Analysis Overview
SHA256
84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e
Threat Level: Likely malicious
The file 84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe was found to be: Likely malicious.
Malicious Activity Summary
Renames multiple (22655) files with added filename extension
Drops file in Drivers directory
Reads user/profile data of web browsers
Indicator Removal: Clear Windows Event Logs
Drops startup file
Credentials from Password Stores: Windows Credential Manager
Boot or Logon Autostart Execution: Print Processors
Drops desktop.ini file(s)
Drops autorun.inf file
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Browser Information Discovery
Unsigned PE
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-15 06:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-15 06:45
Reported
2025-05-15 06:48
Platform
win10v2004-20250502-en
Max time kernel
149s
Max time network
138s
Command Line
Signatures
Renames multiple (22655) files with added filename extension
Drops file in Drivers directory
Boot or Logon Autostart Execution: Print Processors
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\System32\spool\prtprocs\x64\READTHISNOW.txt | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READTHISNOW.txt | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
Indicator Removal: Clear Windows Event Logs
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-HelloForBusiness%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Application.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4ActionCenter.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Device Registration%4Admin.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SettingSync%4Debug.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-HotspotAuth%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Internet Explorer.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Audio%4CaptureMonitor.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-SPP-UX-Notifications%4ActionCenter.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-VHDMP-Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4FirewallDiagnostics.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-UniversalTelemetryClient%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBClient%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-BindFlt%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Privacy-Auditing%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Restricted.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-WinRM%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceSetupManager%4Admin.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceSetupManager%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Admin.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Security.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Setup.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Audit.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SettingSync%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\HardwareEvents.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-PushNotification-Platform%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-VDRVROOT%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs%4Operational.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Maintenance.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-3299287909-2279959458-198972791-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\Downloaded Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\Media\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\de-DE\fhtask.dll.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\de-DE\tscfgwmi.dll.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\spp\tokens\skus\Professional\Professional-OEM-DM-2-ul-phn-rtm.xrm-ms | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-8-pl-rtm.xrm-ms | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PAW-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_LogResource\es-ES\MSFT_LogResource.schema.mfl | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-KernelInt-VSP-merged-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\de-DE\lprmon.dll.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\en-US\ppcsnap.dll.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netwew00.inf_amd64_325c0bd6349ed81c\READTHISNOW.txt | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\fr-FR\vca.inf_loc | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\en-US\loadperf.dll.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WindowsOptionalFeature\fr-FR\MSFT_WindowsOptionalFeature.strings.psd1 | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\es-ES\sxproxy.dll.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\en-US\TSWorkspace.dll.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\fr-FR\CheckNetIsolation.exe.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\fr-FR\Windows.UI.PicturePassword.dll.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File created | C:\Windows\SysWOW64\IME\SHARED\READTHISNOW.txt | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\MSFT_NetEventPacketCaptureProvider.format.ps1xml | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File created | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ScheduledTasks\READTHISNOW.txt | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\de-DE\fpb.rs.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\ja-jp\wsdapi.dll.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\spp\tokens\skus\Enterprise\Enterprise-Volume-CSVLK-1-ul-store-rtm.xrm-ms | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\wbem\AutoRecover\0F6999175ECAE7FD86A81D5F3AC1FA46.mof | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\wbem\AutoRecover\6D15B1C3AE92D91DCD86360CCC4F53B4.mof | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\en-US\explorerframe.dll.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\es-ES\dusmsvc.dll.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\fr-FR\dimsroam.dll.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\uk-UA\schedsvc.dll.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\wbem\ja-JP\embeddedlockdownwmi.mfl | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ja-JP\cdosys.dll.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Worker-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.488.cat | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\es-ES\ContentDeliveryManager.Utilities.dll.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\en-US\InstallService.dll.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ja-JP\CloudNotifications.exe.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\Speech\SpeechUX\de-DE\speechuxcpl.dll.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\ja-jp\ifmon.dll.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\wbem\es-ES\Win32_DeviceGuard.mfl | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Media-Streaming-merged-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Shell-CustomShellHost-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.844.cat | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\de-DE\pcbp.rs.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\fr-FR\wdc.dll.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\it-IT\D3DSCache.dll.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\it-IT\UserDataService.dll.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\wbem\fr-FR\EventTracingManagement.dll.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\en-US\Windows.UI.Input.Inking.dll.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-IsolatedVm-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\DSCResourceHelper.psm1 | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\en-US\scksp.dll.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\wbem\en-US\WdacWmiProv.Dll.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Keywords\ti_cnn_zh-CN.table | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.cat | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Embedded-ShellLauncher-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netbvbda.inf_amd64_06bc8afcd2617abf\READTHISNOW.txt | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\pmem.inf_amd64_acec109593aed940\pmem.inf | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\en-US\TabSvc.dll.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\en-US\ncrypt.dll.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Hypervisor-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RoleResource\it-IT\MSFT_RoleResourceStrings.psd1 | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\es-ES\bcdboot.exe.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\wbem\AutoRecover\AE25594AECD77BF35F6E794162F4DD77.mof | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\it-IT\twinui.appcore.dll.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Multimedia-CastingTransmitter-Media-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\READTHISNOW.txt | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\REFINED.INF | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\READTHISNOW.txt | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\READTHISNOW.txt | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-16_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.scale-125.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\whatsnewsrc\bulletin_board.html | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-30_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\READTHISNOW.txt | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-cn\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nl-nl\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-ma\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\identity_proxy\win10\identity_helper.Sparse.Dev.msix.DATA | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\WideTile.scale-200_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\version.js | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006 | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedStoreLogo.scale-100_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File created | C:\Program Files\WindowsApps\MutableBackup\READTHISNOW.txt | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-100.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\it_get.svg | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\READTHISNOW.txt | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\READTHISNOW.txt | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-125_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-200_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-32_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-30_altform-fullcolor.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.aff | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\japanese_over.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Scan_visual.svg | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-ae\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\net.properties | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXT | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-256_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageSmallTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Standard.targetsize-24_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\it-it\READTHISNOW.txt | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Subtle Solids.eftx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ro-RO\View3d\READTHISNOW.txt | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\READTHISNOW.txt | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Wide310x150Logo.scale-200.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-125_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-16_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxBadge.scale-100.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_reject_18.svg | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\READTHISNOW.txt | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\VisualElements\LogoDev.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\vpaid.js | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Tongue.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\READTHISNOW.txt | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-256_altform-colorize.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File created | C:\Program Files (x86)\Windows Media Player\en-US\READTHISNOW.txt | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File created | C:\Program Files\Windows Media Player\es-ES\READTHISNOW.txt | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.513.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\READTHISNOW.txt | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-32_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Light.scale-200.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-fr\READTHISNOW.txt | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\pt-br\READTHISNOW.txt | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\identity_proxy\win10\identity_helper.Sparse.Canary.msix | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-200.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\Assets\LockScreenLogo.scale-200.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\speech\040c\READTHISNOW.txt | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSplashScreen.scale-150.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\SystemResources\Windows.SystemToast.Calling\Images\Answer.scale-100.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\SystemResources\Windows.UI.Shell\Images\RequestedDownloadsCloudIcon.scale-100.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.19041.1_none_b3552a6f4dc424b4_vga865.fon_08a7fd42 | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\Globalization\ELS\SpellDictionaries\Fluency\it-IT\it_IT_word_c.lm1 | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\PolicyDefinitions\NetworkIsolation.admx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\PolicyDefinitions\fr-FR\ExploitGuard.adml | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\SystemResources\Windows.UI.SettingsAdminFlowUIThreshold\SystemSettingsThresholdAdminFlowUI\Assets\Fonts\SetMDL2.ttf | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_it-it_f9852e0df4948a55_memtest.efi.mui_71e15c22 | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..gon-tools.resources_31bf3856ad364e35_10.0.19041.1_it-it_5848673efb3c9ce2_wlrmdr.exe.mui_ee563c83 | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..e-ws2ifsl.resources_31bf3856ad364e35_10.0.19041.1_de-de_36b58c017f3edc8c_ws2ifsl.sys.mui_b672c7b4 | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\FileMaps\$$_inf_.netframework_0c0a_fd6b7fcf492701e0.cdf-ms | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\Cursors\lwe.cur | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\App_LocalResources\setUpAuthentication.aspx.ja.resx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\wide310x150logo.scale-100_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\pris\resources.en-US.pri | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\SystemResources\mmcndmgr.dll.mun | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_zh-tw_d05d0ca80efc5352_memtest.efi.mui_71e15c22 | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Catalogs\5bbf36e940b3edeb9f861f524afe605e8f43962ff7df5e1f0e8b920aa6837c49.cat | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Catalogs\90cf7eb4e698c218e0e31b44329a33e9890e68a32082ac54810144a0a1f8aa34.cat | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File created | C:\Windows\INF\ESENT\0411\READTHISNOW.txt | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardAuthentication.ascx.it.resx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare44x44Logo.targetsize-256.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-codeintegrity_31bf3856ad364e35_10.0.19041.1_none_5668fec1a41d6ac1.manifest | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.1165_none_1ea3d2b20faf7de3.manifest | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy_assets_c21827d4b5b1e098.cdf-ms | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\FileMaps\program_files_windows_nt_accessories_156d2b9b22040474.cdf-ms | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\FileMaps\program_files_windowspowershell_modules_microsoft.powershell.operation.validation_1.0.1_test_modules_e8d0be90463f9526.cdf-ms | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\PrintDialog\pris\resources.en-US.pri | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.19041.1_none_3947da6a963cb0d8_vgasys.fon_5d8bebb4 | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Catalogs\3ef03c3ddba3d57b9c41c3bb18f913513f9f904d8bc109b918603d926ca01d1d.cat | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\INF\prnms004.inf | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\http_gen.htm | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\SystemResources\tapiui.dll.mun | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_datasvcutil.resources_b77a5c561934e089_4.0.15805.0_es-es_2b5cf3604a5d6947.manifest | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\error.aspx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\PolicyDefinitions\es-ES\WinCal.adml | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\PolicyDefinitions\it-IT\Desktop.adml | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\pris\resources.fr-FR.pri | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Windows.CBSPreview_cw5n1h2txyewy\Assets\Square44x44Logo.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-network-security_31bf3856ad364e35_10.0.19041.1266_none_41ea436edfbc2e32_wfplwfs.sys_df3e0120 | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\FileMaps\$$_speech_onecore_engines_tts_fr-fr_f906afed4a66a22d.cdf-ms | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_avc.inf.resources_31bf3856ad364e35_10.0.19041.1_de-de_2118dc217a1f3309.manifest | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\aspnet_regsql.resources\v4.0_4.0.0.0_ja_b03f5f7f11d50a3a\READTHISNOW.txt | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\square150x150logo.scale-200.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\css\oobe-desktop.css | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Catalogs\3642cfd96cb154878c86ba96a5e85528bc1ebec28c32a753ea7b3e6f4f27f687.cat | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\FileMaps\$$_syswow64_installshield_setupdir_0404_5cf94eeaecb97d26.cdf-ms | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\FileMaps\program_files_x86_windowspowershell_modules_microsoft.powershell.operation.validation_1.0.1_test_mod_50efb57bfee10fa1.cdf-ms | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\pt-PT\bootmgr.efi.mui | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\INF\mdmsuprv.inf | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\GAC\es\READTHISNOW.txt | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_tr-tr_598a7972aa1517cc.manifest | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\FileMaps\$$_microsoft.net_assembly_gac_msil_system.xml.serialization_v4.0_4.0.0.0_b77a5c561934e089_6ff3201afb2eac30.cdf-ms | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\INF\.NET Data Provider for Oracle\0407\_DataOracleClientPerfCounters_shared12_neutral_d.ini | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\Installer\82a0.msi | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardProviderInfo.ascx.resx | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\FileMaps\$$_branding_basebrd_uk-ua_7027bafd15acef2f.cdf-ms | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_psdesiredstateconfiguration_dscclassresources_windowspack_4a00dae890140b2c.cdf-ms | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\PolicyDefinitions\es-ES\Desktop.adml | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\pris\READTHISNOW.txt | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\dom\images\BreadcrumbScrollRightHover.png | C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe | N/A |
Browser Information Discovery
Processes
C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe
"C:\Users\Admin\AppData\Local\Temp\84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
Files
C:\8e056885788215100b95f8050bba49\READTHISNOW.txt
| MD5 | 8ab863dd5654b1d2fc00b0ee491c1193 |
| SHA1 | 5f9795c4d306ed1852ab75e3f1f8fed825033a70 |
| SHA256 | 4c37cea4272a4638452f3d74ef337f6f5eb33ec065284fe40352d8a95e5a7ccc |
| SHA512 | ec91450d3ff76fdc9648ae88c8817d486aee21783cece971862344e07348ded30e22e11c196829cd8e96c7e341c84e81216769a6792794031990f91909591142 |
C:\$Recycle.Bin\S-1-5-21-3299287909-2279959458-198972791-1000\desktop.ini
| MD5 | e8cb0adf38a2b8c8a20227ac3b5879b1 |
| SHA1 | 000c0937dc913adc9b1ee593fc0fbc035b420b29 |
| SHA256 | 91605fe1ae56c359d6afce862de8f2a09a0dbc0834f63f44655a8e625b7e740a |
| SHA512 | fd86c734a9bfd0d67a3f5f541643c341f9561009ab8147396f0fa39e901be031d86a3e549b70b0201147240b1e5dc90e2d0079e5563552235d7fa6c193e6b469 |
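The "Drops file in Windows directory" table above shows the pattern a responder needs to hunt for on other hosts: a READTHISNOW.txt note created in a directory right after the files in that directory are opened for modification, repeated across the tree (22655 renames in this detonation). The Files section supplies the note's hashes. The following is an added example, not code from the sandbox or from the sample: it sweeps a directory tree for files named READTHISNOW.txt, hashes each one against the SHA256 listed in this report, and counts the trailing suffix of every file that carries two or more suffixes. The name matching being case-insensitive and the two-suffix heuristic are this example's assumptions; the report does not state the extension the sample appends, so the constructed sample tree uses the placeholder `.enc`.

```python
"""Added example: sweep a directory tree for the ransom-note drops and renamed
files this report describes, and compare note hashes with the reported IOC.

Assumptions (not from the report): the note filename is matched
case-insensitively, and an "added extension" is detected heuristically as the
last suffix of any file with two or more suffixes. The report does not name the
extension the sample appends; the constructed sample tree uses '.enc'.
"""
import hashlib
import os
import tempfile
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

# IOCs taken from the Files section of this report.
NOTE_NAME = "READTHISNOW.txt"
NOTE_SHA256 = {
    "4c37cea4272a4638452f3d74ef337f6f5eb33ec065284fe40352d8a95e5a7ccc",
}


@dataclass(frozen=True)
class NoteHit:
    path: str
    sha256: str
    known: bool      # hash equals a reported IOC
    neighbours: int  # other files in the same directory (candidate encrypted files)


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so large trees do not exhaust memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt_notes(root, note_name: str = NOTE_NAME, iocs=NOTE_SHA256):
    """Return a NoteHit for every file named note_name under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != note_name.lower():
                continue
            p = Path(dirpath) / name
            digest = sha256_file(p)
            hits.append(NoteHit(str(p), digest, digest in iocs, len(files) - 1))
    return sorted(hits, key=lambda h: h.path)


def added_extension_counts(root, note_name: str = NOTE_NAME) -> Counter:
    """Heuristic: count the trailing suffix of every file with >= 2 suffixes.
    One suffix dominating the tree (thousands of 'x.png.<ext>', 'y.dll.<ext>')
    is the 'renames multiple files with added filename extension' pattern."""
    counts = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == note_name.lower():
                continue
            suffixes = Path(name).suffixes
            if len(suffixes) >= 2:
                counts[suffixes[-1].lower()] += 1
    return counts


def build_sample_tree() -> str:
    """Constructed sample tree (not data from the report): two directories,
    each holding a placeholder note and a few files with an added suffix."""
    root = tempfile.mkdtemp(prefix="ransom-hunt-")
    layout = {
        "Program Files/App/Assets": ["logo.png.enc", "readme.txt.enc", "app.exe.enc"],
        "Windows/PolicyDefinitions": ["Desktop.admx.enc", "WinCal.adml"],
    }
    for rel, names in layout.items():
        d = Path(root, rel)
        d.mkdir(parents=True)
        for n in names:
            (d / n).write_bytes(b"\x00" * 16)
        (d / NOTE_NAME).write_bytes(b"constructed placeholder note\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in hunt_notes(sample_root):
        flag = "KNOWN" if hit.known else "unknown-hash"
        print(f"{flag:13} {hit.sha256[:16]}  {hit.neighbours} neighbours  {hit.path}")
    print(added_extension_counts(sample_root).most_common(3))
```

Run it against a mounted image or a live host with `hunt_notes(r"C:\")`; a note whose hash differs from the reported one still matters, since ransom notes are often templated per victim, which is why the hit records the hash and the neighbour count rather than only the IOC match.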