf02d2b7e

SHA256
7079605fc6865f78b9ac9d6ff2c8611fa0804213adf9f628cd065e8df92eb89c

SHA512
694f47c6cd12c070e68e82f74cdd4d3e233bcfb9d4bc2d757cb81a2a67c46c29095f078917681ccb327e3c03f577f280e33d697b5f4ffa4a40b8cd51cacb60bf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
6ca80853ad63c3339a3e86f0032c366a

SHA1
f289a7affb66e23f21261f21b603f386d72c86fd

SHA256
58b2aa242e7c29fa3369b83ad415d3fc309c761c2ea47506a692886f4e58ae52

SHA512
a26f9c0c0f2d11826985672ef4333177664601c31a81cc3bcb4ca99bb0e1837d991983ab8685f222777375cd58a53a086cd8f0b3d5e42e41ce70260470359674

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml

Filesize
247KB

MD5
a872098140c349bda5a42936de3c4a7d

SHA1
d1f4923183c746b1f42e2906973d0b461d177570

SHA256
132d6d5bfbec90d71a799d84873f229b3c814cd3d3e272f18fd1bd9c107b39b3

SHA512
92885a56ca9d086369e929e174b24bf29d584e6b1ece54a1b9ed709dbf2c519fe17bd927c5fa396ac403461a272da2743995a97cab5eb8e5e9a7850f69916906

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML

Filesize
807B

MD5
5f82b0c82bdad0e11e88f51f05355f7d

SHA1
580947de3df7699d7dbe92ebad7843b51c3f3856

SHA256
6c95514629cd959497f67c94218163202d04c73dbef409f9b14a8826228ba925

SHA512
d0ecb309b1fa4bc6ab5de4985deb1661304993991a37b2987cac1dfe40074f2596e07dc756f043a8d67eac5e4dfc587b784edfa06432bd111158fc19c4099c8b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML

Filesize
806B

MD5
748a8d140d5194966a250e950d40f441

SHA1
bb586c7edc77bd3887c7e446358c11e4e97174ab

SHA256
e6cbc3509610aa7c637d7d4f83c54be92a918ff4d65fcebea5a1201c1526c57f

SHA512
aef089ce611126d81c85127ac2df2cc981f7b46978b162e391966902f154e8a876fc4d93468e14add06fffaf75506f767205163574ad4efe46c5431ab506c26e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\App_Data\GroupedProviders.xml

Filesize
317B

MD5
5a0b4dd3d8f6fdf54103fd0001816f63

SHA1
a988ebbe0d7c2c876680defbd253b1975457fc7d

SHA256
f3f39acd473189ab9295d2dcf2e6197ba0ab850a82c4aa1ade5592ce1892c38a

SHA512
6bd930896090b729ba992d21481c200cde2177a9dbcd5b7444356d694557f5ee518264f232fff6316fe6f824c1e107c54c330e3823e9f811a39e36f5c0b30d12

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
82c6ac5e46c85206837e131eddfddd83

SHA1
034737421748e5bfafd4e854534f3ad9fc9770c7

SHA256
55cf8a93e707fb1962dcc46766d7c5f0f71b64f332a6117118f94d7cb95ff322

SHA512
914b0c8f1d06e3b0b8c00bda75f227ed3864d048c2f69f0a331cbecef925ce68705afc53cdd041e430ccda931fd2605f5dc579ffe8beaa0acffdf4c51b162eb1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
bbef149c3dcde06a394ba512422af3a9

SHA1
34b0e982f4d5d731de39b322d4824b6af6472627

SHA256
f4097368dc6b67514f2991640d563bb52fc01c7fcda1c29566b9ed7208954cd2

SHA512
595989ecf2d2bea0939dbf57faaa3bfb690166c17fb1d1da27b58871d54b3209d71c6e5489e983e5d6d3ad05fd97bf847a6e11bc9cbc9fcfc9535818b07e08be

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
9ceb184e2a266d3bd7ee49d69f60c0b1

SHA1
85d584f08463901541033025c42cdc2d718f0bf6

SHA256
b7e00794735ca81c2966cc03e93b5880504c98764ad9af3bd273c48c684218c5

SHA512
f9f46dad610a9b033300c22a8373d30165cdfb3175800c4837232f98c6fbcc843b8666b6c3ae313931457b0576b1891cd3a2f9437aa68933d70d52a3751463b6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\security_watermark.jpg

Filesize
49B

MD5
bd6fc9ca96698344936b22ccef4ba428

SHA1
49fc5c771601ed5e3897908cf8b83b546821a6be

SHA256
1003f1a53667e28e7952335498bdedd3377eae435189df01235b6602a5654823

SHA512
095c01770b4f4e9f9fcb29c0ce290043f5c1de9c7b9767e7dd889aa25f3c103ac2dc8de5258a639aea477f649aaeb14687767a9912d6326503019369a1ed8ba6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
546aaf9ef3bd5a5d57584730e8aa12da

SHA1
009188fede09461fdeb7b7138bd47b4bce60a6c2

SHA256
fdd0d7552e874aa61d24a097fd9c297616d4e0ef684906a17c8c9425bed52c00

SHA512
5d6fd8a6332055afa3fcbc74a08638184bd322fc0d3da5180314438a6eb6e120b5d09c9fa0b89cea949a562522b16b9b7d49fa9a30438f0501a589c1d2f7bd2c

Download Submit