lockfile | f70006713d13499db25cb78e7831a300457f83248cc8a245de67b180c607713e

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2024 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
Size

1.8MB
MD5

a47562ddb085ab39b821c1d8ab078edf
SHA1

0d4e8e5549105ee8527c058dce6c390616ad14a3
SHA256

f70006713d13499db25cb78e7831a300457f83248cc8a245de67b180c607713e
SHA512

18b3ff273024fdd98f2eacc9825316a97ae9809d127ae4d16a6613a9093fa94804c736cdb4edef814ef76c92a2f8c5b640ce4d2b7b76e339fe581667189a29f7
SSDEEP

24576:dnA1KgRYWHEvtd8LHhFJpxjMnA1KgRYWHEvtd8LHhFJpxjJ:m1K5ve1K5v

Score

10^/10

lockfile ransomware spyware stealer

Malware Config

Signatures

LockFile
LockFile is a new ransomware that emerged in July 2021 with ProxyShell vulnerabilties.
ransomware lockfile
Renames multiple (507) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 7 IoCs

Processes:

VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\en-US\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\drivers\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe

Drops startup file 1 IoCs

Processes:

VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 64 IoCs

Processes:

VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\msux64w10.inf_amd64_5aa81644af5957b3\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwew00.inf_amd64_325c0bd6349ed81c\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\smrvolume.inf_amd64_9a3d52a168ca8fee\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.ppt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\en-US\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WindowsOptionalFeature\es-ES\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\idtsec.inf_amd64_9321d33f1997dbfd\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\adp80xx.inf_amd64_efb36fdc260e8bc8\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netl260a.inf_amd64_783312763f8749c7\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netsstpa.inf_amd64_e76c5387d67e3fd6\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wsynth3dvsc.inf_amd64_1a08a3b6cd493e1f\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\fr-FR\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Dism\fr\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ArchiveResource\de-DE\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\ar-SA\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\winrm\0411\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForSome\fr-FR\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\megasr.inf_amd64_72258921635be994\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR-pipelineconfig.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\Dism\en-US\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmati.inf_amd64_16fbf6520a254fad\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\Volume\Professional\license.rtf	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\IME\IMEJP\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\Professional\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\MUI\0409\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\fr-FR\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_unknown.inf_amd64_9f92c189b415c003\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_extension.inf_amd64_7891c7d003f5e96b\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wpdcomp.inf_amd64_d5fc5f7282c9bafb\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\Volume\Professional\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\Speech\Engines\TTS\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\bthprint.inf_amd64_d3a88fe647d71206\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mlx4_bus.inf_amd64_4c426f3bebc68844\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net7800-x64-n650f.inf_amd64_178f1bdb49a6e2fd\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbvbda.inf_amd64_06bc8afcd2617abf\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\IME\IMEKR\APPLETS\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\de-DE\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RoleResource\en-US\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_scsiadapter.inf_amd64_efffb8c026d3abc5\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hidbatt.inf_amd64_a6fa9bcee39a694f\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rt640x64.inf_amd64_8984d8483eef476c\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wmiacpi.inf_amd64_4ab67656039b026b\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\fr\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_GroupResource\es-ES\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ServiceResource\fr-FR\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ehstorpwddrv.inf_amd64_220e4fad6c84d016\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hidbth.inf_amd64_76fb27776958e530\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msclmd.inf_amd64_d677afecc5e43162\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\en-GB\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedAccess\de-DE\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSecurity\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SysWOW64\DriverStore\fr-FR\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_nettrans.inf_amd64_b6d30279f382fa4b\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_linedisplay.inf_amd64_a720ddb820f10790\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmnis3t.inf_amd64_9f214efed426c12a\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmusrgl.inf_amd64_19bd1d6c2b642b6f\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_cashdrawer.inf_amd64_a648ee708660440c\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe

Drops file in Program Files directory 64 IoCs

Processes:

VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe

description	ioc	process
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\ConnectionManager.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pt-br\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\AppxManifest.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\en-us\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-ae\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\fr-FR\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\BuiltinFormsMathQuiz.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square150x150\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\uk-ua\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-tw\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-ae\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\AppxManifest.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\themes\dark\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ru-ru\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-sl\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN022.XML	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\Win10\MicrosoftSolitaireMedTile.scale-125.jpg	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_~_8wekyb3d8bbwe\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nl-nl\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32mui.msi.16.en-us.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemuiset.msi.16.en-us.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL002.XML	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\PHONE.XML	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FirstRunMailBlurred.layoutdir-LTR.jpg	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL081.XML	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PG_INDEX.XML	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\da-dk\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe

Drops file in Windows directory 64 IoCs

Processes:

VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe

description	ioc	process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-holosi-desktop_31bf3856ad364e35_10.0.19041.264_none_d31605ebc4ac5ad1\r\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..pc-mathinputcontrol_31bf3856ad364e35_10.0.19041.746_none_6056b3bf0aef1a0c\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-wlansvc.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_2cdb8a07271f2a87\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-console-host-propsheet_31bf3856ad364e35_10.0.19041.746_none_fbd1acf77c7e8ac8\f\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..rience-program-data_31bf3856ad364e35_10.0.19041.264_none_4f49f316e1e9e24b\r\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ifier-xdv.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_e11772d74888b4df\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-wmpshell_31bf3856ad364e35_10.0.19041.1_none_c1b8673be4ac572f\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..e-runtime.resources_31bf3856ad364e35_10.0.19041.1_es-es_005f51d360ae9f43\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..l-library.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_1fd38ef597aca6d1\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..riencehost.appxmain_31bf3856ad364e35_10.0.19041.610_none_d94fa044111e8308\r\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..extension.resources_31bf3856ad364e35_10.0.19041.1_it-it_2d7286fb5d9f709c\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-coreshell_31bf3856ad364e35_10.0.19041.264_none_1fd47893ba1e50dd\f\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-directory-services-sam_31bf3856ad364e35_10.0.19041.1202_none_26ae8647562ae5ff\r\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ie-controls.resources_31bf3856ad364e35_11.0.19041.1_es-es_9796fd25c24189a3\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wusa.resources_31bf3856ad364e35_10.0.19041.1_de-de_772bd021fa226749\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-c..tionauthorityclient_31bf3856ad364e35_10.0.19041.1202_none_56928cb8263ea1bc\f\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..e-coretipjpnprofile_31bf3856ad364e35_10.0.19041.844_none_ca25fb15912e9418\f\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..es-smartcards-winrt_31bf3856ad364e35_10.0.19041.746_none_282a458c09a25989\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-syncres.resources_31bf3856ad364e35_10.0.19041.1_da-dk_33cbe84769454035\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_10.0.19041.746_none_af27db7894cefc18\f\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..onssettingshandlers_31bf3856ad364e35_10.0.19041.746_none_5e11b383da65f363\r\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-help-credits.resources_31bf3856ad364e35_10.0.19041.1_en-us_645dce7b83803912\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_sr-..-rs_b2c524b47939e030\r\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ncrypt.resources_31bf3856ad364e35_10.0.19041.1_de-de_d6fa380a06f7dc67\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-wininit-mof.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_573e4543e4139a9a\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Workflow.Runtime.Resources\3.0.0.0_es_31bf3856ad364e35\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_dual_c_processor.inf_31bf3856ad364e35_10.0.19041.1_none_de78e0620ee202eb\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devices-lowlevel-winrt_31bf3856ad364e35_10.0.19041.264_none_0852b5eb9c988a9d\r\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_9d4111d99a4c2411\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mmsys.resources_31bf3856ad364e35_10.0.19041.1_it-it_48db1b368bd6ab4e\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-networkprofile_31bf3856ad364e35_10.0.19041.906_none_56bfdfa2d4d49724\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File opened for modification	C:\Windows\PLA\Reports\es-ES\Report.System.Memory.xml	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\SystemResources\Windows.Foundation.Diagnostics.ErrorDetails\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_dual_tdibth.inf_31bf3856ad364e35_10.0.19041.1_none_db278b776058dc9a\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.DeveloperLicense.Commands.Resources\v4.0_10.0.0.0_it_31bf3856ad364e35\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-compact.resources_31bf3856ad364e35_10.0.19041.1_es-es_837f50ec1ac3b86c\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-blb-cli-main_31bf3856ad364e35_10.0.19041.1202_none_c0150a0a443c0ffc\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-m..ents-mdac-ado15-dll_31bf3856ad364e35_10.0.19041.264_none_f4672dbb03e8cb07\f\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-msmq-triggers-runtime_31bf3856ad364e35_10.0.19041.746_none_371e9f62a4194eb2\r\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..repairbde.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5dd1459e7e748169\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wbiosrvc.resources_31bf3856ad364e35_10.0.19041.423_en-us_c99b855b8edbac2b\f\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_windows-gaming-prev..esenumeration-winrt_31bf3856ad364e35_10.0.19041.746_none_2bbb54816cbc0b6a\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-appwiz_31bf3856ad364e35_10.0.19041.746_none_f4142d9bba162d05\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.CertificateServices.PKIClient.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-eventcollector_31bf3856ad364e35_10.0.19041.1_none_b0feb06b14107c04\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ation-net.resources_31bf3856ad364e35_10.0.19041.1_es-es_48e80aba2573bec1\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-basedependencies_31bf3856ad364e35_10.0.19041.546_none_eaefe316bbff74b2\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devicecenter_31bf3856ad364e35_10.0.19041.746_none_90b2aaec923e877b\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-user32.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_a0c68282f1d48a8a\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-adminmmc_31bf3856ad364e35_10.0.19041.1_none_9da8f6be034114e3\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_wvmbushid.inf.resources_31bf3856ad364e35_10.0.19041.1_de-de_9422beb194a94204\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-c..urces-applicability_31bf3856ad364e35_10.0.19041.1_none_f4d32023b58d3ba5\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-f..mutilityrefslibrary_31bf3856ad364e35_10.0.19041.1_none_bc3e8d1622d4f872\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_dual_wvpci.inf_31bf3856ad364e35_10.0.19041.1_none_1f444c4add774c0c\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_10.0.19041.1_he-il_ff5d4bd40ea89496\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-japanese-dictapi_31bf3856ad364e35_10.0.19041.844_none_aa528d4e74431172\f\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-n..nosticsframeworkapi_31bf3856ad364e35_10.0.19041.746_none_133fa5a93e4dd152\r\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..calaccountmigplugin_31bf3856ad364e35_10.0.19041.746_none_bd71aec15d49459b\f\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-explorer.resources_31bf3856ad364e35_10.0.19041.1023_en-us_851ee7fd5d26f8f7\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-n..ider-infrastructure_31bf3856ad364e35_10.0.19041.546_none_946b321b2260f332\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-m..-activesyncprovider_31bf3856ad364e35_10.0.19041.1_none_7fb0c524ca84ff0f\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-cmi_31bf3856ad364e35_10.0.19041.746_none_87c79514b95a235e\r\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..te-orchestratorcore_31bf3856ad364e35_10.0.19041.264_none_64b3f487e354744d\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
File created	C:\Windows\WinSxS\amd64_netrasa.inf.resources_31bf3856ad364e35_10.0.19041.1_it-it_c3edaa7223003a51\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe

Modifies registry class 10 IoCs

Processes:

VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.LOCKFILE	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.LOCKFILE\ = "BPFYNFHUWPHNSDE"	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BPFYNFHUWPHNSDE\DefaultIcon	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BPFYNFHUWPHNSDE\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\u08hwRO9h74aYk9.exe,0"	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BPFYNFHUWPHNSDE\shell\open\command	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BPFYNFHUWPHNSDE\shell\open	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BPFYNFHUWPHNSDE	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BPFYNFHUWPHNSDE\ = "CRYPTED!"	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BPFYNFHUWPHNSDE\shell	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BPFYNFHUWPHNSDE\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\u08hwRO9h74aYk9.exe"	VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe

C:\Users\Admin\AppData\Local\Temp\VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_a47562ddb085ab39b821c1d8ab078edf.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:3632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\ÄÅÁËÎÊÈÐÎÂÊÀ ÔÀÉËÎÂ.txt

Filesize
630B

MD5
97d61dd38158163712ff1f93b02185dc

SHA1
aeeff9e4e9c82b7093cb222e038c1a6fcfcf06a3

SHA256
87c7671f844922e5d75372ff60271462c1f19105dce05c36a49bcbb6f93284d9

SHA512
23b9a3da5c54e3528e79ef2529619e9a3828eb049baa59a0f67c6102179f134fcde03f30d8d36b2078e89fd6a28fc107a9c03814cd0ceb32e70495f36eb1655d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

