c4e56e9f1a23448f15f6f81dfdf3b2343e94ca1f33ba1f11a96a4b4182358664

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
18-10-2024 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
Size

18KB
MD5

50f4469ad4b9bf352c5c9604ef913ccf
SHA1

5c82d5155c9151115346efd94e1b1da34cced32c
SHA256

3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7
SHA512

ff92408fd18d0a7563705e606a9534ebc47f6e85b3dd2aa439da58f85c32c8107dd2d5985aca91d7c0c3cb604ef7d5758469e8efc77d033a66148b3a8731be3e
SSDEEP

384:vRHTIhveCy+RujQKK7qbqtLnWp9Iggf7W8:vRTIry+Ru0KKObh9IggfL

Score

9^/10

defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (1382) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 31 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\gmreadme.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\drivers\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\drivers\de-DE\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\drivers\gmreadme.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\ja-JP\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\drivers\UMDF\en-US\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\drivers\UMDF\es-ES\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\drivers\etc\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\drivers\UMDF\ja-JP\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\de-DE\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\drivers\en-US\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\en-US\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\drivers\UMDF\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\drivers\fr-FR\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\drivers\it-IT\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\drivers\ja-JP\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\drivers\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\fr-FR\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\drivers\UMDF\de-DE\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\drivers\UMDF\it-IT\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\it-IT\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\drivers\es-ES\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\drivers\UMDF\fr-FR\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\drivers\en-US\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\es-ES\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe

Boot or Logon Autostart Execution: Print Processors 1 TTPs 7 IoCs

Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

persistence

Print Processors

T1547.012

description	ioc	Process
File created	C:\Windows\System32\spool\prtprocs\x64\ja-JP\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\spool\prtprocs\x64\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\spool\prtprocs\x64\de-DE\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\spool\prtprocs\x64\en-US\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\spool\prtprocs\x64\es-ES\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\spool\prtprocs\x64\fr-FR\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\spool\prtprocs\x64\it-IT\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\mdmolic.inf_amd64_neutral_a53ac1a125d227fc\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_output.help.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_types.ps1xml.help.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\spp\tokens\ppdlic\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\FxsTmp\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\EnterpriseE\license.rtf	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\de-DE\Licenses\eval\Enterprise\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbvideo.inf_amd64_neutral_836a6716cd56c692\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Foreach.help.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\0C0A\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmhzel.inf_amd64_neutral_1292ec506cfc26db\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr00a.inf_amd64_neutral_e7f3f91e6832ef5c\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_types.ps1xml.help.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\de-DE\lipeula.rtf	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnin004.inf_amd64_neutral_c8902ae660ab1360\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\en-US\Licenses\_Default\UltimateE\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\ja-JP\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\zh-CN\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-MediaPlayer\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ph3xibc11.inf_amd64_neutral_bb18e5f134c40c68\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\en-US\Licenses\OEM\Enterprise\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\GroupPolicy\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\ja-JP\Licenses\_Default\ProfessionalN\license.rtf	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\Ultimate\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc303.inf_amd64_ja-jp_b0dcc6693f67451a\Amd64\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\Tasks\Microsoft\Windows\MemoryDiagnostic\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\ProfessionalE\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\Ultimate\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_do.help.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_functions.help.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Special_Characters.help.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wpdmtphw.inf_amd64_neutral_a7a22bb0bb81abb0\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\fr-FR\Licenses\eval\UltimateN\license.rtf	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\es-ES\about_environment_variables.help.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp8000at.cfg	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\fr-FR\about_Windows_PowerShell_2.0.help.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_scripts.help.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Signing.help.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiabr008.inf_amd64_neutral_27d1c9a28eac4eed\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_scopes.help.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\fr-FR\about_Comment_Based_Help.help.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\ja-JP\lpeula.rtf	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\ja-JP\Licenses\eval\HomePremium\license.rtf	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\EnterpriseE\license.rtf	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Foreach.help.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_If.help.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\Tasks\Microsoft\Windows\Time Synchronization\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\fr-FR\about_BITS_Cmdlets.help.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\StarterE\license.rtf	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_requires.help.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\zh-HK\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmusrsp.inf_amd64_neutral_a44611db70783ded\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\en-US\Licenses\OEM\ProfessionalE\license.rtf	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\it-IT\Licenses\OEM\HomePremium\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\Enterprise\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wialx004.inf_amd64_neutral_0a3a62ae6ed43127\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_requires.help.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_PSSnapins.help.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPIJ2280.CFG	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\System32\en-US\Licenses\OEM\HomeBasicN\license.rtf	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\UltimateE\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_job_details.help.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\AUTHORS.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginDialogBackground.jpg	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_few-showers.png	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down_BIDI.png	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\VelvetRose.css	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\my\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_rest.png	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop_PAL.wmv	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\play-background.png	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es_MX\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302953.JPG	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\calendar.css	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\cpu.css	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBlankPage.html	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ar.pak	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files\MSBuild\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-down.png	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIcon.png	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\settings.html	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\service.js	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-CN.pak	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square.png	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectToolsetIconImages.jpg	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\bandwidth.png	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\settings.js	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\init.js	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\settings.js	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\CGMIMP32.CFG	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files\DVD Maker\de-DE\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\tr.pak	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files\Java\jre7\bin\server\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\localizedStrings.js	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeAUM_rootCert.cer	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\picturePuzzle.js	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewTemplate.html	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\full.png	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_wiaep003.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_38b653653c7d630e\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-h..trolpanel.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ada67cdecd176d1d\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_it-it_ad460456d2632e57\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-x..ollmentui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_387e0dccfbc70bf0\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_flpydisk.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_fca3fb6ee59a1f5b\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-artcon.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_74ada7d78d993e6e\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-srdelayed_31bf3856ad364e35_6.1.7600.16385_none_b252497a75d8a174\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..figurator.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1c8e5b1e7f02188d\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7871ea5b49da50fd\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..w-capture.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a596658f96cb2754\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_Variables.help.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7601.17514_es-es_d9d0ebc7186d7b37\license.rtf	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-propsys.resources_31bf3856ad364e35_7.0.7600.16385_en-us_111f6b9c56cd76a8\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\es\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..layer-mls.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7a5c19208ced5c5f\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_netnvm64.inf_31bf3856ad364e35_6.1.7600.16385_none_2a8cc318dd2573b8\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\assembly\GAC_MSIL\SMDiagnostics\3.0.0.0__b77a5c561934e089\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\(120DPI)redStateIcon.png	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-legacysnapin_31bf3856ad364e35_6.1.7601.17514_none_e99b83c8fd064a06\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ilenotify.resources_31bf3856ad364e35_7.0.7600.16385_en-us_90e2906d41481f23\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\msil_system.xml.resources_b77a5c561934e089_6.1.7600.16385_es-es_4bd2e4b0dc5dce90\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_transactions.help.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-msf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_518cae4ae00ff68c\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\assembly\GAC_MSIL\System.EnterpriseServices.resources\2.0.0.0_de_b03f5f7f11d50a3a\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-batmeter_31bf3856ad364e35_6.1.7601.17514_none_74921c8bdf36be8b\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..c-results.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b0ce4b29609a6061\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-cleanmgr.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b996be78b27ebe08\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..ilter-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_01f3199aae0b8674\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_hr-hr_6ed8265c4c3dbb0a\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-r..ance-diag.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97530afa79f343b3\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.1.7600.16385_none_3b995fcfc0e586ab\security_watermark.jpg	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-snmp-evntwin.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7a90e92fc9a608ca\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ba650fd806606d37\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..utcontrol.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_82d677f24a0acaad\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_desktop_shell-search-srchadmin_31bf3856ad364e35_7.0.7601.17514_none_a9f0ab75af7a5b5c\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-console.resources_31bf3856ad364e35_6.1.7600.16385_it-it_66c13d41262bb2b4\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_tr-tr_337141edac49fb30\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nwifi.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6e0ae8581c7910f9\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ndservice.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_61a9354d39f8bec2\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..es-transportdrivers_31bf3856ad364e35_6.1.7600.16385_none_37a129135e68497e\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\inf\.NETFramework\040C\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\inf\Windows Workflow Foundation 3.0.0.0\0410\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-0000044d_31bf3856ad364e35_6.1.7600.16385_none_59d4a8fc6f5f0d9a\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-pnpui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_53c13e443f56cca8\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_6.1.7601.17514_none_61acd141e5332baf\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\inf\aspnet_state\0012\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security.Cryptography.Algorithms\v4.0_4.0.0.0__b03f5f7f11d50a3a\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-audio-dmusic.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_60e8c0f10088f408\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_fi-fi_e802953b7bce56ec\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..on-wizard-framework_31bf3856ad364e35_6.1.7601.17514_none_1478eaa56818c3c0\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-u..erservice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_47acf6dc044a06fd\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..-taskhost.resources_31bf3856ad364e35_6.1.7600.16385_de-de_af30b86a262710bb\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_server-help-chm.ieakmmc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_bd71096fdde20203\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\msil_microsoft.build.utilities.v3.5.resources_b03f5f7f11d50a3a_6.1.7600.16385_it-it_7733fca50298044b\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_98af26a5072718fa\license.rtf	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-r..sisengine.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8440c357947403d2\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..rds-datafactory-dll_31bf3856ad364e35_6.1.7601.17514_none_4d87b8f14c93ac65\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-msswch_31bf3856ad364e35_6.1.7600.16385_none_2b0f60d7ba2095ee\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\32.png	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-magnify.resources_31bf3856ad364e35_6.1.7600.16385_es-es_514d4f51067afe9a\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..languages.resources_31bf3856ad364e35_6.1.7601.17514_zh-cn_70897adaf67ef72e\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_server-help-chm.mmc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6fe1f4a7f8512ee9\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_wsdapi.resources_31bf3856ad364e35_6.1.7600.16385_en-us_772eb2557f1b8afb\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
File created	C:\Windows\winsxs\amd64_wsdscdrv.inf_31bf3856ad364e35_6.1.7600.16385_none_2c33389ae33260ae\Decrypt Instructions.txt	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2812	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2660	vssvc.exe
Token: SeRestorePrivilege	2660	vssvc.exe
Token: SeAuditPrivilege	2660	vssvc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2812	2268	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe	29
PID 2268 wrote to memory of 2812	2268	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe	29
PID 2268 wrote to memory of 2812	2268	3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe	29

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe
"C:\Users\Admin\AppData\Local\Temp\3dfaf477d5058014e308f079fdfe1e9c765f3280c0ef105ddd0efeb5c9b0daa7.exe"
1⤵
- Drops file in Drivers directory
- Boot or Logon Autostart Execution: Print Processors
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\System32\vssadmin.exe
  "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2812

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\Decrypt Instructions.txt

Filesize
1KB

MD5
abc7c12bc76b24620de452dcecfedf65

SHA1
ab2db18a5e2e34218390f5cbc77e7cd3f8c17caa

SHA256
cbe0126bb30beac1982e127e11eb18c19d308689817dd362b7c300fab555f6ef

SHA512
b0237087181a05f7b8af4be2c58f7b0d75585bfe0edc1f24083f7b7be34c5e409015c8e614e92cb1d03ba420c4449884ec619bc4ad5914df9837d0b8fbc423e3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
e08b03669691002dcd58b16edbe47e04

SHA1
7932ca6b320f8d947b070dd17a1ec5cec06a27e4

SHA256
9bee73862d696acefa5240ca11a12c1bb8249b55d660d588b71f288fba51abc8

SHA512
62154b0704efc833043b3d8b8836b8cf7c8fbd9575d86ea26cb8ee1dfeaa3114b314be7e04a18cc42d3771d041a3462cafd5663ef998d8d9648dfaaac17ebd3c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
7KB

MD5
a1ed93213227bd7b891a8beb15b217e1

SHA1
5936fbb17d76dab2cc21b7d05b6b0db1a3455591

SHA256
d84e86322d99164d37581d9f46102b677265e57ff899c4cae83a33cd1d0cb703

SHA512
418f257b3afaca9e0386d1c17dcaea91e5d2141a02e76db8455e60b1f374a1880e344a736084d88a1635a3e1199cb96bff96e12145b04e36930556f1151ffdba

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
f165a93d0b90f20dea0a26cbc781d28a

SHA1
fb5c8c9b00f6fc8d1a17b323e523aa4c94ec90d4

SHA256
500e2ca73f6c807f71184fb036b58c03103283642f176c9b9323596700902d1e

SHA512
d04768ef34cd606e910278ebf8fdfaa0d0072a21c1d5299ff1300644670a3b872bdc57d0e281580d859ff485fdb643fb868b9313f860b34a3bfe5dd58d0c5750

