Analysis
max time kernel: 151s
max time network: 92s
platform: windows7_x64
resource: win7v20210408
submitted: 01-07-2021 04:38
Behavioral tasks
behavioral1: Sample 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe, Resource win7v20210408
behavioral2: Sample 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe, Resource win10v20210408
behavioral3: Sample 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe, Resource win7v20210410
behavioral4: Sample 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe, Resource win10v20210408
behavioral5: Sample 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe, Resource win7v20210410
behavioral6: Sample 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe, Resource win10v20210410
behavioral7: Sample a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe, Resource win7v20210408
behavioral8: Sample a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe, Resource win10v20210410
General
Target: 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
Size: 4.8MB
MD5: 568db4e58977f0795730755b16c80b07
SHA1: 23231aea7dcc02eaab9c2f248bbd949d1770db8c
SHA256: 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23
SHA512: a426b5e9a4786af6558c28a577b5197704cbe224818daf2519f36a9b0f65e2f0d55e7b49f5a5ea177784fb27a4d54f0cca7125b51180b2ccf7d431375ef32c88
Malware Config
Extracted
C:\$Recycle.Bin\S-1-5-21-2455352368-1077083310-2879168483-1000\HOW TO DECRYPT FILES.txt
1DENGvxJZofU9BVfiScrgZHhhntJ3sAPSd
Signatures
Drops file in Drivers directory 9 IoCs
description | ioc (Process column for every row: 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe)
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui
File created | C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt
File created | C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
description | ioc (Process column for every row: 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe)
File renamed | C:\Users\Admin\Pictures\ConfirmPop.raw => C:\Users\Admin\Pictures\ConfirmPop.raw.ZuCaNo
File renamed | C:\Users\Admin\Pictures\EditRedo.tif => C:\Users\Admin\Pictures\EditRedo.tif.ZuCaNo
File opened for modification | C:\Users\Admin\Pictures\InitializeApprove.tiff
File renamed | C:\Users\Admin\Pictures\InitializeApprove.tiff => C:\Users\Admin\Pictures\InitializeApprove.tiff.ZuCaNo
File renamed | C:\Users\Admin\Pictures\PopEnable.png => C:\Users\Admin\Pictures\PopEnable.png.ZuCaNo
File renamed | C:\Users\Admin\Pictures\ProtectStop.raw => C:\Users\Admin\Pictures\ProtectStop.raw.ZuCaNo
File renamed | C:\Users\Admin\Pictures\UnpublishAssert.tif => C:\Users\Admin\Pictures\UnpublishAssert.tif.ZuCaNo
Drops startup file 2 IoCs
description | ioc (Process column for every row: 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe)
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc (Process column for every row: 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe)
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yd0N5k3r1TF75n3.exe"
Drops desktop.ini file(s) 64 IoCs
description | ioc (Process column for every row: 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe)
File opened for modification | C:\Windows\Media\Heritage\Desktop.ini
File opened for modification | C:\Windows\Media\Raga\Desktop.ini
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-characters_31bf3856ad364e35_6.1.7600.16385_none_bde0eaed84920a21\Desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8HHGB03\desktop.ini
File opened for modification | C:\Users\Admin\Music\desktop.ini
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Desktop.ini
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-garden_31bf3856ad364e35_6.1.7600.16385_none_f7a4bf1e15863e21\Desktop.ini
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-landscapes_31bf3856ad364e35_6.1.7600.16385_none_e57abb2f66db71a9\Desktop.ini
File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini
File opened for modification | C:\Windows\Web\Wallpaper\Architecture\Desktop.ini
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-fontext_31bf3856ad364e35_6.1.7601.17514_none_fcab9df20a3cd55f\desktop.ini
File opened for modification | C:\Windows\Media\Landscape\Desktop.ini
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-photosamples_31bf3856ad364e35_6.1.7600.16385_none_f36e0e659b8042be\desktop.ini
File opened for modification | C:\Users\Admin\Favorites\desktop.ini
File opened for modification | C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..-us-links-component_31bf3856ad364e35_6.1.7601.17514_none_b325aa489d61d3a5\desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini
File opened for modification | C:\Program Files (x86)\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.2.9600.16428_none_4382f60666c7c23b\desktop.ini
File opened for modification | C:\Users\Admin\Documents\desktop.ini
File opened for modification | C:\Users\Public\Music\desktop.ini
File opened for modification | C:\Windows\Media\Characters\Desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
File opened for modification | C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ehome-reg-inf_31bf3856ad364e35_6.1.7601.17514_none_535245f3d98ecb9a\desktop.ini
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
File opened for modification | C:\Users\Admin\Downloads\desktop.ini
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
File opened for modification | C:\Users\Admin\Searches\desktop.ini
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gameexplorer_31bf3856ad364e35_6.1.7601.17514_none_a026547dd7dc8bbc\Desktop.ini
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-au-component_31bf3856ad364e35_6.1.7601.17514_none_36a5754e72dd8aff\desktop.ini
File opened for modification | C:\Windows\Web\Wallpaper\Landscapes\Desktop.ini
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_8.0.7600.16385_none_add5a10aa4d614d5\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VNYR844D\desktop.ini
File opened for modification | C:\Windows\Media\Desktop.ini
File opened for modification | C:\Windows\Media\Garden\Desktop.ini
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
File opened for modification | C:\Windows\Web\Wallpaper\Scenes\Desktop.ini
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\H18KNA1T\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini
File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
File opened for modification | C:\Users\Public\Recorded TV\desktop.ini
File opened for modification | C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini
File opened for modification | C:\Windows\Media\Savanna\Desktop.ini
File opened for modification | C:\$Recycle.Bin\S-1-5-21-2455352368-1077083310-2879168483-1000\desktop.ini
Drops file in System32 directory 64 IoCs
description | ioc (Process column for every row: 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe)
File created | C:\Windows\System32\DriverStore\FileRepository\stexstor.inf_amd64_neutral_80ee226e29362f51\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Help-CoreClientUAPS-Package~31bf3856ad364e35~amd64~en-US~6.1.7600.16385.cat
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Base-WinIP-Package~31bf3856ad364e35~amd64~ko-KR~7.1.7601.16492.cat
File created | C:\Windows\System32\DriverStore\FileRepository\mdmgsm.inf_amd64_neutral_dd3fbd8c64c7c87d\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO3100T.GPD
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnky007.inf_amd64_neutral_e637699044f367f3\Amd64\KYFS5030.GPD
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnsv003.inf_amd64_neutral_1e0c4fbb9b11b015\Amd64\SVC400D6.GPD
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnsv004.inf_amd64_neutral_fc4526bbfbd5feb1\Amd64\SV1303E3.PPD
File opened for modification | C:\Windows\SysWOW64\en-US\dhcpcmonitor.dll.mui
File created | C:\Windows\SysWOW64\en-US\Licenses\OEM\StarterE\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\SysWOW64\en-US\mmcndmgr.dll.mui
File opened for modification | C:\Windows\SysWOW64\migwiz\dlmanifests\Telnet-client-dl.man
File opened for modification | C:\Windows\SysWOW64\migwiz\replacementmanifests\dhcpservermigplugin-rep.man
File opened for modification | C:\Windows\SysWOW64\migwiz\replacementmanifests\stickynotes-replacement.man
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Networking-MPSSVC-Rules-BusinessEdition-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~ro-RO~7.1.7601.16492.cat
File opened for modification | C:\Windows\System32\catroot2\edb0046F.log
File created | C:\Windows\SysWOW64\en-US\Licenses\OEM\EnterpriseN\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\SysWOW64\en-US\rpchttp.dll.mui
File opened for modification | C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnca00f.inf_amd64_neutral_777b6911d18869b7\Amd64\CNBJ2920.TBL
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hpd2600t.gpd
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnlx007.inf_amd64_neutral_0b796ee4978458e2\Amd64\LME220.GPD
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnnr002.inf_amd64_neutral_37896c5e81c8d488\Amd64\NR8100D.GPD
File opened for modification | C:\Windows\SysWOW64\en-US\Licenses\OEM\Professional\license.rtf
File opened for modification | C:\Windows\SysWOW64\en-US\ulib.dll.mui
File opened for modification | C:\Windows\SysWOW64\it-IT\d2d1.dll.mui
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Shell-WinIP-Package~31bf3856ad364e35~amd64~he-IL~7.1.7601.16492.cat
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\BRM3360C.GPD
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnle002.inf_amd64_neutral_c7564163ba063094\Amd64\LR9100.GPD
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnle003.inf_amd64_neutral_c61883abf66ddb39\Amd64\LR80006.GPD
File created | C:\Windows\System32\DriverStore\FileRepository\rdpbus.inf_amd64_neutral_3b741ca76444b9c3\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\SysWOW64\en-US\Licenses\OEM\UltimateN\license.rtf
File opened for modification | C:\Windows\SysWOW64\en-US\WinSATAPI.dll.mui
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MediaPlayback-OC-Package~31bf3856ad364e35~amd64~en-US~6.1.7600.16385.cat
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PowerShell-WTR-Package~31bf3856ad364e35~amd64~en-US~7.2.7601.16406.cat
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prngt003.cat
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~zh-TW~7.1.7601.16492.cat
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnlx007.inf_amd64_neutral_0b796ee4978458e2\prnlx007.cat
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\SML347.GPD
File opened for modification | C:\Windows\SysWOW64\en-US\cewmdm.dll.mui
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpk8600t.gpd
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Shell-SoundThemes-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVP1G.GPD
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVPA5.GPD
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnin002.inf_amd64_neutral_977d40799168c216\Amd64\IFCS4045.GPD
File opened for modification | C:\Windows\SysWOW64\en-US\forfiles.exe.mui
File opened for modification | C:\Windows\SysWOW64\en-US\icardres.dll.mui
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnlx00e.cat
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-WinIP-Package~31bf3856ad364e35~amd64~de-DE~7.1.7601.16492.cat
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnlx002.inf_amd64_neutral_12563574abbc36eb\Amd64\LEXC762.PPD
File created | C:\Windows\System32\DriverStore\FileRepository\wiaca00i.inf_amd64_neutral_de104aaa48ee4b00\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\SysWOW64\en-US\hdwwiz.exe.mui
File created | C:\Windows\SysWOW64\IME\IMETC10\applets\HOW TO DECRYPT FILES.txt
File created | C:\Windows\SysWOW64\pl-PL\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\SysWOW64\ru-RU\d2d1.dll.mui
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_123_for_KB3109118~31bf3856ad364e35~amd64~~6.1.4.0.cat
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnso002.inf_amd64_neutral_c3b7ce4e6f71641f\Amd64\SODPP2.INI
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnsv002.inf_amd64_neutral_6ca80563d6148ee5\Amd64\SVC27D.GPD
File opened for modification | C:\Windows\SysWOW64\en-US\cscobj.dll.mui
File opened for modification | C:\Windows\SysWOW64\en-US\mshta.exe.mui
File opened for modification | C:\Windows\SysWOW64\en-US\WinSyncProviders.rll.mui
File opened for modification | C:\Windows\SysWOW64\en-US\wlanutil.dll.mui
Drops file in Program Files directory 64 IoCs
description | ioc (Process column for every row: 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe)
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\TAB_OFF.GIF
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Paper.xml
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18246_.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Category.accft
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_up.png
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml
File created | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0214098.WAV
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_windy.png
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15172_.GIF
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21307_.GIF
File created | C:\Program Files\Windows NT\Accessories\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-today.png
File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHigh.jpg
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME51.CSS
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Tasks.accdt
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Class.zip
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-explorer.xml
File opened for modification | C:\Program Files\Java\jre7\lib\ext\sunjce_provider.jar
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00612_.WMF
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\updater.jar
File created | C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGAD.XML
File created | C:\Program Files\Java\jdk1.7.0_80\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01152_.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_SlateBlue.gif
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086384.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Status.accft
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\flyout.html
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.security_8.1.14.v20131031.jar
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Sts2.css
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\EXITEML.ICO
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_dot.png
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf
File opened for modification | C:\Program Files\Java\jre7\lib\fonts\LucidaBrightDemiItalic.ttf
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00407_.WMF
File opened for
modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.ja_5.5.0.165303.jar 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\HOW TO DECRYPT FILES.txt 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImagesMask.bmp 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIconMask.bmp 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15155_.GIF 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HM00172_.WMF 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_SelectionSubpicture.png 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CRANE.WMF 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files (x86)\Microsoft 
Office\CLIPART\PUB60COR\FINCL_02.MID 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.commands_5.5.0.165303.jar 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00297_.WMF 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00190_.WMF 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18245_.WMF 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-cli.xml 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe -
Drops file in Windows directory 64 IoCs
description | ioc (Process column, identical for every row below: 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe)
File created | C:\Windows\Panther\UnattendGC\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-14.htm
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_609ebaed9a394a1c\PeerToPeerAdmin-DL.man
File opened for modification | C:\Windows\diagnostics\index\PrinterDiagnostic.xml
File created | C:\Windows\winsxs\amd64_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.17514_none_4008824c98f8edac\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-i..cyscripts.resources_31bf3856ad364e35_6.1.7600.16385_en-us_742267d524200863\iisext.ini
File opened for modification | C:\Windows\Media\Windows User Account Control.wav
File created | C:\Windows\winsxs\amd64_microsoft-windows-m..utilities.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e175491a0d5578af\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Base-WinIP-Package~31bf3856ad364e35~amd64~zh-TW~7.1.7601.16492.cat
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-i..otmailapi.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0133233f627b01e9\hmmapi.dll.mui
File created | C:\Windows\winsxs\amd64_microsoft-windows-ie-infocard.resources_31bf3856ad364e35_11.2.9600.16428_en-us_5dfdcb89ba2b945a\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\amd64_cxraptor_philipstuv1236d_ibv64.inf_31bf3856ad364e35_6.1.7600.16385_none_a8ba31d06eb5b68e\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-aerodiagnostic_31bf3856ad364e35_6.1.7600.16385_none_4734ae48c8e465f5\TS_ColorTheme.ps1
File opened for modification | C:\Windows\Fonts\kartika.ttf
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-lcphrase-tbl_31bf3856ad364e35_6.1.7600.16385_none_308365e956246926\lcptr.tbl
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\App_LocalResources\security0.aspx.resx
File opened for modification | C:\Windows\Fonts\courer.fon
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Pipes\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\servicing\Editions\HomeBasicEdition.xml
File created | C:\Windows\winsxs\amd64_microsoft-windows-i..henticationbinaries_31bf3856ad364e35_6.1.7600.16385_none_39dd2292c22c1d9e\HOW TO DECRYPT FILES.txt
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\9a3ab1594cf5cd52f0794b0a93a14b57\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\Fonts\mangalb.ttf
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp_Application.aspx
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-MobilePC-Client-SideShow-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat
File created | C:\Windows\winsxs\amd64_microsoft-windows-i..onal-codepage-28603_31bf3856ad364e35_6.1.7600.16385_none_ad7fd8db004f866a\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\Cursors\up_rl.cur
File opened for modification | C:\Windows\servicing\Packages\WIN8IP-Microsoft-Windows-WMI-Package~31bf3856ad364e35~amd64~en-US~7.2.7601.16406.cat
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-n..meworkapi.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ad25441eee9df4f2\ndfapi.dll.mui
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-p..-gameratingssystems_31bf3856ad364e35_6.1.7600.16385_none_85da16bf080ec561\pegi-pt.rs
File created | C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge\3.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\e1a68d2a01e132ebc60a5565a771902b\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Shell-WinIP-Package~31bf3856ad364e35~amd64~pt-PT~7.1.7601.16492.cat
File created | C:\Windows\winsxs\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_cs-cz_97769b281ba398b8\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-i..libraries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ac2f25e3d4ed4318\appcmd.exe.mui
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-c..entsnapin.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d338fff708cfb6b1\mycomput.dll.mui
File created | C:\Windows\winsxs\amd64_microsoft-windows-dns-clientextension_31bf3856ad364e35_6.1.7600.16385_none_cc3ad957479ac337\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_6.1.7600.16385_none_e5e3f53c23550761\RS_UserWERQueue.ps1
File created | C:\Windows\winsxs\amd64_dot4.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_836ad24e2754808b\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\winsxs\amd64_ipmidrv.inf.resources_31bf3856ad364e35_6.1.7601.17514_en-us_a6391f1ad23afcc3\IPMIDrv.sys.mui
File created | C:\Windows\winsxs\amd64_microsoft-windows-f..emutilityfatlibrary_31bf3856ad364e35_6.1.7600.16385_none_aa56df3c7375ad12\HOW TO DECRYPT FILES.txt
File created | C:\Windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web.28b9ef5a#\a00ba16c92fd291e37a00bab4a72a3fe\System.Web.Extensions.ni.dll.aux
File opened for modification | C:\Windows\inf\UGatherer\0409\gsrvctr.ini
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\DropSqlPersistenceProviderLogic.sql
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ThirdPartyNotices.txt
File opened for modification | C:\Windows\diagnostics\system\Audio\RS_Unmute.ps1
File created | C:\Windows\winsxs\amd64_microsoft-windows-m..ac-ado-ddl-security_31bf3856ad364e35_6.1.7601.17514_none_10549c4b57020e7c\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-memories_31bf3856ad364e35_6.1.7600.16385_none_51190840a935f980\button-highlight.png
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..style-layeredtitles_31bf3856ad364e35_6.1.7600.16385_none_4ad2978b8b3ac8b2\NavigationLeft_SelectionSubpicture.png
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_Foreach.help.txt
File created | C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.OutlookViewCtl\14.0.0.0__71e9bce111e9429c\HOW TO DECRYPT FILES.txt
File created | C:\Windows\inf\.NET CLR Networking 4.0.0.0\000E\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\amd64_machine.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a102031c07b6ad1d\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\diagnostics\system\PCW\VF_ProgramCompatibilityWizard.ps1
File opened for modification | C:\Windows\IME\IMEJP10\DICTS\IMJPSB.DIC
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_lv-lv_359174e350f0ded0\comctl32.dll.mui
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-font-truetype-mangal_31bf3856ad364e35_6.1.7601.17514_none_125c068ced09fd34\mangalb.ttf
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\cronometer_h.png
File created | C:\Windows\winsxs\amd64_microsoft-windows-d..nt-client.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e95b2b269173677c\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\amd64_microsoft-windows-m..ents-mdac-oledb-rll_31bf3856ad364e35_6.1.7600.16385_none_54550e6612edb791\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_en-us_11b07c1bb446e787\Rules.System.Memory.xml
File created | C:\Windows\winsxs\amd64_microsoft-windows-rasbase-ndiswan_31bf3856ad364e35_6.1.7601.17514_none_515e96306dea528f\HOW TO DECRYPT FILES.txt
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.Contracts\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt
File created | C:\Windows\winsxs\amd64_mdmhay2.inf_31bf3856ad364e35_6.1.7600.16385_none_13ebd70762da3f5e\HOW TO DECRYPT FILES.txt
Modifies registry class 10 IoCs
description | ioc (Process column, identical for every row below: 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\ = "CRYPTED!"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\DefaultIcon
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yd0N5k3r1TF75n3.exe,0"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\shell\open\command
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\shell
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\shell\open
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yd0N5k3r1TF75n3.exe"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ZuCaNo
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ZuCaNo\ = "ESDKZKDTQDWHAGF"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF
Processes
C:\Users\Admin\AppData\Local\Temp\155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe"
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID: 784