Malware Analysis Report

2025-06-16 06:30

Sample ID 250515-hjh8jshr7t
Target 84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe
SHA256 84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e
Tags
credential_access defense_evasion discovery persistence ransomware spyware stealer
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e

Threat Level: Likely malicious

The file 84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe was found to be: Likely malicious.

Malicious Activity Summary

credential_access defense_evasion discovery persistence ransomware spyware stealer

Renames multiple (22655) files with added filename extension

Drops file in Drivers directory

Reads user/profile data of web browsers

Indicator Removal: Clear Windows Event Logs

Drops startup file

Credentials from Password Stores: Windows Credential Manager

Boot or Logon Autostart Execution: Print Processors

Drops desktop.ini file(s)

Drops autorun.inf file

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Browser Information Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-15 06:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-15 06:45

Reported

2025-05-15 06:48

Platform

win10v2004-20250502-en

Max time kernel

149s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe"

Signatures

Renames multiple (22655) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\ja-JP\fvevol.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\en-US\i8042prt.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\fr-FR\netvsc.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\it-IT\sdbus.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\it-IT\tunnel.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\it-IT\vhdmp.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\ja-JP\EhStorTcgDrv.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\ja-JP\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\es-ES\dmvsc.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\ja-JP\usbstor.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\ja-JP\cdrom.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File created C:\Windows\SysWOW64\drivers\UMDF\READTHISNOW.txt C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\de-DE\Microsoft.Bluetooth.AvrcpTransport.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\de-DE\vhdmp.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\en-US\bthenum.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\es-ES\ws2ifsl.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\services C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\fr-FR\storqosflt.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\it-IT\refs.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\de-DE\processr.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\en-US\modem.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\es-ES\hidclass.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\fr-FR\pcmcia.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\ja-JP\pci.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\ja-JP\IndirectKmd.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\ja-JP\mouclass.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\de-DE\tunnel.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\en-US\scsiport.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\es-ES\ntfs.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\fr-FR\bthport.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\fr-FR\refsv1.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\ja-JP\disk.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\UMDF\de-DE\UsbccidDriver.dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\UMDF\en-US\SensorsHid.dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\it-IT\dmvsc.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\it-IT\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\ja-JP\smbdirect.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\it-IT\nvdimm.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\it-IT\pcmcia.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\UMDF\es-ES\WUDFUsbccidDriver.dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\de-DE\ndis.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\en-US\luafv.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\fr-FR\ndisuio.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\it-IT\agilevpn.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\it-IT\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\es-ES\ndis.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\es-ES\pacer.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\fr-FR\acpi.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\fr-FR\mup.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\ja-JP\hidbth.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\UMDF\ja-JP\WUDFUsbccidDriver.dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\en-US\NdisVirtualBus.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\de-DE\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\en-US\agilevpn.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\es-ES\partmgr.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\es-ES\pcmcia.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\en-US\usbport.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\es-ES\pnpmem.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\fr-FR\fltmgr.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\drivers\fr-FR\wdf01000.sys.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A

Boot or Logon Autostart Execution: Print Processors

persistence
The only indicator is the ransom note READTHISNOW.txt created in the print-processor directory; no print processor DLL is recorded, so this is a side effect of the note drop rather than evidence of T1547.012 persistence.
Description Indicator Process Target
File created C:\Windows\System32\spool\prtprocs\x64\READTHISNOW.txt C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READTHISNOW.txt C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A

Indicator Removal: Clear Windows Event Logs

defense_evasion
Every indicator below is an .evtx file opened for modification by the sample, the same action it applies to files elsewhere on the system; no log clear is recorded. Treat the local event logs as unreliable either way and work from forwarded copies.
Description Indicator Process Target
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-HelloForBusiness%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Application.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4ActionCenter.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Device Registration%4Admin.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-SettingSync%4Debug.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-HotspotAuth%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Internet Explorer.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-Audio%4CaptureMonitor.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-SPP-UX-Notifications%4ActionCenter.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-VHDMP-Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4FirewallDiagnostics.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-UniversalTelemetryClient%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBClient%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-BindFlt%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-Privacy-Auditing%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Restricted.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-WinRM%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceSetupManager%4Admin.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceSetupManager%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Admin.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Security.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Setup.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Audit.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-SettingSync%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\HardwareEvents.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-PushNotification-Platform%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-VDRVROOT%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs%4Operational.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Maintenance.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
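The signature names in this report are the sandbox's, and four of them (Drivers directory, Print Processors, startup file, event logs) are triggered by just two filesystem actions: a READTHISNOW.txt created in a watched directory, and existing files opened for modification. That is what a file-encrypting process looks like from outside, and it is why the persistence and defense-evasion tags deserve a second look before they go into an incident timeline. The script below is an added example, not part of the report or the sandbox's own code: it re-parses a handful of the indicator rows above, rebuilt in the report's "Description Indicator Process Target" layout, and reports what each signature's evidence actually consists of. The row helper, the category labels and the verdict wording are mine.

```python
"""Re-triage of the sandbox signature tables (added example).

ROWS is a constructed subset of the report's indicator rows, rebuilt in the
report's "Description Indicator Process Target" layout and keyed by the
signature each row appeared under. Category and verdict names are mine.
"""
import ntpath
import re
from collections import Counter, defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe")
NOTE_NAME = "READTHISNOW.txt"   # ransom note name seen in the report


def row(desc, path):
    """Rebuild one report row: Description, Indicator, Process, Target."""
    return f"{desc} {path} {SAMPLE} N/A"


M, C = "File opened for modification", "File created"
ROWS = [  # (signature, row) pairs taken from the tables in the report
    ("Drops file in Drivers directory", row(M, r"C:\Windows\System32\drivers\ja-JP\fvevol.sys.mui")),
    ("Drops file in Drivers directory", row(C, r"C:\Windows\SysWOW64\drivers\UMDF\READTHISNOW.txt")),
    ("Drops file in Drivers directory", row(M, r"C:\Windows\System32\drivers\etc\services")),
    ("Boot or Logon Autostart Execution: Print Processors",
     row(C, r"C:\Windows\System32\spool\prtprocs\x64\READTHISNOW.txt")),
    ("Drops startup file",
     row(C, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READTHISNOW.txt")),
    ("Drops startup file",
     row(M, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini")),
    ("Indicator Removal: Clear Windows Event Logs", row(M, r"C:\Windows\System32\winevt\Logs\Application.evtx")),
    ("Indicator Removal: Clear Windows Event Logs", row(M, r"C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx")),
]

# The indicator path may contain spaces ("Windows PowerShell.evtx", "Start Menu");
# the process path and target never do here, so they are the last two tokens.
ROW_RE = re.compile(
    r"^(?P<desc>File created|File opened for modification|File deleted) "
    r"(?P<path>.+) (?P<proc>\S+) (?P<target>\S+)$")


def parse_row(text):
    """Split one report row into its four columns."""
    m = ROW_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised row: {text!r}")
    return m.groupdict()


def classify(desc, path):
    """Reduce a row to the primitive filesystem action it records."""
    name = ntpath.basename(path)
    ext = ntpath.splitext(name)[1].lower()
    if desc == "File deleted":
        return "deleted"
    if desc == "File created":
        return "ransom_note" if name == NOTE_NAME else "other_created"
    if ext == ".evtx":
        return "eventlog_modified"
    if ext == ".mui":
        return "localized_resource_modified"
    if name.lower() == "desktop.ini":
        return "desktop_ini_modified"
    return "other_modified"


def summarize(rows):
    """Per-signature counts of primitive actions."""
    summary = defaultdict(Counter)
    for signature, text in rows:
        cols = parse_row(text)
        summary[signature][classify(cols["desc"], cols["path"])] += 1
    return dict(summary)


def verdicts(summary):
    """Label each signature by what its indicators actually contain."""
    out = {}
    for signature, counts in summary.items():
        kinds = set(counts)
        if kinds == {"ransom_note"}:
            out[signature] = "ransom-note drop only"
        elif "ransom_note" not in kinds and "deleted" not in kinds:
            out[signature] = "in-place modification only"
        else:
            out[signature] = "mixed"
    return out


def note_directories(rows):
    """Directories into which the ransom note was written."""
    dirs = set()
    for _, text in rows:
        cols = parse_row(text)
        if classify(cols["desc"], cols["path"]) == "ransom_note":
            dirs.add(ntpath.dirname(cols["path"]))
    return sorted(dirs)


if __name__ == "__main__":
    for signature, label in verdicts(summarize(ROWS)).items():
        print(f"{signature}: {label}")
    print("ransom note written to:", *note_directories(ROWS), sep="\n  ")
```

Run against the full tables, the same split holds: the Print Processors signature is a single note drop, the event-log signature is opens-for-modification with no deletion, and the Drivers table is a mix of one note and in-place modifications of .mui resources and the hosts-style services file. The "deleted" category exists so that a future report in which the sample actually removes .evtx files would change the verdict rather than silently look the same.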

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3299287909-2279959458-198972791-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\Downloaded Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\Media\Desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\de-DE\fhtask.dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\de-DE\tscfgwmi.dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\spp\tokens\skus\Professional\Professional-OEM-DM-2-ul-phn-rtm.xrm-ms C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-8-pl-rtm.xrm-ms C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PAW-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_LogResource\es-ES\MSFT_LogResource.schema.mfl C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-KernelInt-VSP-merged-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\de-DE\lprmon.dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\en-US\ppcsnap.dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netwew00.inf_amd64_325c0bd6349ed81c\READTHISNOW.txt C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\DriverStore\fr-FR\vca.inf_loc C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\en-US\loadperf.dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WindowsOptionalFeature\fr-FR\MSFT_WindowsOptionalFeature.strings.psd1 C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\sxproxy.dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\en-US\TSWorkspace.dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\fr-FR\CheckNetIsolation.exe.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\fr-FR\Windows.UI.PicturePassword.dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\READTHISNOW.txt C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\MSFT_NetEventPacketCaptureProvider.format.ps1xml C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File created C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ScheduledTasks\READTHISNOW.txt C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\de-DE\fpb.rs.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\ja-jp\wsdapi.dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\spp\tokens\skus\Enterprise\Enterprise-Volume-CSVLK-1-ul-store-rtm.xrm-ms C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\wbem\AutoRecover\0F6999175ECAE7FD86A81D5F3AC1FA46.mof C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\wbem\AutoRecover\6D15B1C3AE92D91DCD86360CCC4F53B4.mof C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\en-US\explorerframe.dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\es-ES\dusmsvc.dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\fr-FR\dimsroam.dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\uk-UA\schedsvc.dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\wbem\ja-JP\embeddedlockdownwmi.mfl C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\cdosys.dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Worker-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.488.cat C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\es-ES\ContentDeliveryManager.Utilities.dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\InstallService.dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\CloudNotifications.exe.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\Speech\SpeechUX\de-DE\speechuxcpl.dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\ja-jp\ifmon.dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\wbem\es-ES\Win32_DeviceGuard.mfl C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Media-Streaming-merged-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Shell-CustomShellHost-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.844.cat C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\de-DE\pcbp.rs.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\fr-FR\wdc.dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\it-IT\D3DSCache.dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\it-IT\UserDataService.dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\wbem\fr-FR\EventTracingManagement.dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\Windows.UI.Input.Inking.dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-IsolatedVm-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\DSCResourceHelper.psm1 C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\en-US\scksp.dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\wbem\en-US\WdacWmiProv.Dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\SysWOW64\Keywords\ti_cnn_zh-CN.table C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.cat C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Embedded-ShellLauncher-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netbvbda.inf_amd64_06bc8afcd2617abf\READTHISNOW.txt C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\pmem.inf_amd64_acec109593aed940\pmem.inf C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\en-US\TabSvc.dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\en-US\ncrypt.dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Hypervisor-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RoleResource\it-IT\MSFT_RoleResourceStrings.psd1 C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\es-ES\bcdboot.exe.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\wbem\AutoRecover\AE25594AECD77BF35F6E794162F4DD77.mof C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\twinui.appcore.dll.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Multimedia-CastingTransmitter-Media-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
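
Reading the file-event tables above, two details matter more than the signature names. Every "File created" row is a READTHISNOW.txt ransom note, while the desktop.ini rows and the single autorun.inf row under C:\Windows\BitLockerDiscoveryVolumeContents are all "File opened for modification" of files that already existed, which is what a directory walker encrypting everything it finds looks like, not a deliberately planted autorun or shell-metadata file. A practitioner triaging this report therefore wants to separate note creations from collateral modification of existing files before turning any of it into a hunt. The helper below is an added example, not part of the original report or of any sandbox's own code. It parses the flattened row layout used on this page (description, indicator path, process path, target) and assumes, since the report does not say so, that the process column is the last C:\-rooted token in the row and that the target column is a single token (N/A here). The sample rows are copied from the tables above.

```python
"""Triage helper for flattened sandbox file-event rows (added example, not report code).

Each row reads: <description> <indicator path> <process path> <target>.
Assumptions not stated by the report: the process column is the last
'C:\\'-rooted token in the row and the target column is a single token.
"""
from collections import Counter
from pathlib import PureWindowsPath

DESCRIPTIONS = ("File opened for modification", "File created")
RANSOM_NOTE = "readthisnow.txt"             # note name seen throughout the report
SHELL_METADATA = {"desktop.ini", "autorun.inf"}

# Process path copied from the report's rows.
SAMPLE_PROC = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe")

# (description, indicator) pairs copied from the tables above.
SAMPLE_ROWS = [
    ("File opened for modification", r"C:\Users\Admin\Desktop\desktop.ini"),
    ("File opened for modification",
     r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini"),
    ("File opened for modification", r"C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf"),
    ("File opened for modification", r"C:\Windows\System32\de-DE\fhtask.dll.mui"),
    ("File created",
     r"C:\Windows\System32\DriverStore\FileRepository\netwew00.inf_amd64_325c0bd6349ed81c\READTHISNOW.txt"),
    ("File created", r"C:\Windows\SysWOW64\IME\SHARED\READTHISNOW.txt"),
    ("File created", r"C:\Program Files\Mozilla Firefox\browser\READTHISNOW.txt"),
    ("File opened for modification",
     r"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared"
     r"\THEMES16\REFINED\REFINED.INF"),
]
SAMPLE_EVENTS = [f"{desc} {path} {SAMPLE_PROC} N/A" for desc, path in SAMPLE_ROWS]


def parse_event(line: str) -> dict:
    """Split one flattened row into description / indicator / process / target."""
    line = line.strip()
    for desc in DESCRIPTIONS:
        if line.startswith(desc + " "):
            rest = line[len(desc) + 1:]
            break
    else:
        raise ValueError(f"unknown description in row: {line[:40]!r}")
    # Assumption: target is a single trailing token ("N/A" on this page).
    rest, target = rest.rsplit(" ", 1)
    if target == "N/A":
        target = None
    # Assumption: the process path is the last "C:\"-rooted token, so indicator
    # paths that contain spaces (Program Files, Start Menu, ...) stay intact.
    cut = rest.rfind(" C:\\")
    if cut < 0:
        raise ValueError(f"no process path in row: {line[:40]!r}")
    return {"description": desc, "indicator": rest[:cut],
            "process": rest[cut + 1:], "target": target}


def classify(event: dict) -> str:
    """Label a row by what it tells the responder, not by the sandbox signature."""
    name = PureWindowsPath(event["indicator"]).name.lower()
    created = event["description"] == "File created"
    if created and name == RANSOM_NOTE:
        return "ransom_note"                      # note dropped next to encrypted files
    if name in SHELL_METADATA:
        # A real autorun/desktop.ini plant would be a creation; a modification of an
        # existing one is collateral from the encryption walk.
        return "shell_metadata_created" if created else "shell_metadata_modified"
    return "other_created" if created else "existing_file_modified"


def signature_is_creation(events: list, basename: str) -> bool:
    """True only if some row actually *created* a file with this basename."""
    return any(e["description"] == "File created"
               and PureWindowsPath(e["indicator"]).name.lower() == basename.lower()
               for e in events)


def summarize(lines: list) -> dict:
    """Counts per label, directories holding ransom notes, and the writing process(es)."""
    events = [parse_event(l) for l in lines if l.strip()]
    counts = Counter(classify(e) for e in events)
    note_dirs = sorted({str(PureWindowsPath(e["indicator"]).parent)
                        for e in events if classify(e) == "ransom_note"})
    return {"counts": dict(counts), "note_dirs": note_dirs,
            "processes": sorted({e["process"] for e in events})}


if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS)
    for label, n in sorted(report["counts"].items()):
        print(f"{label:26s} {n}")
    print("ransom-note directories:", *report["note_dirs"], sep="\n  ")
```

Run against the full export of these tables, note_dirs gives a hunt list for READTHISNOW.txt on other hosts, and signature_is_creation(events, "autorun.inf") answers whether the "Drops autorun.inf file" signature reflects a planted file (it does not for the rows on this page). The 22655 renamed files carry an added extension the report does not print, so keying a hunt on that extension requires pulling it from the renamed-file list rather than guessing it.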

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\READTHISNOW.txt C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\REFINED.INF C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\READTHISNOW.txt C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\READTHISNOW.txt C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-16_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.scale-125.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\whatsnewsrc\bulletin_board.html C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-30_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\READTHISNOW.txt C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-cn\ui-strings.js C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nl-nl\ui-strings.js C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-ma\ui-strings.js C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\identity_proxy\win10\identity_helper.Sparse.Dev.msix.DATA C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\WideTile.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\version.js C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006 C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedStoreLogo.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File created C:\Program Files\WindowsApps\MutableBackup\READTHISNOW.txt C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-100.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\it_get.svg C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\READTHISNOW.txt C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\READTHISNOW.txt C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-32_contrast-black.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-30_altform-fullcolor.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.aff C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\japanese_over.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Scan_visual.svg C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-ae\ui-strings.js C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\net.properties C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXT C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-256_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageSmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Standard.targetsize-24_contrast-black.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\it-it\READTHISNOW.txt C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Subtle Solids.eftx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ro-RO\View3d\READTHISNOW.txt C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_contrast-black.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\READTHISNOW.txt C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Wide310x150Logo.scale-200.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-16_contrast-white.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxBadge.scale-100.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_reject_18.svg C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\READTHISNOW.txt C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\VisualElements\LogoDev.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\vpaid.js C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Tongue.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\READTHISNOW.txt C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-256_altform-colorize.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File created C:\Program Files (x86)\Windows Media Player\en-US\READTHISNOW.txt C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File created C:\Program Files\Windows Media Player\es-ES\READTHISNOW.txt C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.513.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\READTHISNOW.txt C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-32_contrast-black.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Light.scale-200.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-fr\READTHISNOW.txt C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\pt-br\READTHISNOW.txt C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\identity_proxy\win10\identity_helper.Sparse.Canary.msix C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-200.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\Assets\LockScreenLogo.scale-200.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\speech\040c\READTHISNOW.txt C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSplashScreen.scale-150.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\SystemResources\Windows.SystemToast.Calling\Images\Answer.scale-100.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\SystemResources\Windows.UI.Shell\Images\RequestedDownloadsCloudIcon.scale-100.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.19041.1_none_b3552a6f4dc424b4_vga865.fon_08a7fd42 C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\Globalization\ELS\SpellDictionaries\Fluency\it-IT\it_IT_word_c.lm1 C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\PolicyDefinitions\NetworkIsolation.admx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\PolicyDefinitions\fr-FR\ExploitGuard.adml C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\SystemResources\Windows.UI.SettingsAdminFlowUIThreshold\SystemSettingsThresholdAdminFlowUI\Assets\Fonts\SetMDL2.ttf C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_it-it_f9852e0df4948a55_memtest.efi.mui_71e15c22 C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..gon-tools.resources_31bf3856ad364e35_10.0.19041.1_it-it_5848673efb3c9ce2_wlrmdr.exe.mui_ee563c83 C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..e-ws2ifsl.resources_31bf3856ad364e35_10.0.19041.1_de-de_36b58c017f3edc8c_ws2ifsl.sys.mui_b672c7b4 C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\WinSxS\FileMaps\$$_inf_.netframework_0c0a_fd6b7fcf492701e0.cdf-ms C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\Cursors\lwe.cur C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\App_LocalResources\setUpAuthentication.aspx.ja.resx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\wide310x150logo.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\pris\resources.en-US.pri C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\SystemResources\mmcndmgr.dll.mun C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_zh-tw_d05d0ca80efc5352_memtest.efi.mui_71e15c22 C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\WinSxS\Catalogs\5bbf36e940b3edeb9f861f524afe605e8f43962ff7df5e1f0e8b920aa6837c49.cat C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\WinSxS\Catalogs\90cf7eb4e698c218e0e31b44329a33e9890e68a32082ac54810144a0a1f8aa34.cat C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File created C:\Windows\INF\ESENT\0411\READTHISNOW.txt C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardAuthentication.ascx.it.resx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare44x44Logo.targetsize-256.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-codeintegrity_31bf3856ad364e35_10.0.19041.1_none_5668fec1a41d6ac1.manifest C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.1165_none_1ea3d2b20faf7de3.manifest C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy_assets_c21827d4b5b1e098.cdf-ms C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\WinSxS\FileMaps\program_files_windows_nt_accessories_156d2b9b22040474.cdf-ms C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\WinSxS\FileMaps\program_files_windowspowershell_modules_microsoft.powershell.operation.validation_1.0.1_test_modules_e8d0be90463f9526.cdf-ms C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\PrintDialog\pris\resources.en-US.pri C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.19041.1_none_3947da6a963cb0d8_vgasys.fon_5d8bebb4 C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\WinSxS\Catalogs\3ef03c3ddba3d57b9c41c3bb18f913513f9f904d8bc109b918603d926ca01d1d.cat C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\INF\prnms004.inf C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\http_gen.htm C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\SystemResources\tapiui.dll.mun C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_datasvcutil.resources_b77a5c561934e089_4.0.15805.0_es-es_2b5cf3604a5d6947.manifest C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\error.aspx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\PolicyDefinitions\es-ES\WinCal.adml C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\PolicyDefinitions\it-IT\Desktop.adml C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\pris\resources.fr-FR.pri C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\SystemApps\Windows.CBSPreview_cw5n1h2txyewy\Assets\Square44x44Logo.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-network-security_31bf3856ad364e35_10.0.19041.1266_none_41ea436edfbc2e32_wfplwfs.sys_df3e0120 C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\WinSxS\FileMaps\$$_speech_onecore_engines_tts_fr-fr_f906afed4a66a22d.cdf-ms C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_avc.inf.resources_31bf3856ad364e35_10.0.19041.1_de-de_2118dc217a1f3309.manifest C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\aspnet_regsql.resources\v4.0_4.0.0.0_ja_b03f5f7f11d50a3a\READTHISNOW.txt C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\square150x150logo.scale-200.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\css\oobe-desktop.css C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\WinSxS\Catalogs\3642cfd96cb154878c86ba96a5e85528bc1ebec28c32a753ea7b3e6f4f27f687.cat C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\WinSxS\FileMaps\$$_syswow64_installshield_setupdir_0404_5cf94eeaecb97d26.cdf-ms C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\WinSxS\FileMaps\program_files_x86_windowspowershell_modules_microsoft.powershell.operation.validation_1.0.1_test_mod_50efb57bfee10fa1.cdf-ms C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\Boot\EFI\pt-PT\bootmgr.efi.mui C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\INF\mdmsuprv.inf C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\GAC\es\READTHISNOW.txt C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_tr-tr_598a7972aa1517cc.manifest C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\WinSxS\FileMaps\$$_microsoft.net_assembly_gac_msil_system.xml.serialization_v4.0_4.0.0.0_b77a5c561934e089_6ff3201afb2eac30.cdf-ms C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\INF\.NET Data Provider for Oracle\0407\_DataOracleClientPerfCounters_shared12_neutral_d.ini C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\Installer\82a0.msi C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardProviderInfo.ascx.resx C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\WinSxS\FileMaps\$$_branding_basebrd_uk-ua_7027bafd15acef2f.cdf-ms C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_psdesiredstateconfiguration_dscclassresources_windowspack_4a00dae890140b2c.cdf-ms C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\PolicyDefinitions\es-ES\Desktop.adml C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File created C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\pris\READTHISNOW.txt C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\dom\images\BreadcrumbScrollRightHover.png C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe N/A

Browser Information Discovery

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe

"C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp

Files

C:\8e056885788215100b95f8050bba49\READTHISNOW.txt

MD5 8ab863dd5654b1d2fc00b0ee491c1193
SHA1 5f9795c4d306ed1852ab75e3f1f8fed825033a70
SHA256 4c37cea4272a4638452f3d74ef337f6f5eb33ec065284fe40352d8a95e5a7ccc
SHA512 ec91450d3ff76fdc9648ae88c8817d486aee21783cece971862344e07348ded30e22e11c196829cd8e96c7e341c84e81216769a6792794031990f91909591142

C:\$Recycle.Bin\S-1-5-21-3299287909-2279959458-198972791-1000\desktop.ini

MD5 e8cb0adf38a2b8c8a20227ac3b5879b1
SHA1 000c0937dc913adc9b1ee593fc0fbc035b420b29
SHA256 91605fe1ae56c359d6afce862de8f2a09a0dbc0834f63f44655a8e625b7e740a
SHA512 fd86c734a9bfd0d67a3f5f541643c341f9561009ab8147396f0fa39e901be031d86a3e549b70b0201147240b1e5dc90e2d0079e5563552235d7fa6c193e6b469