xorist | 4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa

General

Target

4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
Size

31KB
MD5

17203842d20a3f9f1bd351fa1e74bc0a
SHA1

aab2c104c49616776c563e667a211b62b37a2891
SHA256

4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa
SHA512

b29e928a20e1969545f3172ab37a75ef8d4b3d896b68fc55a2be1ae74214d2456ce994f589feb5dc33d21d21ef3dae44d81d48fc3c524288c96d60aa6a7c053a

Score

10^/10

xorist persistence ransomware spyware

Malware Config

Signatures

Detected Xorist Ransomware 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\9Jco18128GARf90.exe	family_xorist
C:\Users\Admin\AppData\Local\Temp\9Jco18128GARf90.exe	family_xorist
C:\Users\Admin\AppData\Local\Temp\9Jco18128GARf90.exe	family_xorist
C:\Users\Admin\AppData\Local\Temp\9Jco18128GARf90.exe	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist

Drops file in Drivers directory 3 IoCs

Processes:

4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe

Executes dropped EXE 3 IoCs

Processes:

9Jco18128GARf90.exe9Jco18128GARf90.exe9Jco18128GARf90.exe

pid process

684 9Jco18128GARf90.exe
1464 9Jco18128GARf90.exe
1812 9Jco18128GARf90.exe

pid	process
684	9Jco18128GARf90.exe
1464	9Jco18128GARf90.exe
1812	9Jco18128GARf90.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\GrantSave.png => C:\Users\Admin\Pictures\GrantSave.png.greedyfuckers	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\JoinEdit.png => C:\Users\Admin\Pictures\JoinEdit.png.greedyfuckers	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\TestUnprotect.png => C:\Users\Admin\Pictures\TestUnprotect.png.greedyfuckers	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe

Drops startup file 1 IoCs

Processes:

4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9Jco18128GARf90.exe"	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe

Drops file in System32 directory 927 IoCs

Processes:

4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\mdmaiwa3.inf_amd64_neutral_77e515342bd572cc\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\SysWOW64\Speech\SpeechUX\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\disk.inf_amd64_neutral_10ce25bbc5a9cc43\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_neutral_8693053514b10ee9\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\SysWOW64\es-ES\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\SysWOW64\IME\IMEJP10\APPLETS\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\eaphost.inf_amd64_neutral_4506dea11740c089\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netr28x.inf_amd64_neutral_c86d6d5c3810fc04\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmisdn.inf_amd64_neutral_061c61abd3904560\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep00a.inf_amd64_neutral_92a4c727cdf4c2f7\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiabr005.inf_amd64_neutral_e14a0514f37611d8\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cxfalpal_ibv64.inf_amd64_neutral_4c42ac5f00413365\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx007.inf_amd64_neutral_0b796ee4978458e2\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky009.inf_amd64_neutral_8e54c9ff272b72f1\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnle004.inf_amd64_neutral_beb9bf23b7202bff\Amd64\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_neutral_7a5f47d3150cc0eb\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx009.inf_amd64_neutral_d4b76afd08f308fb\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\SysWOW64\IME\imekr8\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\SysWOW64\Speech\SpeechUX\en-US\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\61883.inf_amd64_neutral_a64d66bac757464c\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ipmidrv.inf_amd64_neutral_1cb648411f252d13\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmsmart.inf_amd64_neutral_829e8c7d1c8d5207\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\ProfessionalN\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\EnterpriseN\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\SysWOW64\migwiz\en-US\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmusrk1.inf_amd64_neutral_19cdebd3e1182874\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmvv.inf_amd64_neutral_14cb440c800fe9fe\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\HomePremiumE\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\SysWOW64\ja-JP\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\SysWOW64\ru-RU\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hal.inf_amd64_neutral_232b95977cf6d84c\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep003.inf_amd64_neutral_92ed2d842e0dd4ea\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msdsm.inf_amd64_neutral_be2b348981b2ef17\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiabr004.inf_amd64_neutral_b1d90b3749c5e6a6\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaca00f.inf_amd64_neutral_f7f7e179d99acc58\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\AppInstalled.gif	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\averhbh826_noaverir_x64.inf_amd64_neutral_2fe3b14136d6e46d\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmjf56e.inf_amd64_neutral_328dabbf0aeed9bc\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\crcdisk.inf_amd64_neutral_d10626d1f8b423c3\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgl001.inf_amd64_neutral_9209e816461a1a73\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\en-US\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\SysWOW64\com\en-US\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmbsb.inf_amd64_neutral_56a9f6bceeec7f72\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgcs.inf_amd64_neutral_aafcd45e4e890862\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\winusb.inf_amd64_neutral_6cb50ae9f480775b\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wsdprint.inf_amd64_neutral_f91980f20f3112ed\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\HomeBasic\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msports.inf_amd64_neutral_fdcfb86ce78678d1\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ql40xx2.inf_amd64_neutral_b95932400326817e\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\SysWOW64\migration\WSMT\rras\dlmanifests\Microsoft-Windows-RasServer-MigPlugin\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Diagnostics\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmcom.inf_amd64_neutral_716a306ec3899e04\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0012\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\SysWOW64\spp\tokens\pkeyconfig\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00d.inf_amd64_neutral_0600b2ba575729f4\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\EnterpriseE\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiabr00a.inf_amd64_neutral_6033065925bcc882\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\Ultimate\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\SysWOW64\Speech\Common\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_neutral_aad30bdeec04ea5e\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\egfhjkmobcegikmo.bmp"	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\Wallpaper.jpg"	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe

Drops file in Program Files directory 4067 IoCs

Processes:

4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\AUTHORS.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\TAB_OFF.GIF	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_ButtonGraphic.png	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormToolImages.jpg	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\TAB_ON.GIF	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\oracle.gif	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_docked.png	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\SEARCH.GIF	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\settings.html	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\CAN.WAV	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_bottom.png	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\rollinghills.png	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_dot.png	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099157.JPG	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_snow.png	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382958.JPG	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_hov.png	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02097_.GIF	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21340_.GIF	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_right.png	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\EmptyDatabase.zip	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_rest.png	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-hot.png	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01562U.BMP	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveDrop32x32.gif	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\drag.png	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)grayStateIcon.png	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\rtf_underline.gif	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\DADSHIRT.HTM	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Program Files\VideoLAN\VLC\lua\sd\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\CURRENCY.GIF	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\view.html	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent_partly-cloudy.png	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382963.JPG	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-middle.png	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe

Drops file in Windows directory 15524 IoCs

Processes:

4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe

description	ioc	process
File created	C:\Windows\PLA\Reports\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-bth-user_31bf3856ad364e35_6.1.7601.17514_none_c33f455aebcd9dbb\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mediacenter-licensing_31bf3856ad364e35_6.1.7600.16385_none_1ce68bb283d4dc55\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-smartcard-adm_31bf3856ad364e35_6.1.7600.16385_none_eedd94bcedc87017\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\msil_microsoft.powershell.scheduledjob_31bf3856ad364e35_7.2.7601.16406_none_2fe5162c7a82fbb8\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..pwindowmanager-udwm_31bf3856ad364e35_6.1.7600.16385_none_e4880f65da28f3d0\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-remoteregistry-service_31bf3856ad364e35_6.1.7600.16385_none_e55af7609d2857a8\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\amd64_netfx-ieexec_b03f5f7f11d50a3a_6.1.7600.16385_none_7dfc94f7357c56d2\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_en-us_72e204af7ddd5d15\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\x86_netfx-mscorees_dll_31bf3856ad364e35_6.2.7601.17514_none_e38fc171883ae1dd\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.resources\v4.0_1.0.0.0_en_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_fi-fi_79b34814f7ded8e5\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-ftpextensibility_31bf3856ad364e35_6.1.7600.16385_none_3f9fd9d94f9c3588\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_6.1.7600.16385_none_9da1b3254ff796e9\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\x86_netfx35linq-system.web.entity_31bf3856ad364e35_6.1.7601.17514_none_3735edbaf131e268\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ndthemes-characters_31bf3856ad364e35_6.1.7600.16385_none_08da32b0fdad9220\Windows Hardware Insert.wav	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\amd64_prnca00y.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_644f5eb2171bf085\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-kernel32.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a3645f7773564239\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_functions.help.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\amd64_fdrespub.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b4ee55ea213abf40\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-dot3-netsh-helper_31bf3856ad364e35_6.1.7601.17514_none_38cd19d2dab6f4ad\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..console-nodemanager_31bf3856ad364e35_6.1.7601.17514_none_de55c2c637a7dc61\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-cttunesvr.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c38c6272b5b46eb6\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..dlinetool.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7d02b5319200e88c\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..madvanced.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0b3a5269a5b18d34\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wfplwf_31bf3856ad364e35_6.1.7600.16385_none_581185b3683f7a8f\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-lsa-msprivs.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4ffde94ddcccd87c\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Green Bubbles.htm	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-quirky_31bf3856ad364e35_6.1.7600.16385_none_e55404efe49bb9cb\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\amd64_volume.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d71b3bdfd9a663dc\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..ient-core.resources_31bf3856ad364e35_7.5.7601.17514_en-us_74a88136fae6c08c\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-encoderapi_31bf3856ad364e35_6.1.7600.16385_none_3da540704023bf4f\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\assembly\GAC_MSIL\SrpUxSnapIn\6.1.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.RegularExpressions\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\App_LocalResources\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..nt-sku-professional_31bf3856ad364e35_6.1.7601.17514_none_a8ea294e63b19921\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mrc_31bf3856ad364e35_6.1.7600.16385_none_a7050653bd8bd66b\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\amd64_battery.inf.resources_31bf3856ad364e35_6.1.7601.17514_en-us_c317c225509402e3\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..iewer-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a52b9d33ad78a3b3\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..olsratingsystem-web_31bf3856ad364e35_6.1.7600.16385_none_d16f41774bf65418\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_bg-bg_fe9dd62ff9adc95e\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-e..collector.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b4cdf0148751b64f\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\amd64_prnep002.inf_31bf3856ad364e35_6.1.7600.16385_none_9379fee912f1f625\Amd64\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-restore.resources_31bf3856ad364e35_6.1.7600.16385_en-us_419d6bc21a76eb84\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..unterinfrastructure_31bf3856ad364e35_6.1.7601.17514_none_da00ad1949e715ad\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\x86_aspnet_compiler_b03f5f7f11d50a3a_6.1.7600.16385_none_ed4e6c0f14dce27e\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\divider-horizontal.png	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..-checkers.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5b5d7965948b0353\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..r-chinesesimplified_31bf3856ad364e35_7.0.7600.16385_none_846207f778a0759c\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.FileSystem\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\amd64_vhdmp.inf_31bf3856ad364e35_6.1.7601.17514_none_04b663d6e03cd79b\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..d-chinese-shuangpin_31bf3856ad364e35_6.1.7600.16385_none_1e8c88df3830bbcc\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-writewin_31bf3856ad364e35_6.1.7600.16385_none_378836c309ee380e\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\x86_netfx35linq-system.web.extensions_31bf3856ad364e35_6.1.7601.17514_none_d0811375496c7c9b\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_d7244b05e242e449\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-lz32_31bf3856ad364e35_6.1.7600.16385_none_9265d35e8abc9706\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\amd64_netfx-dw_b03f5f7f11d50a3a_6.1.7600.16385_none_5a768666c3091014\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-drvstore_31bf3856ad364e35_6.1.7601.17514_none_f2fbbf16a1c74694\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..ional-codepage-1144_31bf3856ad364e35_6.1.7600.16385_none_22d449f56b0e6ead\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..river-rll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0d1725f302122e12\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File opened for modification	C:\Windows\Media\Landscape\Windows Battery Critical.wav	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ISECommon.resources\v4.0_3.0.0.0_en_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe

Modifies registry class 10 IoCs

Processes:

4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.greedyfuckers	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VIJXCKEJRBYMHSB\DefaultIcon	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VIJXCKEJRBYMHSB\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9Jco18128GARf90.exe,0"	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VIJXCKEJRBYMHSB\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9Jco18128GARf90.exe"	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VIJXCKEJRBYMHSB\shell\open	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.greedyfuckers\ = "VIJXCKEJRBYMHSB"	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VIJXCKEJRBYMHSB	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VIJXCKEJRBYMHSB\ = "CRYPTED!"	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VIJXCKEJRBYMHSB\shell\open\command	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VIJXCKEJRBYMHSB\shell	4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe

C:\Users\Admin\AppData\Local\Temp\4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa.bin.sample.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1584

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\HOW TO DECRYPT FILES.txt
1⤵
PID:1636

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW TO DECRYPT FILES.txt
1⤵
PID:1068

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\HOW TO DECRYPT FILES.txt
1⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\9Jco18128GARf90.exe
"C:\Users\Admin\AppData\Local\Temp\9Jco18128GARf90.exe"
1⤵
- Executes dropped EXE
PID:684

C:\Users\Admin\AppData\Local\Temp\9Jco18128GARf90.exe
"C:\Users\Admin\AppData\Local\Temp\9Jco18128GARf90.exe"
1⤵
- Executes dropped EXE
PID:1464

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt
1⤵
PID:576

C:\Users\Admin\AppData\Local\Temp\9Jco18128GARf90.exe
"C:\Users\Admin\AppData\Local\Temp\9Jco18128GARf90.exe"
1⤵
- Executes dropped EXE
PID:1812

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9Jco18128GARf90.exe
MD5
17203842d20a3f9f1bd351fa1e74bc0a

SHA1
aab2c104c49616776c563e667a211b62b37a2891

SHA256
4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa

SHA512
b29e928a20e1969545f3172ab37a75ef8d4b3d896b68fc55a2be1ae74214d2456ce994f589feb5dc33d21d21ef3dae44d81d48fc3c524288c96d60aa6a7c053a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9Jco18128GARf90.exe
MD5
17203842d20a3f9f1bd351fa1e74bc0a

SHA1
aab2c104c49616776c563e667a211b62b37a2891

SHA256
4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa

SHA512
b29e928a20e1969545f3172ab37a75ef8d4b3d896b68fc55a2be1ae74214d2456ce994f589feb5dc33d21d21ef3dae44d81d48fc3c524288c96d60aa6a7c053a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9Jco18128GARf90.exe
MD5
17203842d20a3f9f1bd351fa1e74bc0a

SHA1
aab2c104c49616776c563e667a211b62b37a2891

SHA256
4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa

SHA512
b29e928a20e1969545f3172ab37a75ef8d4b3d896b68fc55a2be1ae74214d2456ce994f589feb5dc33d21d21ef3dae44d81d48fc3c524288c96d60aa6a7c053a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9Jco18128GARf90.exe
MD5
17203842d20a3f9f1bd351fa1e74bc0a

SHA1
aab2c104c49616776c563e667a211b62b37a2891

SHA256
4d0294b99043ac0ee0c9ce751e94f11244474803b16028347eab6437e9aaaafa

SHA512
b29e928a20e1969545f3172ab37a75ef8d4b3d896b68fc55a2be1ae74214d2456ce994f589feb5dc33d21d21ef3dae44d81d48fc3c524288c96d60aa6a7c053a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt
MD5
8490ff947218404995577a0bf9c51144

SHA1
96da7d558f62952b3815f5087a1e3d29bdada4d2

SHA256
0c5e098aab7f08f7fef5039be76caa7818ecdd572377e97070729f95e32e71df

SHA512
860ea818de7f37b243c81857c3f4682f12f3da94219501bb37c83656e4da26f1a440fa72f9c1efe3d47cd3f11e4ab291f77433646d0092860a93745adcb6065e

Download Submit
C:\Users\Admin\Desktop\HOW TO DECRYPT FILES.txt
MD5
8490ff947218404995577a0bf9c51144

SHA1
96da7d558f62952b3815f5087a1e3d29bdada4d2

SHA256
0c5e098aab7f08f7fef5039be76caa7818ecdd572377e97070729f95e32e71df

SHA512
860ea818de7f37b243c81857c3f4682f12f3da94219501bb37c83656e4da26f1a440fa72f9c1efe3d47cd3f11e4ab291f77433646d0092860a93745adcb6065e

Download Submit
C:\Users\Public\Desktop\HOW TO DECRYPT FILES.txt
MD5
8490ff947218404995577a0bf9c51144

SHA1
96da7d558f62952b3815f5087a1e3d29bdada4d2

SHA256
0c5e098aab7f08f7fef5039be76caa7818ecdd572377e97070729f95e32e71df

SHA512
860ea818de7f37b243c81857c3f4682f12f3da94219501bb37c83656e4da26f1a440fa72f9c1efe3d47cd3f11e4ab291f77433646d0092860a93745adcb6065e

Download Submit
memory/1624-3-0x000007FEF68D0000-0x000007FEF6B4A000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads