08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03-08-2024 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
Size

136KB
MD5

a5c0af52fdb53b6e451736bc3287503d
SHA1

63bc7dce786d3c83783749c700bfda7871f91f1c
SHA256

08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61
SHA512

390fe917b400a472c880c1cefa4ce6f9ed7cda77395365336d6ff4d76827e13eaa1a4ca8a653f73d442cde8c2b51fa17f9c5e566f3f0468abc66604ea21fc723
SSDEEP

3072:x91uZu1iQl0Mep53PKuc7FsTYJ0Fwcl8mcjbuD:x3iMepVPv6mEZfjbU

Score

9^/10

discovery ransomware spyware stealer

Malware Config

Signatures

Renames multiple (5240) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\fr-FR\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\drivers\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\drivers\en-US\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\B:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\E:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\H:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\K:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\N:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\O:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\P:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\W:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\Z:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\L:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\Q:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\U:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\Y:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\I:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\R:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\T:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\A:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\G:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\J:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\M:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\S:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\X:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc007.inf_amd64_neutral_2df575afa0f7d35f\Amd64\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\Ultimate\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-IIS-DL\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened for modification	C:\Windows\SysWOW64\es\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnnr004.inf_amd64_neutral_3319ff2548f89fd8\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\Setup\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wudfusbcciddriver.inf_amd64_neutral_adc3e4acb1046b4b\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiacn001.inf_amd64_neutral_b7a0b2f53d745b5a\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-MediaPlayer\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\DriverStore\FileRepository\amdsbs.inf_amd64_neutral_5cae6933bef20aa8\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\DriverStore\FileRepository\iirsp.inf_amd64_neutral_25c14d33af7f54f1\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\DriverStore\FileRepository\memory.inf_amd64_neutral_c2d2c213c3138487\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_neutral_0383c5de75359695\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\de-DE\adsnt.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\de-DE\CSRR.rs.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\DriverStore\de-DE\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened for modification	C:\Windows\SysWOW64\migration\WSMT\rras\dlmanifests\Microsoft-Windows-RasServer-MigPlugin\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\de-DE\perfctrs.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\migration\it-IT\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\de-DE\mciwave.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened for modification	C:\Windows\SysWOW64\XPSViewer\it-IT\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\UltimateN\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\de-DE\fdeploy.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened for modification	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\de-DE\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\HomePremium\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc302.inf_amd64_ja-jp_64ee91a0bf7b132c\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\de-DE\fltlib.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx009.inf_amd64_neutral_d4b76afd08f308fb\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\DriverStore\FileRepository\monitor.inf_amd64_neutral_ab477c4d805d044f\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnky009.cat.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\UltimateE\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Server-Help-Package.ClientUltimate~31bf3856ad364e35~amd64~~6.1.7600.16385.cat.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\ProfessionalE\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\HomePremiumE\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\HomePremiumE\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\DriverStore\FileRepository\1394.inf_amd64_neutral_0b11366838152a76\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00c.inf_amd64_neutral_79ebe29715d2fa47\Amd64\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~ru-RU~7.1.7601.16492.cat.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\EnterpriseE\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\Professional\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened for modification	C:\Windows\SysWOW64\migration\es-ES\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\de-DE\telephon.cpl.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-UIAnimation-WinIP-Package~31bf3856ad364e35~amd64~ro-RO~7.1.7601.16492.cat.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky303.inf_amd64_ja-jp_b054bb0d59e0a3ad\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnhp002.cat.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\DriverStore\it-IT\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened for modification	C:\Windows\SysWOW64\wbem\de-DE\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\de-DE\UIRibbon.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\de-DE\WLanConn.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep00c.inf_amd64_neutral_f0d9ddf52f04765c\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\de-DE\dccw.exe.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\de-DE\ndptsp.tsp.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\de-DE\Ribbons.scr.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-WinIP-Package~31bf3856ad364e35~amd64~uk-UA~7.1.7601.16492.cat.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~pl-PL~7.1.7601.16492.cat.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Shell-WinIP-Package~31bf3856ad364e35~amd64~tr-TR~7.1.7601.16492.cat.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\Speech\SpeechUX\de-DE\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\de-DE\rascfg.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prngt004.inf_amd64_neutral_f5bf8a7ba9dfff55\Amd64\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\de-DE\cryptxml.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\0008\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\tipresx.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector_1.0.200.v20131115-1210.jar.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\eclipse_1665.dll.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-common.jar.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\gadget.xml.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-dialogs.jar.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.properties.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Java\jre7\bin\server\Xusage.txt.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_fr.properties.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\BackupStep.vsdm.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_zh_CN.jar.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin_2.0.100.v20131209-2144.jar.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\7-Zip\descript.ion.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerConstraints.exsd.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_ja_4.4.0.v20140623020002.jar.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_ja_4.4.0.v20140623020002.jar.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_ja_4.4.0.v20140623020002.jar.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_zh_CN.jar.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Common Files\System\MSMAPI\1033\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.runtime_0.10.0.v201209301036.jar.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_zh_4.4.0.v20140623020002.jar.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\settings.html.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Java\jre7\bin\JAWTAccessBridge-64.dll.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tiptsf.dll.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-coredump.jar.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Java\jre7\lib\jfr\default.jfc.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.properties.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluHandle.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_microsoft-windows-msvcrt_31bf3856ad364e35_6.1.7600.16385_none_2d4a27c7b8972454\msvcrt.dll.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\msil_microsoft.build.utilities_b03f5f7f11d50a3a_6.1.7601.17514_none_b665d13b61a8309e\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ieframe.resources_31bf3856ad364e35_8.0.7600.16385_es-es_aa22426fa62ad67b\ieframe.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ipconfig.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1ec2af16702e7c60\ipconfig.exe.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..vice-core.resources_31bf3856ad364e35_6.1.7600.16385_it-it_56a5da96772236df\TableTextService.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_brmfcmf.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_3d9cde89377074a6\BrParwdm.sys.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-com-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e3e16a4b19f6d518\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-efs-rekeywiz.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b7cc233347082bfc\rekeywiz.exe.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-legacysnapin_31bf3856ad364e35_6.1.7601.17514_none_e99b83c8fd064a06\certobj.dll.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-dsquery.resources_31bf3856ad364e35_6.1.7600.16385_es-es_56b0be8dc9d3b02a\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9162dff52c1fa7f0\modemui.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\Boot\EFI\nl-NL\bootmgfw.efi.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-o..sc-style-rectangles_31bf3856ad364e35_6.1.7600.16385_none_258f1924c482b7a1\NavigationUp_ButtonGraphic.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_server-help-chm.msmq.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_6f8ff98337d0ba61\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-skins_31bf3856ad364e35_6.1.7601.17514_none_07872798f0125495\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..tcpip-pro.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9eff732a4b9ce52f\nettcpip.inf_loc.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-adsicompatibility_31bf3856ad364e35_6.1.7600.16385_none_4de4cd032f6d4661\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mapi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8160a05c5cadb3ea\mapistub.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.17932_none_0ca1c10dda240617\api-ms-win-core-rtlsupport-l1-1-0.dll.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\Cursors\aero_working_xl.ani.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_hr-hr_8e0722e24d7b68f8\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..oundation.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ea6967d5d5c25c68\rrinstaller.exe.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_wiabr004.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4fa7e0027b0caa12\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\msil_microsoft.build.framework_b03f5f7f11d50a3a_3.5.7600.16385_none_e2ba41fc43a04b06\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-u..rsalcrt-apifwd-win7_31bf3856ad364e35_6.1.7601.23175_none_4e12eb8b85dd5f41\api-ms-win-crt-multibyte-l1-1-0.dll.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..foldersui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_69e2b174276cdf01\shrpubw.exe.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ity-vault.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a593e68535187f90\VaultCmd.exe.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_8.0.7601.17514_none_ba5b5f24d6255a6a\occache.dll.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..onal-codepage-20105_31bf3856ad364e35_6.1.7600.16385_none_51440d1748090239\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..iagnostic.resources_31bf3856ad364e35_6.1.7601.17514_en-us_74a07663e30b3b7f\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..rvice_mof.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_23a966a2fe2f7ffb\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..oundation.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8d20ddd4c89472ca\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ipnat.resources_31bf3856ad364e35_6.1.7600.16385_en-us_403d5e98a5c3edc2\ipnat.sys.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-r..lperclass.resources_31bf3856ad364e35_6.1.7600.16385_de-de_2153b2426744fbd8\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..shell-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c8cd55f1ff8746c4\TabletShell.adml.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_prnca00f.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4c3783d14969e75\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_setup-uxwizard-clientimages_31bf3856ad364e35_6.1.7600.16385_none_a4cc3ba14850df9e\background.bmp.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Tpm.Resources\6.1.0.0_ja_31bf3856ad364e35\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\inf\ASP.NET\0008\aspnet_perf2.ini.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_mdmbr002.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1ce68d7a186ca70f\BrSerIb.sys.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..rolviewer.resources_31bf3856ad364e35_8.0.7600.16385_ja-jp_ebd4fe765239878a\occache.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_prnlx00z.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_eb2d4d39f1b51cb4\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_prnin004.inf_31bf3856ad364e35_6.1.7600.16385_none_122e6271fec9f455\Amd64\IF3172E3.PPD.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-imagesp1.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d258835a89ea6715\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..e-utility.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5642a66333c4b1ea\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_ipbusenum.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0dabd93612b32e3d\IPBusEnum.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..w-dvdplay.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7e8e8dd38abf1dee\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-display.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_263d9eada51ba1c4\Display.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_prnle004.inf_31bf3856ad364e35_6.1.7600.16385_none_3c624bcdff41cce3\Amd64\LN1321E3.PPD.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-n..e_runtime.resources_31bf3856ad364e35_6.1.7600.16385_de-de_4a34aadde044e1d9\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_battery.inf.resources_31bf3856ad364e35_6.1.7601.17514_de-de_1a26ec2c61b5f71e\battc.sys.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_machine.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_cfd24b52c4fcac7d\AGP440.sys.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-controls.resources_31bf3856ad364e35_8.0.7600.16385_it-it_b14319ee12c12055\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_04801f69e1dbd8e6\msmq-routing-DL.man.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_server-help-chm.pmc_lh.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_61878a5af412211d\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-msf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_af672f3decf4e4b1\WinSyncMetastore.rll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_6.1.7600.16385_none_59590e92c817a4e0\vga932.fon.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ent-sku-homepremium_31bf3856ad364e35_6.1.7601.17514_none_8d32f6bc0f6a779e\Security-SPP-Component-SKU-HomePremium-OEM-SLPCOA1-ul-phn.xrm-ms.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ols-klist.resources_31bf3856ad364e35_6.1.7600.16385_it-it_15edb5b7bb076ec7\klist.exe.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..-tlntsess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_fd33bce463e19a36\tlntSess.exe.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_prnca00x.inf_31bf3856ad364e35_6.1.7600.16385_none_e90677c70609283c\Amd64\CNBP2.DAT.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\x86_regsvcs_b03f5f7f11d50a3a_6.1.7601.17514_none_be8bab32249b2a4e\RegSvcs.exe.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..-mcupdate.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8b5a4cefe14d8ba7\mcupdate.exe.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\Ringtone 10.wma.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2740	2876	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe	31
PID 2876 wrote to memory of 2740	2876	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe	31
PID 2876 wrote to memory of 2740	2876	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe	31
PID 2876 wrote to memory of 2740	2876	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe	31

C:\Users\Admin\AppData\Local\Temp\08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
"C:\Users\Admin\AppData\Local\Temp\08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
  "C:\Users\Admin\AppData\Local\Temp\08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe" --food
  2⤵
  - Drops file in Drivers directory
  - Drops startup file
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui.sola

Filesize
3KB

MD5
2cc452a0c0ce7dd0d124f60a28bb9bfd

SHA1
7f6e41eb1e8a5306ec7a3d2c7f004e2b38f06136

SHA256
4ad66435bb65342bf75e4dee8f3373165342e6abd20b4174a772e633206ed2a6

SHA512
62ce2bf6843c94b5e940c8aa891312f33b95e9a6fb10f9973df25d8c0958346fb435878084db855f9405bc0bcaee8cf2f190638f624bd47802dcd35f3067cd19

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tabskb.dll.mui.sola

Filesize
3KB

MD5
6865c75e97ff2216e46a03805ebf6cdc

SHA1
d32fa8ff9fdc985f64b7b16b37d5766bb39e1576

SHA256
541ad5d4251cdd80e02472ffc7059fd56cd762a06cb585a760f459bb0b3b87b5

SHA512
7d8e9dfeb3a46edffa60b8c414d785528ef3ac52688497cbe34de2f426fd318f1a6c76dc153ce4f794b23de483df2524814b80d4ae822d3a579e4bb38a955cf1

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mshwLatin.dll.mui.sola

Filesize
2KB

MD5
b61bab661ba507117ac70c09dd3a5627

SHA1
0827cf6b5fab2f49cbf03d110593d50039cb4cdc

SHA256
ade3afa38bbfaef63c070012ea33494bd8b3fe20ad425fc15ba395e748a95d2a

SHA512
cb046ebe756c3fb92e05229ba0f726e0c9f6f9bc0f58b94ca02648fff52331e6f91dc198f08494fdbe0dc807bd75910fa41a655b6dff81beefadd1ae662d2492

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_zh_CN.jar.sola

Filesize
10KB

MD5
3be9abad9785e2a64d82af409aa6952b

SHA1
8866d077ac3ea38ad3b1c331bb1251b0ace3d837

SHA256
292aefeec32e209c9be9d2c65cad83021d13b950c84de66c44574c7c1867916d

SHA512
2b68d1a77d7604444cfe83ff763773042aa4c720f863dd350b8201446e4255a896590b379c718b6e5c54cb07a76bd3fbacfcd68b7c18cf1ef138896932368f98

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sa.jar.sola

Filesize
33KB

MD5
0879e3f9a34a7e503221a37c0b206060

SHA1
6da894a22ed0776324239fe5d82d7c2c34591625

SHA256
f4890a807f981591ed75e3b65487637c9193126bb19f988365917dae1d72227d

SHA512
27b43954917d0035f672993a8a0ff6704b7893589bf9919dd07a7307cad5d50673d5cfb6f9b8773ba45b79803076ae633cce65b42f4d757002122c5995b9561b

Download Submit
C:\Program Files\Java\jre7\bin\dtplugin\npdeployJava1.dll.sola

Filesize
1.1MB

MD5
5e678b2056a16a12cde8123264313ac7

SHA1
95aedcbebdfd18f37336e7ecef9ddd269744ea4b

SHA256
cc48056186652b27fc03cf9f3105b61cc2968aa222d1f830134723320521610b

SHA512
633dfe3c958d03442321b417ae9045aaee27924ac036417f24a1cb05fcf818eb4b1da36d38cfde760a4dea7c25a3edc76f90219a659a6c1b3a2e47fefd5dc1e7

Download Submit
C:\Users\Admin\Music\README.txt

Filesize
19B

MD5
cd0005971dd81c61d5be812f33a2b35e

SHA1
01f1ad380bb99d1a80e4fc1800c1b4e5f72e19d9

SHA256
e6d506e4376528c4ac030840c4c49d3501b85d1fdd6f367b4c8100c444d528af

SHA512
8b6d984ea0c15851f22fd8ea5f8c7925b2d2caacdd81dc5ed301d71feffb08b71dd95d16dee83c2a945e263e3e7b15e6706e2df691c4462f81aa3bae1821ebad

Download Submit
C:\Users\Admin\Pictures\BlockSubmit.svgz.sola

Filesize
241KB

MD5
6ae66200c765b3d4c3cd43013b90665c

SHA1
b58c0e740d448f0e0ba914cc946d94d9e72b24ff

SHA256
ee90fe5294abaa05de6b58da0e213dbc119d30362074d360dc3445dd94ef0fb1

SHA512
b73551713d7efafccaeadcdfc517a82d358a8f7bb623cfd0f7e7ec9b355e49633b2741800c26995d0fa5fbf23d722ef4331aec35156ce818787a24f5f7534521

Download Submit