Filesize
340KB

MD5
5f08f9df18f64da4f044bad065818000

SHA1
e9325b3aad6fb618de8be9b4a5beb46380cfcb56

SHA256
e2834020cb008ae22e83b2bf7c684e46e595d4a00383dc751d2564363f3a529a

SHA512
f2a65faff709487a33131107de3972e9e46a8575cf24a8fe79a6e565037264281e04f4729f869b8e538f5ae241066d4fddbcbfe2ea734a0e42de3d813ec29d6f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_Data\GroupedProviders.xml

Filesize
317B

MD5
5a0b4dd3d8f6fdf54103fd0001816f63

SHA1
a988ebbe0d7c2c876680defbd253b1975457fc7d

SHA256
f3f39acd473189ab9295d2dcf2e6197ba0ab850a82c4aa1ade5592ce1892c38a

SHA512
6bd930896090b729ba992d21481c200cde2177a9dbcd5b7444356d694557f5ee518264f232fff6316fe6f824c1e107c54c330e3823e9f811a39e36f5c0b30d12

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
82c6ac5e46c85206837e131eddfddd83

SHA1
034737421748e5bfafd4e854534f3ad9fc9770c7

SHA256
55cf8a93e707fb1962dcc46766d7c5f0f71b64f332a6117118f94d7cb95ff322

SHA512
914b0c8f1d06e3b0b8c00bda75f227ed3864d048c2f69f0a331cbecef925ce68705afc53cdd041e430ccda931fd2605f5dc579ffe8beaa0acffdf4c51b162eb1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
bbef149c3dcde06a394ba512422af3a9

SHA1
34b0e982f4d5d731de39b322d4824b6af6472627

SHA256
f4097368dc6b67514f2991640d563bb52fc01c7fcda1c29566b9ed7208954cd2

SHA512
595989ecf2d2bea0939dbf57faaa3bfb690166c17fb1d1da27b58871d54b3209d71c6e5489e983e5d6d3ad05fd97bf847a6e11bc9cbc9fcfc9535818b07e08be

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
9ceb184e2a266d3bd7ee49d69f60c0b1

SHA1
85d584f08463901541033025c42cdc2d718f0bf6

SHA256
b7e00794735ca81c2966cc03e93b5880504c98764ad9af3bd273c48c684218c5

SHA512
f9f46dad610a9b033300c22a8373d30165cdfb3175800c4837232f98c6fbcc843b8666b6c3ae313931457b0576b1891cd3a2f9437aa68933d70d52a3751463b6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\security_watermark.jpg

Filesize
49B

MD5
bd6fc9ca96698344936b22ccef4ba428

SHA1
49fc5c771601ed5e3897908cf8b83b546821a6be

SHA256
1003f1a53667e28e7952335498bdedd3377eae435189df01235b6602a5654823

SHA512
095c01770b4f4e9f9fcb29c0ce290043f5c1de9c7b9767e7dd889aa25f3c103ac2dc8de5258a639aea477f649aaeb14687767a9912d6326503019369a1ed8ba6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
546aaf9ef3bd5a5d57584730e8aa12da

SHA1
009188fede09461fdeb7b7138bd47b4bce60a6c2

SHA256
fdd0d7552e874aa61d24a097fd9c297616d4e0ef684906a17c8c9425bed52c00

SHA512
5d6fd8a6332055afa3fcbc74a08638184bd322fc0d3da5180314438a6eb6e120b5d09c9fa0b89cea949a562522b16b9b7d49fa9a30438f0501a589c1d2f7bd2c

Download Submit
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml

Filesize
62KB

MD5
d63dfe04f005ed75846cf5e822057ae7

SHA1
e4f817021c63e6c585358fcfca32a107a4abeedd

SHA256
582a60a60390cd7b078c158226ca897b02274d0d826c8749b3a38b7b0ac7cd77

SHA512
e421f18414950423704fea20e5cfc4f87e47f5182c76873050aa0e985bb9e867b36d0d8aac778a986aec71718f223c75183fb92aa12b6d300e67b1eb5775990f

Download Submit