08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61

Analysis

max time kernel
95s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/08/2024, 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
Size

136KB
MD5

a5c0af52fdb53b6e451736bc3287503d
SHA1

63bc7dce786d3c83783749c700bfda7871f91f1c
SHA256

08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61
SHA512

390fe917b400a472c880c1cefa4ce6f9ed7cda77395365336d6ff4d76827e13eaa1a4ca8a653f73d442cde8c2b51fa17f9c5e566f3f0468abc66604ea21fc723
SSDEEP

3072:x91uZu1iQl0Mep53PKuc7FsTYJ0Fwcl8mcjbuD:x3iMepVPv6mEZfjbU

Score

9^/10

discovery ransomware spyware stealer

Malware Config

Signatures

Renames multiple (4424) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 16 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\de-DE\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\drivers\en-US\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\drivers\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened for modification	C:\Windows\SysWOW64\drivers\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\drivers\uk-UA\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened for modification	C:\Windows\SysWOW64\drivers\uk-UA\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\G:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\I:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\L:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\O:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\W:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\U:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\X:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\Y:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\B:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\E:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\N:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\P:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\Q:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\H:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\J:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\M:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\S:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\A:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\K:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\R:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\T:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened (read-only)	\??\V:	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManagedEvent.xsd.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\WSClient.dll.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\it-IT\PortableDeviceSyncProvider.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-msmq-mmc-Opt-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RemoteAssistance-Package-Client~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\es-ES\html.iec.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\wbem\ja-JP\hbaapi.mfl.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\wbem\lsasrv.mof.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ArchiveResource\es-ES\ArchiveProvider.psd1.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwtw04.inf_amd64_c8f5ae6576289a2d\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wvmic_kvpexchange.inf_amd64_b3c17aa69dce1e0c\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\it-IT\DevDispItemProvider.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\wbem\fr-FR\PrintManagementProvider.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForSome\ja-JP\MSFT_WaitForSome.schema.mfl.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wvmbushid.inf_amd64_fd2fe159a9daf508\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\en-US\wlanpref.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\en-US\qdv.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\es-ES\eapphost.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NetFx2-OC-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\es-ES\PhoneUtilRes.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\wbem\mispace_uninstall.mof.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_UserResource\uk-UA\MSFT_UserResource.schema.mfl.sola.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_EnvironmentResource\ja-JP\MSFT_EnvironmentResource.strings.psd1.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmcom.inf_amd64_9179c145f01530e4\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net8192se64.inf_amd64_167684f9283b4eca\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\it-IT\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\it-IT\eventvwr.msc.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\wbem\uk-UA\wsp_sr_uninstall.mfl.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PhotoBasic-PictureTools-WOW64-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\es-ES\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\en-US\sysdm.cpl.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\001d\_setup.dll.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\Windows.Devices.Usb.dll.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\DriverStore\FileRepository\dc21x4vm.inf_amd64_3294fc34256dbb0e\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_360f6f3a7c4b3433\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WindowsOptionalFeature\it-IT\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.format.ps1xml.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\es-MX\windows.ui.xaml.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\001a\_setup.dll.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetLbfo\NetLbfo.Types.ps1xml.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_camera.inf_amd64_7b52a9607d24ece6\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nulhpopr.inf_amd64_9839c838c72c0594\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NetFx2-OC-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RegulatedPackages-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\icsxml\pppcfg.xml.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAny\en-US\MSFT_WaitForAny.schema.mfl.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAny\uk-UA\MSFT_WaitForAny.schema.mfl.sola.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_fsantivirus.inf_amd64_632d2ac0d68cf3ed\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RoleResource\es-ES\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedAccess\en-US\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NetFx3-WCF-OC-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\dmscript.dll.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\en-US\apphelp.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\F12\uk-UA\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\MUI\0407\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\en-US\shutdown.exe.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\wbem\WmiPerfClass.dll.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MSMQ-MMC-OptGroup-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Multimedia-MF-WOW64-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\DriverStore\es-ES\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PhotoBasic-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SysWOW64\en-US\StorageContextHandler.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.StackTrace.dll.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\css\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_pl_135x40.svg.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notificationsUI\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.scale-100.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\MedTile.scale-100.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\az.pak.DATA.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-256_altform-unplated_contrast-white_devicefamily-colorfulunplated.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageWideTile.scale-100.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_contrast-white.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireWideTile.scale-100.jpg.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorSmallTile.contrast-white_scale-100.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.contrast-black_scale-100.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_AppList.targetsize-256_altform-unplated.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\text_2x.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\MedTile.scale-100_contrast-black.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\editpdf-tool-view.js.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\TestResults.ps1.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\root\ui-strings.js.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Kiss.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nl-nl\ui-strings.js.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\notifications_emptystate_v3.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Microsoft.Xbox.NetworkTroubleshooter.dll.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\AppxSignature.p7x.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailBadge.scale-150.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_altform-unplated_contrast-black.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-80.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\cs-CZ\View3d\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_zh-HK.json.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\BadgeLogo.scale-100.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon_hover.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.dll.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\AppxSignature.p7x.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\FileAssociation\FileAssociation.targetsize-256.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-125.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-GoogleCloudCache.scale-150.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xecd2.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\bn-BD\View3d\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\IncomingCallBrandingImage.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-100.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-fr\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\Fonts\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeWideTile.scale-200.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-80_altform-lightunplated.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\bg_patterns_header.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageLargeTile.scale-150.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.MsiProvider.dll.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\Xbox360PurchaseControl.xaml.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_altform-unplated_contrast-black.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\TriPeaks.Large.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.scale-125.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-100.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_100_percent.pak.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft.processmi...commands.resources_31bf3856ad364e35_10.0.19041.662_en-us_75c8b66926f181b7\Microsoft.ProcessMitigations.Commands.Resources.dll.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_netfx-dw_b03f5f7f11d50a3a_10.0.19041.1_none_46d7d57b97bd01e0\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\Manifests\amd64_ds-ui-ext.resources_31bf3856ad364e35_10.0.19041.1_it-it_60d1e89763c83318.manifest.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-security-spp-ux_31bf3856ad364e35_10.0.19041.264_none_43f7e9f032144ba9\r\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..n-library.resources_31bf3856ad364e35_10.0.19041.1_it-it_ff5371598d186467\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ndowmanager-process_31bf3856ad364e35_10.0.19041.1_none_e9d80fa364d364ec\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mirage_31bf3856ad364e35_10.0.19041.153_none_918e8a97fe535014\r\Windows.Mirage.dll.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wwanradiomanager_31bf3856ad364e35_10.0.19041.746_none_1e05069df0a0b9fa\f\WwanRadioManager.dll.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1151_none_4e193eb76ed5f8cb\wiashext.dll.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-wininit-mof.resources_31bf3856ad364e35_10.0.19041.1_it-it_b518c636f0f888bf\wininit.mfl.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\wow64_microsoft.powershel..nfigurationprovider_31bf3856ad364e35_10.0.19041.1_none_b9b2391a00849682\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..enhancementoverride_31bf3856ad364e35_10.0.19041.153_none_0e3fe4486908c99e\r\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\MicrosoftEdgeSquare44x44.targetsize-40_altform-unplated.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..-csvlk-pack-license_31bf3856ad364e35_10.0.19041.1266_none_ddea75e4d9c5687b\r\csvlk-pack-Volume-CSVLK-1-ul-phn-rtm.xrm-ms.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-v..ption-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_54c114c0839ba331\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\editor\editor.css.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_xamlbuildtask.resources_31bf3856ad364e35_4.0.15805.0_ja-jp_d0114f6e796ba4f5\XamlBuildTask.resources.dll.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\WsmRes.dll.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_hyperv-integrationservices.resources_31bf3856ad364e35_10.0.19041.1_en-us_ab7bb34f3d804a14\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-l..efault-professional_31bf3856ad364e35_10.0.19041.1288_none_0fb30e7d925e4d06\f\de-license.rtf.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-setup-cleanup_31bf3856ad364e35_10.0.19041.1266_none_ce5bf122dc7af319\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_ro-ro_c00d07e45f7b48b1\bootmgr.exe.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..neservice.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_7de7983f00ca7d74\PhoneServiceRes.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\wow64_microsoft.dtc.power..l.scripts.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_434efec7c11cd27d\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W69ef49d2#\b96e191cd216a150f00fc95c888a9903\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-quiethours.resources_31bf3856ad364e35_10.0.19041.1_it-it_acd68d34a2af5834\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-e..ce-client.resources_31bf3856ad364e35_10.0.19041.1_es-es_ff722c38d8cd03ca.manifest.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-security-credssp_31bf3856ad364e35_10.0.19041.264_none_abee7ca434d21f02\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_windows-storage-applicationdata-winrt_31bf3856ad364e35_10.0.19041.746_none_c26a2c8c35533f3b\r\Windows.Storage.ApplicationData.dll.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-thumbnailcache_31bf3856ad364e35_10.0.19041.1151_none_be3f45bf02b1899b\f\thumbcache.dll.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..component.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d9ef37974bfd71f6\setup.exe.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\Catalogs\0a8453897e1a8f041c5c976db1ef7681804e65084ddbc9e96a6621a954d93f17.cat.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-winsock-legacy-afd_31bf3856ad364e35_10.0.19041.1_none_abccab3287b0a0f6\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AppxSignature.p7x.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-cdp.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_de9fa66f1f114250\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpanel.resources_31bf3856ad364e35_10.0.19041.1_es-es_b2d163cb3c65893d\TipRes.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..policy-admin-appmgr_31bf3856ad364e35_10.0.19041.1_none_baff13d789b7be1b\appmgr.dll.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-usb-ude-classextension_31bf3856ad364e35_10.0.19041.1_none_945b34440635663e\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-spp-pidgenx_31bf3856ad364e35_10.0.19041.1_none_b763e25a6302cca3\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-vault-roaming_31bf3856ad364e35_10.0.19041.746_none_76d4321c51cfc18c\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-speechrecognizer-en-us_31bf3856ad364e35_10.0.19041.1_none_6cffd7588bca3338\l1033.wwd.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-i..httptracingbinaries_31bf3856ad364e35_10.0.19041.1_none_efcca05eeeb0032d\w3core.mof.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-smbserver-v1_31bf3856ad364e35_10.0.19041.1202_none_4eb79644aba9ef70\f\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-twinapi_31bf3856ad364e35_10.0.19041.264_none_993ed006c57fc816\r\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.1266_none_fb76f6fb7e78a373\InputApp\Assets\SquareLogo310x310.scale-100.png.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_windows-application..ardserver.resources_31bf3856ad364e35_10.0.19041.1_de-de_7a55618e3e5c0ccd\ClipboardServer.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_dual_bthoob.inf_31bf3856ad364e35_10.0.19041.1_none_76008bdb531535bf\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-font-vector_31bf3856ad364e35_10.0.19041.1_none_eb85b6448716c892\script.fon.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..e_runtime.resources_31bf3856ad364e35_10.0.19041.1_es-es_a90b951b0d53d04d\iasacct.dll.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-fax-common_31bf3856ad364e35_10.0.19041.1_none_c1f5bc6ceffe0e16\FXSOCM.dll.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_netfx4-_dataoraclec..hared12_neutral_ini_b03f5f7f11d50a3a_4.0.15805.0_none_3acbbf3a213ac4a7\_DataOracleClientPerfCounters_shared12_neutral_d.ini.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\msil_multipoint-wms.coll..lecontrol.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ed04473fa3bed03c\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-management-oobe_31bf3856ad364e35_10.0.19041.207_none_504b6becabbef9fe\oobeautopilotactivation-main.html.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-smbserver-powershell_31bf3856ad364e35_10.0.19041.1_none_12fcd173608a3b6a\Smb.types.ps1xml.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..ormabstractionlayer_31bf3856ad364e35_10.0.19041.746_none_c3385cf17c33cd6e\f\PhonePlatformAbstraction.dll.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-advapi32res.resources_31bf3856ad364e35_10.0.19041.1_es-es_ea0645b3be0d41e9\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-font-truetype-sitka_31bf3856ad364e35_10.0.19041.1_none_9c1fe6045dbd922a\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wmi-jobobject-provider_31bf3856ad364e35_10.0.19041.1_none_1ae0a620c76072bb\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\msil_msbuild.resources_b03f5f7f11d50a3a_3.5.19041.1_fr-fr_666d8bf22ce884b4\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-quickassist.resources_31bf3856ad364e35_10.0.19041.1_nb-no_7d5fd9e22509fce1\quickassist.exe.mui.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-winhstb.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_bca9be8d2fb78659\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..do-backcompat-tlb25_31bf3856ad364e35_10.0.19041.1_none_a0d229da919bd92e\msado25.tlb.sola	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..utilities.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_6a41ad2d5047f7e3\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..opeerpnrp.resources_31bf3856ad364e35_10.0.19041.1_it-it_dd971eca09c60cc0\README.txt	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2656	2056	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe	85
PID 2056 wrote to memory of 2656	2056	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe	85
PID 2056 wrote to memory of 2656	2056	08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe	85

C:\Users\Admin\AppData\Local\Temp\08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
"C:\Users\Admin\AppData\Local\Temp\08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Users\Admin\AppData\Local\Temp\08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe
  "C:\Users\Admin\AppData\Local\Temp\08bd364f006ecda3b0760d7cbf107a23073529c5e863d6b1521a0612163d0a61.exe" --food
  2⤵
  - Drops file in Drivers directory
  - Drops startup file
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\widevinecdmadapter.dll.sola

Filesize
234KB

MD5
2107894c051aff7e1739cccf850f89c5

SHA1
a70d2e2090e31e277389301c7d8de26f7b20b1db

SHA256
2492cb79d827fbec0e5626da292868f2bc5748db9a251285b15bc46299aa658b

SHA512
8ea98abbc399561fb780a48cb75426eee3fbfc127e628f050b469ed10f33fbeeec81029ca636909642004d23b51ce16073c36708d6de6bacf243b9f3f091a3d7

Download Submit
C:\Program Files\7-Zip\Lang\ms.txt.sola

Filesize
5KB

MD5
8b2f8ba7d98caab23e010f2c6f7be6d7

SHA1
dbcfe11dc8ccf962cec047c03652f85eb4ed860d

SHA256
43f0f52f243bbb8da2fc4da63c438a2a45f5fcf9a51cd85a6084564b429c7f9d

SHA512
d80652c04583ad46f7557b9410f1e8745b6c882e5e7e2f7447409429c18ff5bd7f09123cc57547acf0e670ee5bffd1b201fa59b7b595b5bd2836deae239ba02d

Download Submit
C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\TestResults.Tests.ps1.sola

Filesize
26KB

MD5
efd7c88f2bc4748008ef9cf0af10d337

SHA1
296347ae27d09b53c056e0c606c89278c0252800

SHA256
c5406dc1e3c734d6bf1092e7aa9daef24d1debfbf42531b6ecc89098466ea306

SHA512
d143e1d48fe7550a6c4fba364a58028c86fa9480c62160a21eb10ebcdb3a33faf513ea0be2650915c6e39969118c9bffeed46cfbba31c84003d5d265cff85d08

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.AppContext.dll.sola

Filesize
15KB

MD5
c5482a26ce8147f72f89a3d74e7a0843

SHA1
8ba5b85fd6d54a13732ae2bfaa6f83b1dc1b831d

SHA256
9e5635c0b6243ad97fe8e93b47255ff78944c87615e764010a15819c0ada4ec0

SHA512
8bccd2f84d40c3bfaad303776460c0ac0d8bcac101f813c92ddd644b8d0277d14167403c12ed6a1246d441d4fe8291a7f6fcb138061221656222eca6567eff43

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.dll.sola

Filesize
18KB

MD5
da247d93341f5e15c78ad78ee9d85b03

SHA1
92677c442ab0806d55df78bbe3aa41fbb10bd003

SHA256
46ff7b257b643b60506cfb30cdb5fb17f5b6e49bbcbd60e618d8338962c05c08

SHA512
5d569eef25406aef0aef3145920b4929b15c57f41f22162bb8ba39662372be91614a17fd26c5cbac6b442457e02792a357d161c91c02ab4e8e60cf3c66eb2ab4

Download Submit
C:\Users\Admin\Pictures\Camera Roll\README.txt

Filesize
19B

MD5
cd0005971dd81c61d5be812f33a2b35e

SHA1
01f1ad380bb99d1a80e4fc1800c1b4e5f72e19d9

SHA256
e6d506e4376528c4ac030840c4c49d3501b85d1fdd6f367b4c8100c444d528af

SHA512
8b6d984ea0c15851f22fd8ea5f8c7925b2d2caacdd81dc5ed301d71feffb08b71dd95d16dee83c2a945e263e3e7b15e6706e2df691c4462f81aa3bae1821ebad

Download Submit
C:\Windows\INF\athw8x.inf.sola

Filesize
348KB

MD5
967ef771ef8142a3c5e7e02e3aabaf89

SHA1
1fc1d4f0f8c498dee48ba0511dec3f54bfef1d97

SHA256
404e85c664e45b77ac5a53a3c5c7ae0fe82eef8de1247c2e49f5b0b8a7b35b65

SHA512
ad2323ab35459c8a9382aa6dff10249d7dde4d2ae3377feeb572dc54c3144ba71ab4755d4f3628d85c356040e3dc556a6d8d880c6977eddbe2a808a2d6ae75d9

Download Submit
C:\Windows\SysWOW64\Windows.Security.Authentication.Web.Core.dll.sola

Filesize
982KB

MD5
3b39cb0244057f507eff9d0b63e2300c

SHA1
35982842fb7349384ed3297604808207bc9d749b

SHA256
d6ae92d8a09533f207210d49b6b4db7955d5860f2231ed6e0956d898461e319f

SHA512
3fe43b150bc74abfa7934cc96153da3937952051c725dcba22eee4ed4aaefcfe3e3bcca09d5dafef149b55e447b7a1c32cdd5fae744aba9ad93b1feb24d7788e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads