6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56

General

Target

6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
Size

65KB
MD5

bff66efddf31e2835e50c778f0c338cd
SHA1

0b0e24bd3b6889b10ea6f77f8ffd19b489da4e2f
SHA256

6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56
SHA512

0c781af46d4a366a3768faa3fa76e69a1532459a1a521d1048e485ef079c03716214c0c13abab1b2b67504ade3fd2316cdaf681f18129f98b82e92d66c32cdec

Score

10^/10

persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\HOW TO DECRYPT FILES.txt

Ransom Note

your network has been infected due to improper browsing with infected html :( * all data has been locked with a unique key and has become .btCry_zip :( * without the unique key, it is impossible to bring your data to the state of origin :( * with the exclusive key in hand, it takes 20 minutes to unlock your data :) * you can get this key for just a fee. contact us email: [email protected] send id along with email id-67588824752785452767452345237499285 PS: * do not rename or change the extension of the files, as this will corrupt the renamed file : ( * no need to format or reinstall Windows :) * do not post this message on a third party website, as they will block the only contact email :( as proof of trust send me a file of up to 1 mb which i will return to you in its original state :)))) contact us until 04/13/2021

Emails

[email protected]

Signatures

Drops file in Drivers directory 3 IoCs

Processes:

6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops startup file 1 IoCs

Processes:

6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6f6Um0t6lTX1txd.exe"	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe

Drops file in System32 directory 64 IoCs

Processes:

6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\mlx4_bus.inf_amd64_bfb4ade6fe41e3be\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhpcl2.inf_amd64_17ed6c3130d87c50\amd64\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_708bc7360cbceaea\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Kds\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\GroupSet\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmct.inf_amd64_689c091fcb0721a2\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\block.xsd	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nete1g3e.inf_amd64_af58b4e19562a3f9\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmetri.inf_amd64_998d032450dfea33\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmusrgl.inf_amd64_d23b88063aa01b83\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0014\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgl001.inf_amd64_1977b59d655e7974\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netefe3e.inf_amd64_7830581a689ef40d\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prncacl2.inf_amd64_d0fd8eb0443cec17\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCClassResources\WindowsPackageCab\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManagedProperty.xsd	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmjf56e.inf_amd64_708bf820d108f94f\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmolic.inf_amd64_88b9ac0a07b44bf8\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wstorflt.inf_amd64_1ec82056f3f0dbe7\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\en\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\troubleshooting.xsd	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\en-US\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\fdc.inf_amd64_2e08c158fa6dcbb9\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_82738beb7b514250\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmcomp.inf_amd64_c85f2acdcfd80e25\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prncacla.inf_amd64_65d72b0cf837d4c1\Amd64\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\SysWOW64\es-MX\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\SysWOW64\Dism\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\SysWOW64\fr-FR\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\SysWOW64\IME\IMETC\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.WSMan.Management\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAll\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\glossary.xsd	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rdvgwddmdx11.inf_amd64_b3ecd559f2f47852\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netsstpa.inf_amd64_a0c33f7e7e10db98\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhpcl5.inf_amd64_d79d88c2b839182e\amd64\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MP830\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsClient\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\faq.xsd	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmod.inf_amd64_2a131294b3b6a2e9\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmrock4.inf_amd64_35a3e38b825e5c32\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netl1e64.inf_amd64_291f12bd323b3ff3\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\sti.inf_amd64_cabeac16a0ac4ce6\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmnis3t.inf_amd64_48b4ac6fad1cc2df\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hidinterrupt.inf_amd64_635040de0340705f\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rdpbus.inf_amd64_9e4fd69bbfb40126\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\tape.inf_amd64_5a552c4209011069\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MG6100\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\adp80xx.inf_amd64_34edb3ca4931f453\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_pcmcia.inf_amd64_abfb9c9f424c2394\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhpcl4.inf_amd64_9412589272562044\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\unknown.inf_amd64_01a16e5ddbb3eb7a\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wave.inf_amd64_89288a60759a1479\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaek002.inf_amd64_f5e1942118a448c2\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\buttonconverter.inf_amd64_5c4bad3483bbad72\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgl006.inf_amd64_dcae7410e66d3b79\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmomrn3.inf_amd64_eb80d126438b8a47\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\SysWOW64\spp\tokens\legacy\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDiagnostics\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_sslaccel.inf_amd64_462ecd41ee62a3ea\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wsdscdrv.inf_amd64_bab2522375bff9e1\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_magneticstripereader.inf_amd64_1f89c8c94de5a0ef\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe

Drops file in Program Files directory 64 IoCs

Processes:

6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-modules-profiler_visualvm.jar	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\charsets.jar	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENFR\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ro-ro\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher_1.3.0.v20140415-2008.jar	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files\Windows NT\TableTextService\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\da-dk\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8_RTL.mp4	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\western_background.jpg	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\README.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sl-si\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.zh_CN_5.5.0.165303.jar	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_zh_4.4.0.v20140623020002.jar	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-white\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\FreeCell\Tips_3.jpg	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-tw\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.di.extensions_0.12.0.v20140417-2033.jar	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_ja.jar	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\_Resources\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nb-no\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\cs-cz\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\cs-cz\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_ja_4.4.0.v20140623020002.jar	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.base_4.0.200.v20141007-2301.jar	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Fues\Upsell_Image.jpg	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-fr\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ro-ro\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sv-se\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\jaccess.jar	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sv-se\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.AppTk.NativeDirect3d.UAP\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sv-se\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-gb\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-gb\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericEnglish-2.jpg	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe

Drops file in Windows directory 64 IoCs

Processes:

6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe

description	ioc	process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..cognition.resources_31bf3856ad364e35_10.0.15063.0_en-us_eef2a2dd5f07b3fd\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wmpnss-api.resources_31bf3856ad364e35_10.0.15063.0_en-us_75de4cc4596ef9ee\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0\10.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\FreeCell\Control_1.jpg	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\amd64_dual_wvmbus.inf_31bf3856ad364e35_10.0.15063.0_none_314584896911f2d0\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..tem-tracedatahelper_31bf3856ad364e35_10.0.15063.0_none_061f1f1a444142e6\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-dolbyatmosdecmft_31bf3856ad364e35_10.0.15063.0_none_caaf10c64bd18229\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..-disconnecteddriver_31bf3856ad364e35_10.0.15063.0_none_09e7ac1b8e49f1e2\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\amd64_netfx4-presentationframework.aerolite_b03f5f7f11d50a3a_4.0.14917.0_none_cef25aaae6212247\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\amd64_wpcip.inf.resources_31bf3856ad364e35_10.0.15063.0_en-us_6d231c7e0884a422\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..ent-indexing-common_31bf3856ad364e35_10.0.15063.0_none_17c7e7040fdf0b5e\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-wmpdxm_31bf3856ad364e35_10.0.15063.0_none_b54bfc93609a427f\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-a..recording.resources_31bf3856ad364e35_10.0.15063.0_en-us_0cce1e83acf7fbf9\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-u..-core-tsp.resources_31bf3856ad364e35_10.0.15063.0_en-us_235520e08a5dda03\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-scheduleui.resources_31bf3856ad364e35_10.0.15063.0_en-us_b46246343c13c108\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-textpredictionengine_31bf3856ad364e35_10.0.15063.0_none_32e6c8877457077c\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-timeout.resources_31bf3856ad364e35_10.0.15063.0_en-us_d44e513ddf2fc0bc\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\amd64_netfx4-system.threading.overlapped_b03f5f7f11d50a3a_4.0.15552.17062_none_e8ae79442ff9c935\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..andlers-geolocation_31bf3856ad364e35_10.0.15063.0_none_51b851a5cb22f494\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wininit-adm.resources_31bf3856ad364e35_10.0.15063.0_en-us_74f337a384d48982\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\msil_system.io.unmanagedmemorystream_b03f5f7f11d50a3a_4.0.15552.17062_none_b9dd14edfb5484cb\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-cabinet_31bf3856ad364e35_10.0.15063.0_none_52a7d4a84f1b2fa9\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\wow64_microsoft-onecore-tetheringservice_31bf3856ad364e35_10.0.15063.0_none_a9189f4a542b7fd6\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\x86_netfx-_vc_assembly_linker_messages_b03f5f7f11d50a3a_10.0.15063.0_none_1e8167d24169b4a6\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..resources.resources_31bf3856ad364e35_10.0.15063.0_en-us_baf82f42446793a0\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-http.resources_31bf3856ad364e35_10.0.15063.0_en-us_240931ff0f14501b\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..structure.resources_31bf3856ad364e35_10.0.15063.0_en-us_ff4e1dabc878c69d\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..languages.resources_31bf3856ad364e35_10.0.15063.0_fr-ca_5eea0164295dba70\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\msil_hyperv-ux-ui-vmcreate_31bf3856ad364e35_10.0.15063.0_none_e85b4993a3dda001\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\msil_ieexec_b03f5f7f11d50a3a_10.0.15063.0_none_3830d2bda4126472\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\manifests\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..ad-events-container_31bf3856ad364e35_10.0.15063.0_none_03b5a139ba4530d0\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-pnpsysprep_31bf3856ad364e35_10.0.15063.0_none_52d154b5efe11890\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\msil_system.servicemodel.duplex_b03f5f7f11d50a3a_4.0.15552.17062_none_c4151062fcf80c62\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Mobile\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-pnphotplugui.resources_31bf3856ad364e35_10.0.15063.0_en-us_4439ffbf4a9e1056\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\msil_system.componentmodel.composition_b77a5c561934e089_4.0.15552.17062_none_53a8233e91644210\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-i..-wow64-setupdll0416_31bf3856ad364e35_10.0.15063.0_none_ff87d6fee8e0e1de\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.SmartTag\15.0.0.0__71e9bce111e9429c\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Windows\WinSxS\x86_netfx4-uninstallpersistsqlstate_sql_b03f5f7f11d50a3a_4.0.14917.0_none_926a136fa20fa254\UninstallPersistSqlState.sql	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\amd64_dual_c_avc.inf_31bf3856ad364e35_10.0.15063.0_none_6805bc676c90c4c4\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-logon-adm_31bf3856ad364e35_10.0.15063.0_none_e64cafad981c11cc\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..p-mountpointmanager_31bf3856ad364e35_10.0.15063.0_none_020e5f061b5ea417\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\x86_netfx4-system.data.entity.design_b03f5f7f11d50a3a_4.0.14917.0_none_f17bc6f4a0563b50\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\Branding\Basebrd\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-mail-app_31bf3856ad364e35_10.0.15063.0_none_026c06c18883ec63\ShadesOfBlue.jpg	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-powerdiagnostic_31bf3856ad364e35_10.0.15063.0_none_4b73d72886738330\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..tional-chinese-dayi_31bf3856ad364e35_10.0.15063.0_none_718feaaf1e69cd24\TableTextServiceDaYi.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.15063.0_none_3c065a035d44d0c7\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_10.0.15063.0_none_e07399a10617ba72\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\msil_napinit.resources_31bf3856ad364e35_10.0.15063.0_en-us_2e27a90144b6ecca\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\en-us\3.jpg	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\SQL\EN\DropSqlPersistenceProviderSchema.sql	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\amd64_c_swcomponent.inf.resources_31bf3856ad364e35_10.0.15063.0_en-us_46e17da09531c24c\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c...speechhelp.cortana_31bf3856ad364e35_10.0.15063.0_none_e1bce38acad169f7\SpeechHelp_AssistantEnabled_ja.json	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\msil_multipoint-wmswssgcommon.resources_31bf3856ad364e35_10.0.15063.0_en-us_1248dcce5a632eeb\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-runonce.resources_31bf3856ad364e35_10.0.15063.0_en-us_2697a55151507343\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\msil_microsoft.web.administration.resources_31bf3856ad364e35_10.0.15063.0_en-us_517c4979b6b525e7\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\msil_microsoft.web.management.webdav_31bf3856ad364e35_10.0.15063.0_none_7ba6ea41090743aa\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\amd64_mdmcxpv6.inf_31bf3856ad364e35_10.0.15063.0_none_d45b568e9fb19498\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\amd64_netfx-iiehost_b03f5f7f11d50a3a_10.0.15063.0_none_e20e4d83f06e7425\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-i..-wow64-setupdll000e_31bf3856ad364e35_10.0.15063.0_none_fd1a7e9ceaa69812\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-c..r-name-ui.resources_31bf3856ad364e35_10.0.15063.0_en-us_6e57914c1db3ab9f\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CertificateServices.PKIClient.Cmdlets.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2844 2740 WerFault.exe
1796 3748 WerFault.exe explorer.exe

pid	pid_target	process	target process
2844	2740	WerFault.exe
1796	3748	WerFault.exe	explorer.exe

Modifies registry class 10 IoCs

Processes:

6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.btCry_zip	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OGPGKRTRABCQPJW\ = "CRYPTED!"	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OGPGKRTRABCQPJW\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6f6Um0t6lTX1txd.exe,0"	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OGPGKRTRABCQPJW\shell\open\command	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OGPGKRTRABCQPJW\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6f6Um0t6lTX1txd.exe"	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.btCry_zip\ = "OGPGKRTRABCQPJW"	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OGPGKRTRABCQPJW	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OGPGKRTRABCQPJW\DefaultIcon	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OGPGKRTRABCQPJW\shell	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OGPGKRTRABCQPJW\shell\open	6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

WerFault.exeWerFault.exe

pid	process
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
1796	WerFault.exe
1796	WerFault.exe
1796	WerFault.exe
1796	WerFault.exe
1796	WerFault.exe
1796	WerFault.exe
1796	WerFault.exe
1796	WerFault.exe
1796	WerFault.exe
1796	WerFault.exe
1796	WerFault.exe
1796	WerFault.exe
1796	WerFault.exe
1796	WerFault.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

WerFault.exeexplorer.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	2844	WerFault.exe
Token: SeShutdownPrivilege	3748	explorer.exe
Token: SeCreatePagefilePrivilege	3748	explorer.exe
Token: SeShutdownPrivilege	3748	explorer.exe
Token: SeCreatePagefilePrivilege	3748	explorer.exe
Token: SeDebugPrivilege	1796	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe
"C:\Users\Admin\AppData\Local\Temp\6dd4af7019dba1ff08c306fa73d3069c267c4f3d709ef7e8a5d718dbee7b7e56.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1032

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2740 -s 6800
1⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Windows\explorer.exe
explorer.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3748 -s 1892
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1796

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db.btCry_zip
MD5
b49339d686de442f8a300e8c5e1833a8

SHA1
24f53b3073b266fdd8adb91e4f79f3025fab98e8

SHA256
f3e3db5624988feb2bf625a633c18632abf4dcfd914b7b96bc444a4a40ef0ddf

SHA512
b33b6226be96bafe6504f90be9e244b787c6d07d62a2b9465f60bca415929c13891df984dae3f2d6d33cdf138891afe7570917d75feed03173b112696d160021

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.btCry_zip
MD5
a0d1086b50b66907c76ecabd78b4624d

SHA1
41d648ca84595e078baf0ae6be813d97a797036b

SHA256
8d3e1c3600847d84691c0f00ccda506924feedebb02bac9a2e06d5e422b4b26d

SHA512
8ebe71d1742693f477dea70bc2afec6938f836596f7277f40e85a6ebb24d42ce2705958784ea7e95513c81570595cc5a081d22ef8345d5356582a8de0edb5b31

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads