Analysis
Max time kernel: 72s
Max time network: 28s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 03-12-2020 14:08
Static task: static1
Behavioral task: behavioral1
  Sample: 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe
  Resource: win10v20201028
General
Target: 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe
Size: 12KB
MD5: 0a5e38ff165e9e78e58fd5b47b19b86a
SHA1: d0cccb38776b7390bf8b0fc5ebe14a75b1dfa3ef
SHA256: 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5
SHA512: 330c946e02bab30f4f33a6b246c0ad3d83438dddd1572d499aca2af5a1789714b81ba08729c2917ad8b6090ccb2b476d3a88f6bfd537ebd5a2f0e8ff9048ab67
Malware Config
Extracted from: C:\$Recycle.Bin\S-1-5-21-293278959-2699126792-324916226-1000\HOW TO DECRYPT FILES.txt
Extracted value (the report does not label it; its form is that of a Bitcoin payment address): 37t6hwuzJbq6PtEgaxyS3AWyLS99qMGrt8
Signatures

Drops file in Drivers directory (3 IoCs)
Process: 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe
  File created: C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt
  File opened for modification: C:\Windows\SysWOW64\drivers\gmreadme.txt
Modifies extensions of user files (3 IoCs)
Ransomware generally changes the extension on encrypted files. Here the original name is kept and ".BD" is appended, so the pre-encryption filename is recoverable from the listing.
Process: 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe
  File renamed: C:\Users\Admin\Pictures\EnterSelect.png => C:\Users\Admin\Pictures\EnterSelect.png.BD
  File renamed: C:\Users\Admin\Pictures\SetEnter.png => C:\Users\Admin\Pictures\SetEnter.png.BD
  File renamed: C:\Users\Admin\Pictures\UnblockExit.png => C:\Users\Admin\Pictures\UnblockExit.png.BD
Drops startup file (1 IoC)
Process: 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc. No IoCs are listed for this signature in the report.
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WU17sDZVZ12PQjL.exe"
Note that the Run value (backslashes shown escaped as in the report, i.e. C:\Users\Admin\AppData\Local\Temp\WU17sDZVZ12PQjL.exe) points at a differently named executable in the user's Temp directory, not at the sample's own path; whether the sample copies itself there is not shown in this excerpt, so a responder should check that path on an infected host rather than assume it.
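The three signatures above (appended extension, the same note filename dropped in many directories, and a Run value pointing into a user-writable Temp directory) are the behavioural pattern a responder would want to pull out of a run like this one automatically. The following is an added example, not code from the sandbox vendor or from this report: it parses event lines in the report's own "description ioc process" shape and derives those indicators per process. The event lines for the sample are copied from the report; the explorer.exe lines, the thresholds (three renames, three note directories) and the function names are constructed for the example.

```python
"""Behavioural ransomware triage over sandbox file/registry events.

Added example, not part of the original report. Event lines follow the
report's "description ioc process" layout; thresholds are illustrative.
"""
import json
import re
from collections import Counter, defaultdict

SAMPLE_EXE = "319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe"

# Constructed event log. The SAMPLE_EXE lines are taken from the report;
# the explorer.exe lines are made up as a benign control.
EVENTS = [
    r"File renamed C:\Users\Admin\Pictures\EnterSelect.png => C:\Users\Admin\Pictures\EnterSelect.png.BD " + SAMPLE_EXE,
    r"File renamed C:\Users\Admin\Pictures\SetEnter.png => C:\Users\Admin\Pictures\SetEnter.png.BD " + SAMPLE_EXE,
    r"File renamed C:\Users\Admin\Pictures\UnblockExit.png => C:\Users\Admin\Pictures\UnblockExit.png.BD " + SAMPLE_EXE,
    r"File created C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt " + SAMPLE_EXE,
    r"File created C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt " + SAMPLE_EXE,
    r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt " + SAMPLE_EXE,
    r"File created C:\Program Files (x86)\Google\Update\1.3.35.452\HOW TO DECRYPT FILES.txt " + SAMPLE_EXE,
    r"File created C:\$Recycle.Bin\S-1-5-21-293278959-2699126792-324916226-1000\HOW TO DECRYPT FILES.txt " + SAMPLE_EXE,
    r"File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt " + SAMPLE_EXE,
    r"File opened for modification C:\Program Files\7-Zip\Lang\ro.txt " + SAMPLE_EXE,
    r"Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run " + SAMPLE_EXE,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WU17sDZVZ12PQjL.exe" ' + SAMPLE_EXE,
    r"File created C:\Users\Admin\Documents\notes.txt explorer.exe",
    r"File renamed C:\Users\Admin\Documents\draft.docx => C:\Users\Admin\Documents\final.docx explorer.exe",
]

# "<description> <ioc> <process>": the ioc may contain spaces, the process name may not.
EVENT_RE = re.compile(
    r"^(File created|File renamed|File opened for modification|Key created|Set value \(str\)) (.+) (\S+)$"
)
# Any hive/Wow6432Node variant of ...\CurrentVersion\Run\<value name>.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
# Autorun targets under a user-writable profile directory are the suspicious case.
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.I)


def parse_event(line):
    """Split one report line into (description, ioc, process); None if it does not parse."""
    m = EVENT_RE.match(line.strip())
    return m.groups() if m else None


def triage(lines, min_renames=3, min_note_dirs=3):
    """Return per-process findings: appended extension, ransom-note name, autorun entry, verdict."""
    state = defaultdict(lambda: {"suffixes": Counter(), "created": defaultdict(set),
                                 "modified": 0, "run": []})
    for parsed in map(parse_event, lines):
        if parsed is None:
            continue
        desc, ioc, proc = parsed
        s = state[proc]
        if desc == "File renamed":
            old, sep, new = ioc.partition(" => ")
            # Ransomware appends a marker to the old name; an ordinary rename replaces it.
            if sep and new.startswith(old) and len(new) > len(old):
                s["suffixes"][new[len(old):]] += 1
        elif desc == "File created":
            directory, _, name = ioc.rpartition("\\")
            s["created"][name].add(directory)
        elif desc == "File opened for modification":
            s["modified"] += 1
        elif desc == "Set value (str)":
            m = re.match(r'^(.*?) = "(.*)"$', ioc)
            if m and RUN_KEY_RE.search(m.group(1)):
                command = m.group(2).replace("\\\\", "\\")  # the report escapes backslashes
                s["run"].append({"name": m.group(1).rsplit("\\", 1)[-1],
                                 "command": command,
                                 "user_writable": bool(USER_WRITABLE_RE.search(command))})

    findings = {}
    for proc, s in state.items():
        f = {"modified_files": s["modified"]}
        if s["suffixes"]:
            suffix, n = s["suffixes"].most_common(1)[0]
            if n >= min_renames:
                f["encrypted_extension"] = suffix
                f["renamed_files"] = n
        # A note is one filename created in many unrelated directories.
        notes = {name: sorted(dirs) for name, dirs in s["created"].items()
                 if len(dirs) >= min_note_dirs}
        if notes:
            f["ransom_note"] = notes
        if s["run"]:
            f["autorun"] = s["run"]
        if "encrypted_extension" in f and "ransom_note" in f:
            f["verdict"] = "ransomware"
        elif "encrypted_extension" in f or "ransom_note" in f or s["run"]:
            f["verdict"] = "suspicious"
        else:
            f["verdict"] = "clean"
        findings[proc] = f
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(EVENTS), indent=2))
```

The rename check is deliberately strict (new name must be the old name plus a suffix) so that ordinary saves and renames by a benign process do not count; the note heuristic keys on the same filename appearing in several directories rather than on the string "DECRYPT", so it still fires on a family with a different note name.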
Drops file in System32 directory (927 IoCs; excerpt)
Process: 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe
  File created: C:\Windows\System32\DriverStore\FileRepository\hpoa1so.inf_amd64_neutral_4f1a3f1015001339\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\migration\WSMT\rras\replacementmanifests\Microsoft-Windows-RasApi-MigPlugin\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\prnkm005.inf_amd64_neutral_c03c9e328608873e\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\InstallShield\setupdir\0024\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\migration\WSMT\rras\replacementmanifests\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mdmcom1.inf_amd64_neutral_96c22c683482d8bd\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\msdri.inf_amd64_neutral_86bb50f34c49ae71\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\bthmtpenum.inf_amd64_neutral_c70e85b87ee4ece9\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\prnep00f.inf_amd64_neutral_a5f6001b957bd7e0\Amd64\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\InstallShield\setupdir\0816\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mdmfj2.inf_amd64_neutral_9c9eb67d406a1632\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mdmtdk.inf_amd64_neutral_e567adb271831b5d\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\en-US\Licenses\eval\Starter\HOW TO DECRYPT FILES.txt
  File opened for modification: C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\ClickDownNormal.gif
  File created: C:\Windows\System32\DriverStore\FileRepository\hidir.inf_amd64_neutral_5b48c4b1b49ca54a\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\prnfx002.inf_amd64_neutral_b6dd354531184f64\Amd64\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\prnlx00b.inf_amd64_neutral_89b555703683b583\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\transfercable.inf_amd64_neutral_82f4c743c8996d67\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\volsnap.inf_amd64_neutral_7499a4fac85b39fc\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\en-US\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\prnca00g.inf_amd64_neutral_6f76b14b2912fa55\Amd64\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\prnlx00a.inf_amd64_neutral_a89d2c01c0f43dfd\Amd64\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\wstorflt.inf_amd64_neutral_3db956c41708f7f5\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\en-US\Licenses\eval\Ultimate\HOW TO DECRYPT FILES.txt
  File opened for modification: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\en-US\about_BITS_Cmdlets.help.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mdmneuhs.inf_amd64_neutral_d1563e8412461eea\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\prnrc006.inf_amd64_neutral_7e12a60cc98d3f89\Amd64\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\prnle002.inf_amd64_neutral_c7564163ba063094\Amd64\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\brmfport.inf_amd64_neutral_f41f35e5c21bc350\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mdmrock4.inf_amd64_neutral_e45293c539584293\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\InstallShield\setupdir\001a\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\migwiz\dlmanifests\Networking-MPSSVC-Svc\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\prnnr003.inf_amd64_neutral_c07c33bfb5764bdb\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\tsusbhubfilter.inf_amd64_neutral_d0615d6fd67bad03\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\wpdmtp.inf_amd64_neutral_28f06ca2e38e8979\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\ws3cap.inf_amd64_neutral_eeaccb8f1560f5fb\HOW TO DECRYPT FILES.txt
  File opened for modification: C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\Column.bmp
  File created: C:\Windows\System32\DriverStore\FileRepository\mdmpenr.inf_amd64_neutral_34624840c3163a38\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\prnts002.inf_amd64_neutral_ad2aa922aa11af2c\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\prnso002.inf_amd64_neutral_c3b7ce4e6f71641f\Amd64\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\scrawpdo.inf_amd64_neutral_4c228493af8567bb\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\sisraid4.inf_amd64_neutral_65ab84e9830f6f4b\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\wiaca00i.inf_amd64_neutral_de104aaa48ee4b00\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\en-US\Licenses\eval\UltimateN\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\de-DE\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\hcw85b64.inf_amd64_neutral_22b436d5d06ab017\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-international-core\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\prnbr003.inf_amd64_neutral_dff45d1d0df04caf\Amd64\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\prnca00b.inf_amd64_neutral_4412894f52d39895\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\wialx003.inf_amd64_neutral_db618863f9347f9a\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\InstallShield\setupdir\0019\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\averfx2hbtv_x64.inf_amd64_neutral_7216b6fb23536c40\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\netl260a.inf_amd64_neutral_085226e1dfe76c55\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\rawsilo.inf_amd64_neutral_8eb7e6403ddbb7a8\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\sr-Latn-CS\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mdmnokia.inf_amd64_neutral_a8e9a41983d33a0b\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\prnlx005.inf_amd64_neutral_f65eeb9bff6bd8f3\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\scsidev.inf_amd64_neutral_a7f5d9f34b621dca\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\mdmnttme.inf_amd64_neutral_ece4b1cc5aee6a38\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\prnlx003.inf_amd64_neutral_d1510a8315a2ea0d\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\prnsv004.inf_amd64_neutral_fc4526bbfbd5feb1\Amd64\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\System32\DriverStore\FileRepository\fdc.inf_amd64_neutral_bbcfca39fdc02275\HOW TO DECRYPT FILES.txt
Drops file in Program Files directory (4064 IoCs; excerpt)
Process: 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe
  File created: C:\Program Files (x86)\Google\Update\1.3.35.452\HOW TO DECRYPT FILES.txt
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLowMask.bmp
  File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\10.png
  File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\16.png
  File opened for modification: C:\Program Files\7-Zip\Lang\ro.txt
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\calendar.html
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_over.png
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\17.png
  File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\THMBNAIL.PNG
  File created: C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\HOW TO DECRYPT FILES.txt
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\TAB_ON.GIF
  File opened for modification: C:\Program Files\7-Zip\Lang\si.txt
  File created: C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\HOW TO DECRYPT FILES.txt
  File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\PREVIEW.GIF
  File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_settings.png
  File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14516_.GIF
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\CASHREG.WAV
  File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\0.png
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_m.png
  File created: C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\HOW TO DECRYPT FILES.txt
  File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty.png
  File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\mobile_equalizer.html
  File created: C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\HOW TO DECRYPT FILES.txt
  File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_precomp_matte.wmv
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent_partly-cloudy.png
  File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.GIF
  File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\PREVIEW.GIF
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\background.gif
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR24F.GIF
  File created: C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\HOW TO DECRYPT FILES.txt
  File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21302_.GIF
  File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14677_.GIF
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImage.jpg
  File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\HOW TO DECRYPT FILES.txt
  File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382960.JPG
  File created: C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\HOW TO DECRYPT FILES.txt
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-disable.png
  File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\HOW TO DECRYPT FILES.txt
  File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_content-background.png
  File created: C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\HOW TO DECRYPT FILES.txt
  File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\24.png
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonUp_Off.png
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149018.JPG
  File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341499.JPG
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_WMC_LogoText.png
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macHandle.png
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_right.gif
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_decreaseindent.gif
  File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev.png
  File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_plain_Thumbnail.bmp
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR43B.GIF
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMask.bmp
  File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_h.png
  File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\35.png
  File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent_partly-cloudy.png
  File created: C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\HOW TO DECRYPT FILES.txt
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png
  File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\HOW TO DECRYPT FILES.txt
  File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\1047x576black.png
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt
Drops file in Windows directory (15524 IoCs; excerpt, cut off at the end of the page)
Process: 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe
  File opened for modification: C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\undocked_black_snow.png
  File created: C:\Windows\winsxs\x86_microsoft-windows-m..ents-mdac-oledb-vbs_31bf3856ad364e35_6.1.7600.16385_none_fa6fb0d85914f26e\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\winsxs\amd64_microsoft-windows-s..mmaintenanceservice_31bf3856ad364e35_6.1.7601.17514_none_9b73f7b9f6d6dd18\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-srhelper_31bf3856ad364e35_6.1.7600.16385_none_0ad949a3742e9872\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\winsxs\wow64_microsoft-windows-uiribbon.resources_31bf3856ad364e35_6.1.7600.16385_en-us_33ca509b38470ebb\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\Web\Wallpaper\Landscapes\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\winsxs\amd64_microsoft-windows-icm-ui_31bf3856ad364e35_6.1.7600.16385_none_964da911ba806d45\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\winsxs\amd64_microsoft-windows-m..ac-ado-ddl-security_31bf3856ad364e35_6.1.7601.17514_none_10549c4b57020e7c\HOW TO DECRYPT FILES.txt
  File opened for modification: C:\Windows\winsxs\amd64_microsoft-windows-o..c-style-performance_31bf3856ad364e35_6.1.7600.16385_none_1d8aecb671a2bda5\performance.png
  File created: C:\Windows\winsxs\amd64_microsoft-windows-tpm-tbs-core.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3d6364828cca0cab\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_da-dk_793bb4aa96902fa7\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\winsxs\x86_taskschedulersettings.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f34361298f0b5882\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\winsxs\amd64_microsoft-windows-s..estore-propertypage_31bf3856ad364e35_6.1.7601.17514_none_e907844a97552799\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\6ed2b26c49820b85b9f78ac7abceefa9\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\winsxs\amd64_microsoft-windows-optionalfeatures_31bf3856ad364e35_6.1.7600.16385_none_c25bebf1075ff6aa\HOW TO DECRYPT FILES.txt
  File opened for modification: C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_type_operators.help.txt
  File created: C:\Windows\winsxs\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.1.7600.16385_none_81d82fe9c216eb89\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\winsxs\amd64_microsoft-windows-branding-engine_31bf3856ad364e35_6.1.7600.16385_none_455eca447f151391\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\winsxs\amd64_microsoft-windows-usercpl_31bf3856ad364e35_6.1.7601.17514_none_e9f4f9f264be3731\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\winsxs\wow64_microsoft-windows-synchost_31bf3856ad364e35_6.1.7600.16385_none_cfcaa9124aa42f85\HOW TO DECRYPT FILES.txt
  File opened for modification: C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\(120DPI)alertIcon.png
  File created: C:\Windows\winsxs\x86_netfx-clr_mof_b03f5f7f11d50a3a_6.1.7601.17514_none_2247aad307749dd3\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\winsxs\amd64_mchgr.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_fd11d213229f2cdd\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\winsxs\amd64_microsoft-windows-u..em-core-classdriver_31bf3856ad364e35_6.1.7600.16385_none_8bf97498085ce154\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\winsxs\wow64_microsoft-windows-netbt_31bf3856ad364e35_6.1.7601.17514_none_c8df7823424473a1\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Vbe.Interop\14.0.0.0__71e9bce111e9429c\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.Linq\1efa0826492fcfdac41786f53d12106e\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\winsxs\amd64_microsoft-windows-s..executionprevention_31bf3856ad364e35_6.1.7600.16385_none_25d85b4a3e4a7709\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\winsxs\amd64_microsoft-windows-t..ingwizard.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0f51b73226ad24ea\HOW TO DECRYPT FILES.txt
  File opened for modification: C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_Break.help.txt
  File created: C:\Windows\winsxs\x86_microsoft-windows-shacct_31bf3856ad364e35_6.1.7601.17514_none_c8099d957fb7652d\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\winsxs\x86_netfx-webhightrust_config_b03f5f7f11d50a3a_6.1.7600.16385_none_74c08aa44dd33c76\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\winsxs\amd64_microsoft-windows-i..onal-keyboard-kbdcr_31bf3856ad364e35_6.1.7600.16385_none_d2b65c87335d3038\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\winsxs\amd64_microsoft-windows-msaatext.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f5f93cf9ca098ea3\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\winsxs\amd64_netfx-mscortim_dll_b03f5f7f11d50a3a_6.1.7600.16385_none_5b77eded0caaaee2\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\winsxs\x86_microsoft-windows-d2d.resources_31bf3856ad364e35_7.1.7601.16492_ja-jp_b967bc95f18be8a7\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\winsxs\x86_microsoft-windows-m..-mdac-rds-shape-rll_31bf3856ad364e35_6.1.7600.16385_none_d61b29a61a7467d6\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\winsxs\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_nl-nl_3f24ea55fd2a4156\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\winsxs\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_cs-cz_05c5e84e9f9316bf\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\winsxs\amd64_microsoft-windows-r..s-regkeys-component_31bf3856ad364e35_6.1.7601.17514_none_58b4153116c17b41\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\winsxs\amd64_microsoft-windows-sigverif_31bf3856ad364e35_6.1.7600.16385_none_178e7604150fa952\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\winsxs\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_tr-tr_f0c9665f2e20a28a\HOW TO DECRYPT FILES.txt
  File opened for modification: C:\Windows\winsxs\amd64_microsoft-windows-powershell_31bf3856ad364e35_7.2.7601.23317_none_15826c45002808dc\Windows PowerShell.lnk
  File created: C:\Windows\winsxs\amd64_netloop.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f643994ba4a197b9\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\winsxs\x86_microsoft-windows-font-fms.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1152ea63f00f2164\HOW TO DECRYPT FILES.txt
  File created:
C:\Windows\winsxs\amd64_microsoft-windows-s..-checkers.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5b5d7965948b0353\HOW TO DECRYPT FILES.txt 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-v..virtualdiskprovider_31bf3856ad364e35_6.1.7600.16385_none_59631737001e424e\HOW TO DECRYPT FILES.txt 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-wininit-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_bfd4501165b6d6c1\HOW TO DECRYPT FILES.txt 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe File created C:\Windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\HOW TO DECRYPT FILES.txt 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe File created C:\Windows\winsxs\amd64_mdmarn.inf_31bf3856ad364e35_6.1.7600.16385_none_36c04b56b6587575\HOW TO DECRYPT FILES.txt 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-iebrowsewebdiagnostic_31bf3856ad364e35_6.1.7601.17514_none_829f3aa88408cea0\HOW TO DECRYPT FILES.txt 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..sc-style-rectangles_31bf3856ad364e35_6.1.7600.16385_none_258f1924c482b7a1\NavigationUp_ButtonGraphic.png 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-powershell_31bf3856ad364e35_6.1.7601.18216_none_5b589c6dbd59342a\Windows PowerShell Modules.lnk 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-gadgets-calendar_31bf3856ad364e35_6.1.7600.16385_none_0dfaaaec65b0831b\corner.png 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe File 
created C:\Windows\winsxs\x86_microsoft-windows-cttunesvr.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c38c6272b5b46eb6\HOW TO DECRYPT FILES.txt 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Management.Activities\v4.0_3.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Entity\v4.0_4.0.0.0__b77a5c561934e089\HOW TO DECRYPT FILES.txt 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bb8769138813077\HOW TO DECRYPT FILES.txt 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe File created C:\Windows\winsxs\x86_microsoft-windows-acluifilefoldercomtool_31bf3856ad364e35_6.1.7600.16385_none_58257acb668f62bc\HOW TO DECRYPT FILES.txt 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-opengl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_fb3c72b3ee8af6e5\HOW TO DECRYPT FILES.txt 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-landscapes_31bf3856ad364e35_6.1.7600.16385_none_e57abb2f66db71a9\img7.jpg 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe File created C:\Windows\winsxs\wow64_microsoft-windows-i..ed-chinese-csapplet_31bf3856ad364e35_6.1.7600.16385_none_a7cb04c72ed0c12b\HOW TO DECRYPT FILES.txt 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe File created C:\Windows\winsxs\x86_microsoft-windows-m..ac-ado-ddl-security_31bf3856ad364e35_6.1.7601.17514_none_b43600c79ea49d46\HOW TO DECRYPT FILES.txt 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe File 
created C:\Windows\winsxs\amd64_microsoft-windows-encryptfilesonmove-adm_31bf3856ad364e35_6.1.7600.16385_none_0f3bfe2038024204\HOW TO DECRYPT FILES.txt 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe -
Modifies registry class 10 IoCs
Processes:
319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZFUOCNFJDMPZDFQ 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZFUOCNFJDMPZDFQ\ = "CRYPTED!" 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZFUOCNFJDMPZDFQ\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WU17sDZVZ12PQjL.exe,0" 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZFUOCNFJDMPZDFQ\shell\open\command 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZFUOCNFJDMPZDFQ\shell 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.BD 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZFUOCNFJDMPZDFQ\DefaultIcon 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZFUOCNFJDMPZDFQ\shell\open 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZFUOCNFJDMPZDFQ\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WU17sDZVZ12PQjL.exe" 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.BD\ = "ZFUOCNFJDMPZDFQ" 319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe "C:\Users\Admin\AppData\Local\Temp\319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5.exe"
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class