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
567ee05194c756978eae5823b4073510

SHA1
b93add136bf5d4a9443dabc717c3fe403f24605a

SHA256
609f8edfdb11e6a9d2ae37464ffad0877e4e3261afd92207458f8ea7971edb6a

SHA512
8c2c3f9b486f8584ae1f6997a6676d411762679f578189bccf02a1e5892bbf715379441f0fd1bdee66f4d63b5e4305c9be466708bf44b53a783c8b936d130524

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
97cd47eb473866910726b11a1c04a661

SHA1
c72d248f79831a86d52fa3f315e6f260e6288bf7

SHA256
031eacff6aa58f07f0620546fb76d2240b1cada78527fe8c032d873523d2d0ab

SHA512
f601bd6e116c333e7a704d963e2cd98c48e9d363e8ebb59dcb7550916fec665330448db12bdcca5c8de3336f946b39003b8c3aef8765c6f313fd48160e14818b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
b0b9fa68084261c131c47716cbb71c86

SHA1
258f0bbc1fd49a4ec4852053cef90302394ee510

SHA256
430685b09c87961f9f733b31af0592a08392ea6dca7a947548bf64309c9b901c

SHA512
425a775de649e319dd8ef605be3a6609fc2db24ed1cbc9ecf4683a2082882442d19267589fd908a90b5b31d707205b03c1d29b5ed22d5fc72e24354a51e1ba7b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
8b4c7b5822c877ced82cb592a06db11e

SHA1
0dac30463c3a260816dcdbd776d0d3795b6c6530

SHA256
e2ffbff9f53f3ac2eba972112ce033ce63b48b2a38f0058a44ed7617ae411fbc

SHA512
44ac822397ab8a723b97dd7e75b222e243386622af5ca2c58a49865e421dc3ee06f3513074015dc05f1e6a9fa97ad06eec8f06e31bfa485ae245d5b86562fe67

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
0684ad0a94c3a262b5d27e3e67552851

SHA1
eaaf1594621089d6faf2c5661fddc70790a81ebd

SHA256
54e6d59e1f362d431ec860d9016c1ddff039836673261fb6da4a948cec2f8d9e

SHA512
02a776471d761e6fe9f9e665d1c557751e760d8b7d9eba9471fa0422cb81a441dca22ebd89482c2a8ee209bf482e1c639a92060d13018ee62d523cc077173d32

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
434538fd84b61d1cca5e229c665598e3

SHA1
ddaea1405209dba267f050da6cec1d410db6cb74

SHA256
991d497f30308194b60d862507c0ee9bccccfd237ee38c869f6f42839d01fb56

SHA512
3bc85f624ccb80b668f692243a7acdb0cd767ffbea4b42c9d58d6275b8d4ad109c58180b57e9893f5bf7a7993b8cff8a3c6a28abf18104f35ce107ff7d96c0e6

Download Submit
C:\ProgramData\Adobe\Acrobat\Decrypt Instructions.txt

Filesize
1KB

MD5
b24fc02b5fffe1defa8368cf28134e39

SHA1
b52d89dc5b9c715635668d315bb8bb80eb12b7d4

SHA256
1ba3719f3798a9c9bfc9f135757676ea59d884fa89ae7f870d02f62108dd15ec

SHA512
375ce9137e320f0fac8038f59aa3cf5c5a4c7a64bd0536116bf51d070f1b335f5f85a01b8a3b1b633fb8483d089f576d2e32f9a8f78575c1cdab34af6c54ed6d

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.001

Filesize
16B

MD5
906cfbc3d15b2d81ef274788bfa057ae

SHA1
40ddebd36fe8f05e80144853f0b7974e7653f69e

SHA256
3490278d47fb016f1abfe9c4f7bec4da1125e35585bcccc24a60ee5f5c155989

SHA512
4ff0c467281c31ea6f67278a7a495c326479716f5f73c2ad06051925a08808496e1f2776f414ca85340523c76e467b178b1c3b97897ce0ac2b3d80d71f453724

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240729_174811932.html

Filesize
1.1MB

MD5
62379d6ef96e386ec121e3a6d5a2bd64

SHA1
c6789e05732fe713f98847be8f7956eeb7f9accb

SHA256
408ed842f18a0d55e2503270285e38c6dcd439913e571cba41eba11aed62f0c0

SHA512
e9795d788d0f7dec88bc8ff5f5d36908d6ea783b6d554cddeac4741d489df9587cf079cbd4ccb20198a3b0c9411444e5d24ad4fb443440b81ff018af4debf1e6

Download Submit
C:\Users\Admin\Documents\MountConvert.xlsx

Filesize
11KB

MD5
a0f5dba6252e44cbe56f7eec196ac977

SHA1
b19562bebbc0f54298cd820728141cf1de137720

SHA256
20948d9c2c594873d530c6300f30897871ee298287a761cd6121992992df3029

SHA512
df681f1cfef627d5e7add6559d6ccbc7be443d2d0efbc24b5ff3f7811e76f604086077601b8a0b3691bd3117eebbb2db9655cdce13a47f05951f7d355fec7c31

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallCommon.sql

Filesize
24KB

MD5
f09f9e88380b23283fabf5e3849978f6

SHA1
e610e7d1b95949cfeeb66fdc90a8109d675fe11c

SHA256
377250885a4bc5ad0f0e4ac0c936c8aef21a5018493aa7fda256c2c185665818

SHA512
46f4ed8871630a40e15d47f487cb63ca4c8028f546f254d0de6063575354cb90d6428a5de4b8d0c02cb6274b11cba2d4a8e4935001eeec6782f1f7699b2bdc13

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallMembership.sql

Filesize
54KB

MD5
6a1c0a45c18977321a18e5ff7c827868

SHA1
3c9d23aadfebe0a983d6a6877e3e9608ec68ba25

SHA256
9b889fbeca16bc1d212970cc279f019b0d1e9444faeca60c34d36f7bb5acfd04

SHA512
1a4cbd838aee9cee459246c641e258b94759d257361e905994e6e6a8e478dff99775e1fcc32cb0cfc734600a30fc82bff355d45ebe0d01837acb83f9ec70e36b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallPersistSqlState.sql

Filesize
51KB

MD5
5bb84bd8d23f5849b9145263158a766b

SHA1
3d31f688ea577a2737f6bf0acbdd0eba362fba0f

SHA256
bea2fc5117a911843371198c5e18a266f31384483d6710687babf20b6f50eef0

SHA512
80836213eeb2297e7e7067c520c142e2082848d0a01e3626f5f276dd2aa4d921a11f2c5efc4c3ec88dd37c88975aca2af84100a3367d9d5db09a39d8e4e293e7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallPersonalization.sql

Filesize
34KB

MD5
a9dcacc325e42003497bf56362bfdf93

SHA1
d7b2f47e956b64dce9fbf283d430ac9c575ce991

SHA256
c705e9e3aff01107bd2e70fb92ad3d74a4fe7c21f057fb387bfac8e19df06811

SHA512
56f1c90dd091e70ff00bba26399d301eaf95071e82d19709bd02263280004476f4d0347250056b50a56a0201938bc8f48398e2e4f1ec902ea594c747017cf908

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallProfile.SQL

Filesize
20KB

MD5
77aa136218c4265af89c0f3cb8d8c607

SHA1
f1426ecf8e80db0b7b12369236cfc401124488bc

SHA256
0d46365f6720a03bbe87c38168c2d3a23927519c3a2ed642a109f30f863fab91

SHA512
54e0590077d6298ed0ab50e70615fbb0fb7370f66d290a78a33ff1a853606e072e2224e0bae1c18d43b1a3ce127316bffe90c0fe2e238c2e06cba9e298ac1090

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallRoles.sql

Filesize
33KB

MD5
64e94088a735c1c9a2ca53fd90ea104b

SHA1
fcaf086c20b87b470bd658119a25a35d5eef411b

SHA256
d4e761a781bfa702d19aeff02ce2bc89d96774855191ed9b0c39f37aa242242e

SHA512
3a62177394d6b4f5137af26713af9d7682b28073efb25342f5c123fbce9e7c1ffdcc53bec7065772d1e4ff0b96e612b4091a57eaa32b24350d6d079b6e83c870

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallSqlState.sql

Filesize
50KB

MD5
3bb001bca42dd9215c31141ce18325c2

SHA1
346593c8f048a2f74256a01c6f7708acf6f496d3

SHA256
296f34634560bf5fa9546c52efc9b87bd0bb80620b2e3ca22bb7e1f6fed76dc3

SHA512
95332dca4b354ced64d9f83fab0b793c3f6b48d39c6c0109ea57df84f29056e63c4b8b7a2de9ba4ab08cb7420931a4ff858d31349a3587c3a3d3fa8f90167ca6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallSqlStateTemplate.sql

Filesize
52KB

MD5
9ffe85410597c168f0c7be065160e0dc

SHA1
199ea04b39f86871c56212bf191cfe4e22da3e36

SHA256
ce86e03847665b731fb7b83eb2f89cd1db50a8d7ce5d884f13e3cf74b9d4e793

SHA512
6e8dde73ced69c4f2ce36cf1f942179e1a63f4a4e3dfd0937220d47d03c04921ccb20901130d02f8895d7bd73443bd701a5ade8a55a01feb7d89295b30d27fab

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallWebEventSqlProvider.sql

Filesize
6KB

MD5
768d64330feeadf5d6407ca13213a7e3

SHA1
364e3a5dccaab59c64a1910460988a763d6efcf3

SHA256
952e8235b2a3346957be89402e776feeec97196b50ab4f9fb6e0bd8a611ac3f2

SHA512
1aa31dedceb6e978852f773c48fef2e034164adcc2efa38c8446c6e78c1486ac9a94af39c4902b4c01701376dc8352536c635a7d95b433585262c89cd39300af

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UnInstallProfile.SQL

Filesize
4KB

MD5
e92fef1d3c91ae5f3dfa9b8635c29935

SHA1
13b55ce1326bba7c63483a931fe70d11c181457e

SHA256
9616e75d82b01b18932906d33c578facff776579354fb55905541f91321b55a3

SHA512
0e5c08b8f3ebedcafd1770c6c82e7c282a02448eeaeaddd0ca5fc168075509c28fe791cef2e4c6ce5e4e8309b90845cba3ca0bfc9bd887dd75df09a798ec5bcc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallCommon.sql

Filesize
3KB

MD5
ec69cf225f389308f1cf45abb56b74b7

SHA1
0142df78c5b7daea827832e7472fedc973c77385

SHA256
22cfd40a86e7ae17ef95a07326097fa89a57b2c1bc73e4ee08e0f6f1fe6ca302

SHA512
ddb613c0509f5d1825de37764e07bb0ca8b0d059c31be085c1c9280f8312ee73d1447c221de54a69626fdc2d616edb95cb54929c74d0dd0bac87fcb18f17d364

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallMembership.sql

Filesize
6KB

MD5
68f6fc1487cdbfd11355d5fc3cfcd7f9

SHA1
bc1a10b14eee5be89b8c1b453228f2768cb8e98f

SHA256
6b7416ba977d74eb2b84f9e672b23fda04fceb5bd1c0873b45bb026e17290ca0

SHA512
99ebc64139b1c1208d654164803c7deeb20c979742b0a3f09a4c8baf92fff70fa8896b797e714eb2c2d0b24e59c8048573e2da856033defe37fe1051ba08ce5b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallPersistSqlState.sql

Filesize
9KB

MD5
48dbed3c9fc5849e4627460158cb33eb

SHA1
5f50eac1ec169957810548d6836505f5efe8c3e2

SHA256
d87072da73fed0d9d5354e4ba0eb680b2b3852165331d561535d5ab5c4d4816c

SHA512
015558b49d202051bc993e3c5d0f5b8dc3f29235eba0c002cfa954845ddebe7d2bab9b5d53aaa121f11417105f05ff4d0c4c87d7dfbac377435f4376164175bd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallPersonalization.sql

Filesize
7KB

MD5
6ef8aaafd38285ae60e975ab01599b40

SHA1
c94830e78c52f0df600f8d53bda217f630f8039d

SHA256
5a3771e28793e6aad11f016a1ee828d8baac812e21aef4fbaa56d3b1034734a8

SHA512
03baf68bce8af071b0b93db1bacdc917445bc736fcac0fdc3ff761006948870f103c4288150154d56c090b5f5b9df32d6c6a751fbb2781185cc7d36ff2d04e1e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallRoles.sql

Filesize
5KB

MD5
db63f141c9fccf7d2f4dfa874278dcc2

SHA1
9a39ffe8b7c180d5329f5461ba33445eb0612927

SHA256
3c4b3e4f0d1069b481e1234721b2b5b13ab9d52764fbdb5324059bf96471ccca

SHA512
1ff860ce95694205c82786856c80bf53d280c5915f7873455db69099118e1cb8ffd29bd58af2d6a6965f7e45d00a8dd33963091a78910bd53a56a1cce4106a74

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallSqlState.sql

Filesize
9KB

MD5
0048a50a419ca3adf9dfca1cb72dc0fc

SHA1
979670e299a8e777d76e809ba5e7652963151ba1

SHA256
b60fb909f01ed52df2926f46b2a513e3776507f9856312dda325e91c0bd641fb

SHA512
5036137a75f2256f33bf6e5bd23ef0b57a66de3cd0d0f5bb123011741230c46f3d267fe5c700c5b2ae615842d81eb5f6d9c800283d619e6e05d6ca4f1100d5a1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallSqlStateTemplate.sql

Filesize
11KB

MD5
8cd7d3a615699c3d3564bcdf8c701725

SHA1
7663cf7a589755a72c5e96ce59a8e1795d648bb4

SHA256
3ed1fca137c079730fd2c822221402f7d1a0d5002dadca74354b9c680bc5b8ee

SHA512
8fa82d5ac3da10924460c73ee777e4e5548966a3ee8c48f354f43f4c0ddb0e5b05656571e14beacd59e6733dc295f0132450c0a31d4430758112b8faaafde68f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallWebEventSqlProvider.sql

Filesize
2KB

MD5
d6bebab64402cb44e167ec933db82985

SHA1
5706317537404a556a7dc77565418bf2d841da44

SHA256
01275593a59791b92050d87a73deb29cbca1d807b5e9116c4b4100652e7ebf5c

SHA512
14a42665596f08dcb09442562a2ebb07b32db364332d681aecba386559409c5aad21faac947fed79cfbfd4f5747ecc1478647341cd8fd936eab7f624146cdd0f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
9b597c22676aab64456c9b1669bcc9c4

SHA1
c5afc6551684786938051032606239529c26adfd

SHA256
808bef616596a735b936eadee3150fb50aa081505cbe10970a16814d80159ad8

SHA512
2d90f99c922831e158e73bc6560b0d029ac32c0840eab68d45575be5ffb48ce06cec299eb246a6aab125f91bd4a4a3caff651d0c5e7d72af9725c81433e9c204

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
df8e1003720eb8546c3c68b6ee1d2409

SHA1
082de4bc22f7a7e5a4d8be43874821f138fcf701

SHA256
fd667475ed88a273438433b99838148c5dd4254b7c22bbadf40c4740b53ac6e7

SHA512
9ec003536f39248521f350221596d243b2c6db9f58e4c2ac446a785fdd1a63e1b006548151872420c9982b4047bdfba669be364d03454497b0f0f821d63fd418

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
f27d651bfebc861273473432e1263746

SHA1
d50bbce7a01a80ee4fe0d2981bba192dd6d6d121

SHA256
4d903dede73da896fd50ed06c894d4e24c1b325ebf25cb59476f0fef0abc36d2

SHA512
f6ffff0c065a72c611851fe2ec90bbcada7d4bfd052d3f7a8c28f37cbbb6a31b93d726f3f9dbc92a8b08b3525160f6e0dd0c9342cd13bfd448d3493bea35777e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\security_watermark.jpg

Filesize
64B

MD5
0f68b0deee75921f762aec4496f100c4

SHA1
1efee85d9cd766292c09383a537b098e6f6fcef5

SHA256
cb43598c729e2ddaeecd18c1284effd817cc8910da5b49855c431eaf18a6c104

SHA512
b690f973eb73f035443809f175f44963ac8e8342a1eb88d84361996d505af76c3953a52041e1485aee0033ce011cf5e0c69bfb5d48843a60cb1a1bbf7896cf0f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
3e87229934cdc534c89a2f235369e02a

SHA1
dcb8f4179d087f8efb78d6d315d3c1407aa4efd0

SHA256
d7c8fddddcbcefdcbadd5befdf94a4f276db00894625e441e78fcc5b79cddcdc

SHA512
305e5cdd249dd617a7e6743db94c7edd092fc6114d90a39e96c97674958b1dabd9633aa45594a12606c1d930b42bbc29b33d66e6aee39b00f2979ec7e8468a11

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceService_Logic.sql

Filesize
23KB

MD5
8a5bd7512783cd2839a0a04eec22f0c8

SHA1
6285307ddab16caec60d9ef5ba5175156ce8dfe8

SHA256
d3d322150dc1dc901aed1c2fd8f5146160eae9bfec3a8751af0c07b64e8ae09f

SHA512
80dc76dccc569e7c37146e846f2db7dde74cccf716d9bc5114c5e4dce71c9399abc7bdd1a80730c63f81265692ae555ee6832bce96037ae4acda21bcf1036666

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceService_Schema.sql

Filesize
4KB

MD5
68f9c7da5362647ca3dba35f8df6ea8a

SHA1
5b52144dfa4ce571da63ad872c9cfe96fe256f81

SHA256
b0ab84f23681fd036a5efd3cf0705526805bc12f6ebe756258115c614a3e7f7b

SHA512
0eade3f5f1f7e542710aa13fc93644552f985f9e8c8505dab2f2149965c4f1cd0af2ffd97484012b688f2370a641cd9ae0d37264098ad06a11eaf0681996cb74

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\Tracking_Logic.sql

Filesize
372KB

MD5
248143d9299d02d1dbf230962dbd3f1e

SHA1
57b911c0b07679e96292804d90c19416a393dca5

SHA256
75aaa924cb331707554e926082400f019929e9315e46c4a4f88f414ec8021c4b

SHA512
0481cc30b07ecec265bc950fb2830ba8821b360a0eb54b5bcc318bd84c626a580d0784c03a5947aa037916b4d52c2cb8491530770bd88467c0b4030805e6c595

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\Tracking_Schema.sql

Filesize
49KB

MD5
8ce3f2098e9c7518c3cdaaf244f6c572

SHA1
272ca82c56271bd15d2eb6b69016930c76c3514c

SHA256
8b2ce68536f5a3c9b9723ffc88f988dc3bd69181e5af72013661e10f8807f1ea

SHA512
e4cdad3dfad0aca1f161d087cd490aa80d0bc2eb2b2441da555f31304447d489ad2fe3e7391f72b47ee0fe7d1529b37d4e2f34f541d1ee72b4ad82a5ac1fc907

Download Submit
C:\Windows\Microsoft.NET\Framework\v3.5\SQL\fr\DropSqlPersistenceProviderLogic.sql

Filesize
2KB

MD5
415b6dcb33aa86822502cf89cd7f2d20

SHA1
201c1870c365a9c98589ebe090b2bc1f2b63cc52

SHA256
40e02f4a1ee51692b36fceb78e2707c8568a0b61a0163c1cafe0391d8c9d0329

SHA512
37d277e02c875ac1bcb6757b789b89f32a877c2aff4e2b2673a19e15c64d09a9d8fdf5c471ab9971255657286e94ea6f16757e2605f5ce95eb38e97d46846b08

Download Submit
C:\Windows\Microsoft.NET\Framework\v3.5\SQL\fr\SqlPersistenceProviderLogic.sql

Filesize
13KB

MD5
121012abffbf8f884ee76a1693f48999

SHA1
852a621c7fe4ea922ea18fd1dcec830cfa535749

SHA256
a9dd1f80c14f6b524cb4cd2f877a65d7de785e19b982ee95f984771810849b3d

SHA512
f84d154e0de81e3c7a1ad2c3fb126783bbcbd9f0f8dba949d28422d1de2915ed5399dbf6feb7b7b1c00d926bc5ce15bf67dcd19cd76c5b767d735b3d53b4daed

Download Submit
memory/2268-4-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download
memory/2268-3-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download
memory/2268-2-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download
memory/2268-0-0x000007FEF5A9E000-0x000007FEF5A9F000-memory.dmp

Filesize
4KB

Download
memory/2268-1-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads