Analysis

max time kernel: 133s
max time network: 32s
platform: windows7_x64
resource: win7v20210408
submitted: 19-04-2021 11:48

Static task: static1

Behavioral task: behavioral1
Sample: 6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
Resource: win7v20210408

Behavioral task: behavioral2
Sample: 6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
Resource: win10v20210408
General

Target: 6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
Size: 65KB
MD5: bff66efddf31e2835e50c778f0c338cd
SHA1: 0b0e24bd3b6889b10ea6f77f8ffd19b489da4e2f
SHA256: 6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56
SHA512: 0c781af46d4a366a3768faa3fa76e69a1532459a1a521d1048e485ef079c03716214c0c13abab1b2b67504ade3fd2316cdaf681f18129f98b82e92d66c32cdec

Malware Config

Extracted: C:\$Recycle.Bin\S-1-5-21-2455352368-1077083310-2879168483-1000\HOW TO DECRYPT FILES.txt
Signatures

Drops file in Drivers directory (3 IoCs)
Process (all rows): 6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
description | ioc
File created | C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt
File created | C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt
Drops startup file (1 IoC)
Process (all rows): 6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
description | ioc
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.
Adds Run key to start application (2 TTPs, 2 IoCs)
Process (all rows): 6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
description | ioc
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6f6Um0t6lTX1txd.exe"
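The Run value above is the persistence IoC worth triaging: it points at a renamed copy under the user's Temp directory rather than at the submitted sample, and it sits under Wow6432Node, which means it was written by a 32-bit process on 64-bit Windows (registry redirection, consistent with the SysWOW64 file drops in the other sections). The following is an added example, not part of the sandbox report, that parses a row in the report's `Set value (str) <key>\<name> = "<target>"` form and scores it. The second input row is a made-up benign entry for contrast, and the weights, thresholds and the `looks_random` heuristic are assumptions of this example, not sandbox rules.

```python
"""Triage of a Run-key persistence IoC in the form the sandbox reports it."""
import math
import re
from collections import Counter

RUN_VALUE_RE = re.compile(
    r'Set value \(str\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\\s]+) = "(?P<target>[^"]*)"'
)

# Directories a standard user can write to; an autorun pointing here needs
# no admin rights to plant and is where droppers usually park a copy.
USER_WRITABLE = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\local\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\programdata\\",
    "\\windows\\temp\\",
)


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(stem: str) -> bool:
    """Heuristic for generated file names: long, mixed case plus digits, high entropy."""
    return (
        len(stem) >= 8
        and any(ch.isupper() for ch in stem)
        and any(ch.islower() for ch in stem)
        and any(ch.isdigit() for ch in stem)
        and shannon_entropy(stem) >= 3.0
    )


def triage_run_value(line: str) -> dict:
    """Parse one 'Set value (str)' row and score it for persistence abuse."""
    m = RUN_VALUE_RE.search(line)
    if not m:
        raise ValueError("not a Run value row: " + line)
    key, name = m.group("key"), m.group("name")
    # The sandbox prints the string with escaped backslashes; undo that.
    target = m.group("target").replace("\\\\", "\\")
    lowered = target.lower()
    in_user_writable = any(d in lowered for d in USER_WRITABLE)
    in_temp = "\\temp\\" in lowered
    stem = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    random_name = looks_random(stem)
    # Wow6432Node: the writer was a 32-bit process on 64-bit Windows.
    wow64_writer = "wow6432node" in key.lower()
    score = 2 * in_user_writable + in_temp + random_name  # weights are assumptions
    return {
        "name": name,
        "target": target,
        "in_user_writable": in_user_writable,
        "in_temp": in_temp,
        "random_name": random_name,
        "wow64_writer": wow64_writer,
        "score": score,
        "suspicious": score >= 2,
    }


# Constructed input: the first row copies the report's IoC, the second is a
# made-up benign entry for contrast.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6f6Um0t6lTX1txd.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\system32\\SecurityHealthSystray.exe"',
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        r = triage_run_value(row)
        print(f'{r["name"]:15} score={r["score"]} suspicious={r["suspicious"]} -> {r["target"]}')
```

On a live host the same checks apply to the output of `reg query` against both the native and the Wow6432Node Run keys; the point of scoring the target path rather than the writer is that the dropped copy, not the submitted sample, is what survives a reboot.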
Drops file in System32 directory (64 IoCs)
Process (all rows): 6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
description | ioc
File opened for modification | C:\Windows\System32\catroot2\edb0046B.log
File created | C:\Windows\System32\DriverStore\FileRepository\avmx64c.inf_amd64_neutral_8ebb15bf548db022\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\hidserv.inf_amd64_neutral_f2223e39f37c69f3\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\mdmaus.inf_amd64_neutral_5fa4270b9924b918\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\mdmc26a.inf_amd64_neutral_547edd894d7c19d9\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\mdmmts.inf_amd64_neutral_b7f0a8d5f67c19e8\HOW TO DECRYPT FILES.txt
File created | C:\Windows\SysWOW64\InstallShield\setupdir\0c0c\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManaged.xsd
File created | C:\Windows\System32\DriverStore\FileRepository\hcw85c64.inf_amd64_neutral_96b71557b416d04a\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\mdmoptn.inf_amd64_neutral_be2f30f68f2a5567\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnca00z.inf_amd64_neutral_27f402ce616c3ebc\Amd64\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnsv004.inf_amd64_neutral_fc4526bbfbd5feb1\HOW TO DECRYPT FILES.txt
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\averfx2swtv_noavin_x64.inf_amd64_neutral_86943dd17860e449\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\faxca003.inf_amd64_neutral_5b8c7c1dda79bef4\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\mdmcdp.inf_amd64_neutral_170c11f3a6d3f0a8\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\wiahp001.inf_amd64_neutral_aee49cdf3b352e58\HOW TO DECRYPT FILES.txt
File created | C:\Windows\SysWOW64\en-US\Licenses\eval\HomePremiumE\HOW TO DECRYPT FILES.txt
File created | C:\Windows\SysWOW64\en-US\Licenses\_Default\Starter\HOW TO DECRYPT FILES.txt
File created | C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-TapiSetup\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\angel264.inf_amd64_neutral_04b54b6322607cce\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\mdmeric.inf_amd64_neutral_27c5b45728cc9ed0\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\mdmsun2.inf_amd64_neutral_242c76ad2e288fb4\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnbr00a.inf_amd64_neutral_e7f3f91e6832ef5c\Amd64\HOW TO DECRYPT FILES.txt
File created | C:\Windows\SysWOW64\InstallShield\setupdir\040c\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\mdmsonyu.inf_amd64_neutral_45152a8a9362fb82\HOW TO DECRYPT FILES.txt
File created | C:\Windows\SysWOW64\en-US\Licenses\eval\HomePremium\HOW TO DECRYPT FILES.txt
File created | C:\Windows\SysWOW64\sl-SI\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\mdmcpv.inf_amd64_neutral_5667cca434e3a6b7\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\ph3xibc1.inf_amd64_neutral_662220c3016bb4d0\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnca00d.inf_amd64_neutral_0600b2ba575729f4\Amd64\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_neutral_9b214cd9b78760aa\HOW TO DECRYPT FILES.txt
File created | C:\Windows\SysWOW64\Speech\Engines\SR\en-US\HOW TO DECRYPT FILES.txt
File created | C:\Windows\SysWOW64\wdi\perftrack\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\brmfcmdm.inf_amd64_neutral_af49d2f3ffa12116\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\mdmnttd2.inf_amd64_neutral_9dcd97ab7a913b7a\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\HOW TO DECRYPT FILES.txt
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Examples\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\netbvbda.inf_amd64_neutral_2bfa4ea57bd5d74a\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\block.xsd
File created | C:\Windows\System32\DriverStore\FileRepository\prnky005.inf_amd64_neutral_8836be987024e6a9\Amd64\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\kscaptur.inf_amd64_neutral_6cb3fb6811a3f83d\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prngt004.inf_amd64_neutral_f5bf8a7ba9dfff55\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\wdmaudio.inf_amd64_neutral_423894ded0ba8fdf\HOW TO DECRYPT FILES.txt
File created | C:\Windows\SysWOW64\Msdtc\Trace\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnlx007.inf_amd64_neutral_0b796ee4978458e2\Amd64\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnrc005.inf_amd64_neutral_31e08a1c2f933124\Amd64\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\wvmbus.inf_amd64_neutral_fca91999602b0343\HOW TO DECRYPT FILES.txt
File created | C:\Windows\SysWOW64\en-US\Licenses\eval\StarterE\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\System32\catroot2\edb0046D.log
File created | C:\Windows\System32\DriverStore\FileRepository\prngt002.inf_amd64_neutral_df2060d80de9ff13\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prngt003.inf_amd64_neutral_8c9aae54a5673a35\Amd64\HOW TO DECRYPT FILES.txt
File created | C:\Windows\SysWOW64\migration\WSMT\rras\replacementmanifests\HOW TO DECRYPT FILES.txt
File created | C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\angelu64.inf_amd64_neutral_3d6079dd78127f5e\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\mdmzoom.inf_amd64_neutral_dd07287cee791f3c\HOW TO DECRYPT FILES.txt
File created | C:\Windows\SysWOW64\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\mdmmc288.inf_amd64_neutral_c4a901dab689ad79\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnca00g.inf_amd64_neutral_6f76b14b2912fa55\Amd64\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnep005.inf_amd64_neutral_f2fbc5759618d8fb\Amd64\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnso002.inf_amd64_neutral_c3b7ce4e6f71641f\Amd64\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\averfx2swtv_x64.inf_amd64_neutral_24a71cdaabc7f783\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\mdmnis1u.inf_amd64_neutral_15011483bd8465c4\HOW TO DECRYPT FILES.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnep00a.inf_amd64_neutral_92a4c727cdf4c2f7\HOW TO DECRYPT FILES.txt
Drops file in Program Files directory (64 IoCs)
Process (all rows): 6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
description | ioc
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_ja_4.4.0.v20140623020002.jar
File created | C:\Program Files\VideoLAN\VLC\lua\playlist\HOW TO DECRYPT FILES.txt
File created | C:\Program Files (x86)\Microsoft Office\Stationery\1033\HOW TO DECRYPT FILES.txt
File created | C:\Program Files\Common Files\System\en-US\HOW TO DECRYPT FILES.txt
File created | C:\Program Files\DVD Maker\Shared\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Program Files\7-Zip\Lang\bn.txt
File opened for modification | C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedQuanPin.txt
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMaskSmall.bmp
File created | C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309480.JPG
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay.css
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099160.JPG
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pl.jar
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.nl_ja_4.4.0.v20140623020002.jar
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_zh_CN.jar
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\HOW TO DECRYPT FILES.txt
File created | C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\HOW TO DECRYPT FILES.txt
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\HOW TO DECRYPT FILES.txt
File created | C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\HOW TO DECRYPT FILES.txt
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql_2.0.100.v20131211-1531.jar
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_zh_CN.jar
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02208U.BMP
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert.css
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.expressions_3.4.600.v20140128-0851.jar
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets_1.0.0.v20140514-1823.jar
File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt
File created | C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\settings.css
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\flyout.css
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-views_zh_CN.jar
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145895.JPG
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149118.JPG
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0202045.JPG
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341634.JPG
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME18.CSS
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\rt.jar
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse_2.1.200.v20140512-1650.jar
File created | C:\Program Files\VideoLAN\VLC\lua\http\js\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099189.JPG
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\dnsns.jar
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench_3.106.1.v20140827-1737.jar
File created | C:\Program Files\Microsoft Office\Office14\HOW TO DECRYPT FILES.txt
File created | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01035U.BMP
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMaskRTL.bmp
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_highlights_Thumbnail.bmp
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_performance_Thumbnail.bmp
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_zh_CN.jar
File opened for modification | C:\Program Files\Java\jre7\lib\jfxrt.jar
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\settings.css
File opened for modification | C:\Program Files\7-Zip\Lang\fr.txt
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_ja.jar
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101861.BMP
File created | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_cs.jar
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145810.JPG
Drops file in Windows directory (64 IoCs)
Process (all rows): 6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
description | ioc
File created | C:\Windows\winsxs\amd64_microsoft-windows-netlogon-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5913ecb0e9673c8b\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\x86_fdssdp_31bf3856ad364e35_6.1.7600.16385_none_3ab448bad591f6d2\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\x86_setup-uxwizard-clientimages_31bf3856ad364e35_6.1.7600.16385_none_48ada01d8ff36e68\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\amd64_server-help-chm.ieakmmc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_bda5ac8bddbb105e\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\x86_microsoft-windows-s..pp-client.resources_31bf3856ad364e35_6.1.7600.16385_en-us_39206df4436123fa\HOW TO DECRYPT FILES.txt
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Services.Design\v4.0_4.0.0.0__b77a5c561934e089\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_it-it_47010afb4eca8141\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\wow64_microsoft-windows-msdt_31bf3856ad364e35_6.1.7600.16385_none_0bcbfdec6b984220\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\x86_microsoft-windows-msvcirt_31bf3856ad364e35_6.1.7600.16385_none_60937a05ff5c9c47\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\amd64_mdmbr002.inf_31bf3856ad364e35_6.1.7600.16385_none_bff4698a07fe9888\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_Break.help.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-s..gtool-app.resources_31bf3856ad364e35_6.1.7600.16385_en-us_059b965799e73c9e\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\amd64_prnca00b.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4ed6b2645da24a96\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\wow64_microsoft-windows-i..l-keyboard-00030409_31bf3856ad364e35_6.1.7600.16385_none_3a72c5cf87b4fe0f\HOW TO DECRYPT FILES.txt
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq.Expressions\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\amd64_brmfcwia.inf_31bf3856ad364e35_6.1.7600.16385_none_11493a3982b640b7\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\x86_wcf-icardres_dll_vista_31bf3856ad364e35_6.1.7600.16385_none_10e3a225cc2bba9d\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\amd64_prnlx00y.inf_31bf3856ad364e35_6.1.7600.16385_none_6da71899bd79901d\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\x86_microsoft-windows-wpd-status_31bf3856ad364e35_6.1.7601.17514_none_0e6a9cf837b64185\HOW TO DECRYPT FILES.txt
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.FileSystem.Primitives\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-anytime-upgradeui_31bf3856ad364e35_6.1.7600.16385_none_4aadf3be188c056d\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_prompts.help.txt
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_remote_requirements.help.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_en-us_edb61e94e4562781\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-onexschema_31bf3856ad364e35_6.1.7600.16385_none_b137228160080e7e\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\amd64_prnkm002.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_87d7c89275006caa\HOW TO DECRYPT FILES.txt
File created | C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web.1586a486#\7a64cac99250742a5f555e238496ff78\HOW TO DECRYPT FILES.txt
File created | C:\Windows\inf\BITS\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-cdosys_31bf3856ad364e35_6.1.7601.17514_none_7c6c058f3c03e7a2\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-help-harddev.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f5c5d10f1763f320\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\wow64_microsoft-windows-powershell-message_31bf3856ad364e35_7.2.7601.23317_none_4feb5bb8c63259d5\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\x86_microsoft-windows-i..converter.resources_31bf3856ad364e35_8.0.7600.16385_en-us_659f28693168f6d9\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-ddodiag_31bf3856ad364e35_6.1.7600.16385_none_924b83b9b69fb351\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-i..aticcontentbinaries_31bf3856ad364e35_6.1.7601.17514_none_d43ded6d302dca69\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-i..onal-codepage-10010_31bf3856ad364e35_6.1.7600.16385_none_809f8138e204f251\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-n..ients-svc.resources_31bf3856ad364e35_6.1.7601.17514_en-us_1b91fd67cd4e5ad6\HOW TO DECRYPT FILES.txt
File created | C:\Windows\assembly\GAC_64\Microsoft.MediaCenter.iTV.Media\6.1.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt
File created | C:\Windows\Resources\Themes\Aero\Shell\NormalColor\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-unimodem-config_31bf3856ad364e35_6.1.7600.16385_none_50f69335385bc360\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\amd64_prngt003.inf_31bf3856ad364e35_6.1.7600.16385_none_a02d5f54e55bd238\Amd64\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\HOW TO DECRYPT FILES.txt
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\5cae93d923c8378370758489e5535820\HOW TO DECRYPT FILES.txt
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.AppContext\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_remote_troubleshooting.help.txt
File created | C:\Windows\winsxs\amd64_netfx-webhightrust_config_default_b03f5f7f11d50a3a_6.1.7600.16385_none_b6b096b0fd71600e\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4b697e9c79bef952\HOW TO DECRYPT FILES.txt
File
created C:\Windows\winsxs\amd64_microsoft-windows-n..-security.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aa2abb885e448df3\HOW TO DECRYPT FILES.txt 6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe File created C:\Windows\winsxs\amd64_microsoft-windows-servicereportingapi_31bf3856ad364e35_6.1.7600.16385_none_c895144f92ce0a2e\HOW TO DECRYPT FILES.txt 6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe File created C:\Windows\winsxs\amd64_microsoft-windows-wincal-adm_31bf3856ad364e35_6.1.7600.16385_none_793f2aa0e2c738e8\HOW TO DECRYPT FILES.txt 6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a7b877#\bc98161a485ea05967844bc0b0c55338\HOW TO DECRYPT FILES.txt 6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe File created C:\Windows\winsxs\x86_microsoft-windows-powercpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8a335901163b4902\HOW TO DECRYPT FILES.txt 6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe File created C:\Windows\winsxs\amd64_netfx-microsoft.jscript_b03f5f7f11d50a3a_6.1.7600.16385_none_f371f988e550616a\HOW TO DECRYPT FILES.txt 6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe File created C:\Windows\winsxs\amd64_server-help-chm.nfs_client.resources_31bf3856ad364e35_6.1.7600.16385_en-us_eee4d425ea1d96c2\HOW TO DECRYPT FILES.txt 6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\en-US\HOW TO DECRYPT FILES.txt 6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe File created C:\Windows\winsxs\amd64_microsoft-windows-a..iagnostic.resources_31bf3856ad364e35_6.1.7601.17514_en-us_74a07663e30b3b7f\HOW TO DECRYPT FILES.txt 6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe File created 
C:\Windows\winsxs\amd64_microsoft-windows-sigverif_31bf3856ad364e35_6.1.7600.16385_none_178e7604150fa952\HOW TO DECRYPT FILES.txt 6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe File created C:\Windows\winsxs\x86_microsoft-windows-mssign32-dll_31bf3856ad364e35_6.1.7600.16385_none_ca0a23a23bc12926\HOW TO DECRYPT FILES.txt 6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..tional-codepage-737_31bf3856ad364e35_6.1.7600.16385_none_2ae55e46b4dd0be2\HOW TO DECRYPT FILES.txt 6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\HOW TO DECRYPT FILES.txt 6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_remote_FAQ.help.txt 6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe File created C:\Windows\winsxs\amd64_microsoft-windows-r..-detector.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cc15e7c725d93018\HOW TO DECRYPT FILES.txt 6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\System.AddIn.Contra#\eadb7dd5fe85da92b491154484bc40e3\HOW TO DECRYPT FILES.txt 6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe File created C:\Windows\inf\ASP.NET\0416\HOW TO DECRYPT FILES.txt 6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Resources.Reader\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt 6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe -
Program crash 1 IoCs
Processes:
WerFault.exe
pid | pid_target | process
1432 | 1244 | WerFault.exe
-
Modifies registry class 10 IoCs
Processes:
6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
description | ioc
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.btCry_zip\ = "OGPGKRTRABCQPJW"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\OGPGKRTRABCQPJW
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\OGPGKRTRABCQPJW\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6f6Um0t6lTX1txd.exe,0"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\OGPGKRTRABCQPJW\shell
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\OGPGKRTRABCQPJW\shell\open
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.btCry_zip
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\OGPGKRTRABCQPJW\DefaultIcon
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\OGPGKRTRABCQPJW\shell\open\command
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\OGPGKRTRABCQPJW\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6f6Um0t6lTX1txd.exe"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\OGPGKRTRABCQPJW\ = "CRYPTED!"
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
WerFault.exe
pid | process
1432 | WerFault.exe
1432 | WerFault.exe
1432 | WerFault.exe
1432 | WerFault.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
WerFault.exe
pid | process
1432 | WerFault.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WerFault.exe
description | pid | process
Token: SeDebugPrivilege | 1432 | WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
"C:\Users\Admin\AppData\Local\Temp\6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe"
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1632
-
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1244 -s 1164
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1432