5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c

General

Target

5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
Size

70KB
MD5

0a6cc2a5fd2701a3d80cca1438c4950d
SHA1

260f28d8fde4bccee35b4c5a80568ca431e13435
SHA256

5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c
SHA512

e70ce320f088aec289b9ae8c5ed539d6f10581544b53a23053746514744f51556c8fcdb193f6c88421b1bc22e5bdfd1270c5048e9fb8da391e5dcc0d2a157152

Score

10^/10

persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2455352368-1077083310-2879168483-1000\HOW TO DECRYPT FILES.txt

Ransom Note

your network has been infected due to improper browsing with infected html :( * all data has been locked with a unique key and has become .btCry_zip :( * without the unique key, it is impossible to bring your data to the state of origin :( * with the exclusive key in hand, it takes 20 minutes to unlock your data :) * you can get this key for just a fee. contact us email: btcontact@protonmail.com send id along with email id-67588824752785452767452345237499285 PS: * do not rename or change the extension of the files, as this will corrupt the renamed file : ( * no need to format or reinstall Windows :) * do not post this message on a third party website, as they will block the only contact email :( as proof of trust send me a file of up to 1 mb which i will return to you in its original state :)))) contact us until 04/13/2021

Emails

btcontact@protonmail.com

Signatures

Drops file in Drivers directory 3 IoCs

Processes:

5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe

Drops startup file 1 IoCs

Processes:

5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6f6Um0t6lTX1txd.exe"	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe

Drops file in System32 directory 64 IoCs

Processes:

5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\blockSoftware.xsd	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx004.inf_amd64_neutral_2cf95f307381e481\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\v_mscdsc.inf_amd64_neutral_8b1e6b55729c3283\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wialx004.inf_amd64_neutral_0a3a62ae6ed43127\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cxraptor_fm1236mk5_ibv64.inf_amd64_neutral_b81bec917adfaea5\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmdcm6.inf_amd64_neutral_b1db427ce3d2a1b4\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netirda.inf_amd64_neutral_93a886f96cea2847\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wsdscdrv.inf_amd64_neutral_47406488f9e8d5b8\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nv_lh.inf_amd64_neutral_bc69f20e3115af59\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky009.inf_amd64_neutral_8e54c9ff272b72f1\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmrock3.inf_amd64_neutral_9fdc5d710dd63e80\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\megasas.inf_amd64_neutral_395276dd9b7a7448\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00w.inf_amd64_neutral_d4c93bb2fbf75723\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaca00c.inf_amd64_neutral_27f4ad26fea72eb1\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wpdfs.inf_amd64_neutral_fc4ebadff3a40ae4\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\command.xsd	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\glossary.xsd	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\megasr.inf_amd64_neutral_30b367f92ca46598\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msdri.inf_amd64_neutral_86bb50f34c49ae71\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmtdkj5.inf_amd64_neutral_15940559c66fe8d9\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvg62a.inf_amd64_neutral_5817ae5135655364\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx005.inf_amd64_neutral_f65eeb9bff6bd8f3\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Windows\System32\catroot2\edb00466.log	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmsonyu.inf_amd64_neutral_45152a8a9362fb82\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wialx003.inf_amd64_neutral_db618863f9347f9a\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\amdsbs.inf_amd64_neutral_5cae6933bef20aa8\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmbug3.inf_amd64_neutral_7617862a9cc286da\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmdgitn.inf_amd64_neutral_09132735f1063a47\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\shellExecute.xsd	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wvmbushid.inf_amd64_neutral_6708ad28050a6765\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\001d\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiahp001.inf_amd64_neutral_aee49cdf3b352e58\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\SysWOW64\slmgr\0409\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr007.inf_amd64_neutral_add2acf1d573aef0\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc007.inf_amd64_neutral_2df575afa0f7d35f\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmbr006.inf_amd64_neutral_40c76453575b1208\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmcpv.inf_amd64_neutral_5667cca434e3a6b7\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmbr002.inf_amd64_neutral_ce2134188ab21f59\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_neutral_4b99fffee061ff26\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgl010.inf_amd64_neutral_46f466c9e68abb4a\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hpoa1so.inf_amd64_neutral_4f1a3f1015001339\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmfj2.inf_amd64_neutral_9c9eb67d406a1632\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Windows\System32\catroot2\edb00468.log	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00c.inf_amd64_neutral_510c36849918ce92\Amd64\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\kscaptur.inf_amd64_neutral_6cb3fb6811a3f83d\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmzyxel.inf_amd64_neutral_ed1f16b3d0cae908\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-COM-DTC-Setup-DL\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-NetworkLoadBalancing-Core\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-activedirectory-webservices\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep005.inf_amd64_neutral_f2fbc5759618d8fb\Amd64\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\HomeBasic\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc006.inf_amd64_neutral_7e12a60cc98d3f89\Amd64\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\EnterpriseE\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc00a.inf_amd64_neutral_565c5d04cc520c48\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\averfx2swtv_noavin_x64.inf_amd64_neutral_86943dd17860e449\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmhay2.inf_amd64_neutral_ff250f861d941dd8\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\Starter\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\SysWOW64\IME\imekr8\applets\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Windows\System32\catroot2\edb00467.log	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe

Drops file in Program Files directory 64 IoCs

Processes:

5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Bears.jpg	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTVIEW.JPG	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\settings.css	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunjce_provider.jar	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.zh_CN_5.5.0.165303.jar	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382944.JPG	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImagesMask.bmp	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-explorer_ja.jar	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Visualizer.zip	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\default_thumb.jpg	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME21.CSS	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormToolImages.jpg	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01221K.JPG	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler.jar	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME13.CSS	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_zh_4.4.0.v20140623020002.jar	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_zh_CN.jar	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341738.JPG	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIcons.jpg	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\access-bridge-64.jar	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core_0.10.100.v20140424-2042.jar	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145904.JPG	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME33.CSS	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImagesMask.bmp	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Program Files (x86)\MSBuild\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-dialogs_zh_CN.jar	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\local_policy.jar	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\boot_zh_CN.jar	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GreenTea.css	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\MeetingIconMask.bmp	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Program Files (x86)\Windows Defender\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.zh_CN_5.5.0.165303.jar	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceArray.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_zh_4.4.0.v20140623020002.jar	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic_5.5.0.165303.jar	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\javafx-mx.jar	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.zh_CN_5.5.0.165303.jar	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_zh_4.4.0.v20140623020002.jar	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text_3.9.1.v20140827-1810.jar	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_olv.css	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\lua\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313970.JPG	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe

Drops file in Windows directory 64 IoCs

Processes:

5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\wow64_microsoft.windows.powershell.v3.common_31bf3856ad364e35_7.2.7601.16406_none_b9b179cff84db116\shellExecute.xsd	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7ef5713984067904\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-winrsplugins.resources_31bf3856ad364e35_7.2.7601.16406_en-us_d170887b00acf860\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..-wow64-setupdll000e_31bf3856ad364e35_6.1.7600.16385_none_47fb970acb88e551\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..l-keyboard-00040409_31bf3856ad364e35_6.1.7600.16385_none_dd9109d87a461b48\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-legacyhwui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ad0a17d9536dd7dc\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-r..rvice-mui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7aab257fcb5a97d1\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_microsoft.powershell.dsc.managedworker_31bf3856ad364e35_7.2.7601.16406_none_bd9c32efc7c36e07\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..console-nodemanager_31bf3856ad364e35_6.1.7601.17514_none_de55c2c637a7dc61\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..ilerepair.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9ed373c17361cf1b\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..onal-codepage-21866_31bf3856ad364e35_6.1.7600.16385_none_53e2c911465b0612\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-scheduleui_31bf3856ad364e35_6.1.7600.16385_none_74990c26730e98ea\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ime-korean-commonapi_31bf3856ad364e35_6.1.7600.16385_none_d96db983ac8462fd\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\UnInstallProfile.SQL	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..ardplugin.resources_31bf3856ad364e35_7.2.7601.16406_en-us_5de7740e135ecf6a\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-r..-resolver.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2ff5a9d71ce66290\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..ional-chinese-array_31bf3856ad364e35_6.1.7600.16385_none_c0cebfe77b9f6973\TableTextServiceArray.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_mdmiodat.inf_31bf3856ad364e35_6.1.7600.16385_none_a748894c03713031\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\msil_system.data.services.client_b77a5c561934e089_6.1.7601.17514_none_f18a3b06e9085403\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\assembly\GAC_MSIL\napsnap\6.1.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_microsoft.windows.powershell.dsc.events_31bf3856ad364e35_7.2.7601.23317_none_3157c00d916d5635\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mscat32-dll_31bf3856ad364e35_6.1.7600.16385_none_80ba6a1a80d90497\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-msidle_31bf3856ad364e35_6.1.7600.16385_none_cb5832fe03fa7bbb\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_Comment_Based_Help.help.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-consolehost.resources_31bf3856ad364e35_6.1.7600.16385_en-us_721c93346b019af5\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mobsyncexe_31bf3856ad364e35_6.1.7601.17514_none_4d76defd6af4a83e\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..engineres.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e0016fab65007326\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..onal-codepage-20284_31bf3856ad364e35_6.1.7600.16385_none_54daffab45b92421\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_roles_b03f5f7f11d50a3a_6.1.7600.16385_none_02a1a2d949085578\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_microsoft.security...icyengine.resources_31bf3856ad364e35_6.1.7600.16385_en-us_041c1814a3a8e6bf\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..erbox-isv.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7ac916d5bcc11873\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_reg_31bf3856ad364e35_6.1.7600.16385_none_7c6cb11e92194c00\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.InfoPath.Xml\14.0.0.0__71e9bce111e9429c\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_mdmaus.inf_31bf3856ad364e35_6.1.7600.16385_none_e18d21e7dddff28f\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..icesframework-msutb_31bf3856ad364e35_6.1.7601.17514_none_761702814e1ae8a6\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..ltimateed.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0593bc3c44f89478\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..rectinput.resources_31bf3856ad364e35_6.1.7600.16385_en-us_09395f7bc9e271bb\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..iagnostic.resources_31bf3856ad364e35_6.1.7601.17514_en-us_fee1d678cfc147fb\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-whoami.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cb28c86f28d65ec7\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_netfx35linq-msbuild_core_schema__v35_31bf3856ad364e35_6.1.7600.16385_none_7a4294a74548ee4c\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-dataclen_31bf3856ad364e35_6.1.7600.16385_none_f67c8b94f4c94f5f\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-peertopeerdrt_31bf3856ad364e35_6.1.7600.16385_none_5932c4a3fc4e9ef4\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00004.log	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wlanconnectionflow_31bf3856ad364e35_6.1.7600.16385_none_e629c73a8182aca5\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_wiabr005.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9393b068a45a5056\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..erver-adm.resources_31bf3856ad364e35_6.1.7601.17514_en-us_fa18d6953ed8537e\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wlanpref.resources_31bf3856ad364e35_6.1.7600.16385_en-us_50c0df8c012149f5\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-directshow-core_31bf3856ad364e35_6.1.7601.17514_none_0eeae7a238e677c8\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\x86_netfx-vsa_codedom_tlb_b03f5f7f11d50a3a_6.1.7600.16385_none_f8297aaff0309fa4\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..consumers.resources_31bf3856ad364e35_7.2.7601.16406_en-us_77ecb9ee5f635efe\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..for-management-core_31bf3856ad364e35_6.1.7601.17514_none_288b7acec3a75696\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_netfx-mscorpjt_dll_31bf3856ad364e35_6.1.7600.16385_none_d77af9a299d44999\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\ZA-wp6.jpg	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-quirky_31bf3856ad364e35_6.1.7600.16385_none_e55404efe49bb9cb\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-servicereportingapi_31bf3856ad364e35_6.1.7600.16385_none_c895144f92ce0a2e\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-terminalservices-rdpdr_31bf3856ad364e35_6.1.7601.17514_none_5f60151d5fa6ce24\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\52c68307282a248618376df5db7f9cce\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..eercollab.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7874673cb51944b8\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..ional-codepage-1148_31bf3856ad364e35_6.1.7600.16385_none_80b902312247f1ff\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_wcf-system.runtime.serialization_b03f5f7f11d50a3a_6.1.7601.17514_none_93efcca8c8dbf1bb\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft.windows.powershell.v3.common_31bf3856ad364e35_7.2.7601.16406_none_b9b179cff84db116\inline.xsd	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\b1c511d8fad78ad3c5213b2b4fb02b8b\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_secur_res_b03f5f7f11d50a3a_6.1.7600.16385_none_5053116fe7b53060\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Mobile\9a3936273fb6a2e93b67f53c605d69df\HOW TO DECRYPT FILES.txt	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1184 1244 WerFault.exe

pid	pid_target	process	target process
1184	1244	WerFault.exe

Modifies registry class 10 IoCs

Processes:

5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OGPGKRTRABCQPJW\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6f6Um0t6lTX1txd.exe"	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.btCry_zip\ = "OGPGKRTRABCQPJW"	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OGPGKRTRABCQPJW	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OGPGKRTRABCQPJW\DefaultIcon	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OGPGKRTRABCQPJW\shell	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OGPGKRTRABCQPJW\shell\open	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.btCry_zip	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OGPGKRTRABCQPJW\ = "CRYPTED!"	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OGPGKRTRABCQPJW\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6f6Um0t6lTX1txd.exe,0"	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OGPGKRTRABCQPJW\shell\open\command	5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1184 WerFault.exe
1184 WerFault.exe
1184 WerFault.exe
1184 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1184 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1184 WerFault.exe

pid	process
1184	WerFault.exe
1184	WerFault.exe
1184	WerFault.exe
1184	WerFault.exe

pid	process
1184	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1184	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
"C:\Users\Admin\AppData\Local\Temp\5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1628

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1244 -s 3140
1⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1184

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1184-61-0x000007FEFC031000-0x000007FEFC033000-memory.dmp

Filesize
8KB

Download
memory/1184-62-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/1628-60-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads