Analysis
max time kernel: 150s
max time network: 122s
platform: windows10_x64
resource: win10v20210408
submitted: 01-07-2021 04:38
Behavioral tasks (each sample was detonated once on Windows 7 x64 and once on Windows 10 x64)
task | sample | resource
behavioral1 | 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe | win7v20210408
behavioral2 | 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe | win10v20210408
behavioral3 | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe | win7v20210410
behavioral4 | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe | win10v20210408
behavioral5 | 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe | win7v20210410
behavioral6 | 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe | win10v20210410
behavioral7 | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe | win7v20210408
behavioral8 | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe | win10v20210410
General
Target: 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
Size: 4MB
MD5: 568db4e58977f0795730755b16c80b07
SHA1: 23231aea7dcc02eaab9c2f248bbd949d1770db8c
SHA256: 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23
SHA512: a426b5e9a4786af6558c28a577b5197704cbe224818daf2519f36a9b0f65e2f0d55e7b49f5a5ea177784fb27a4d54f0cca7125b51180b2ccf7d431375ef32c88
Malware Config
Extracted
Path | C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\HOW TO DECRYPT FILES.txt
Ransom Note | Hi, as you can see, all your files are encrypted. Don't panic, you can decrypt them, you just have to pay me for the ransom. Payment is made only by bitcoin, and the amount you have to pay is 0.03 BITCOIN You can buy very easily from these sites: www.localbitcoins.com www.paxful.com A list of several sites where you can buy bitcoin can be found here: https://bitcoin.org/en/exchanges Make sure the address where you will send the bitcoin is: 1DENGvxJZofU9BVfiScrgZHhhntJ3sAPSd After sending, contact us at this email address: zucano@tuta.io With this subject: ZUCANO03TUTA394821 After confirming the payment, you will receive a tutorial and the keys for decrypting the files.
Emails | zucano@tuta.io
Wallets | 1DENGvxJZofU9BVfiScrgZHhhntJ3sAPSd
Note: the wallet address, the contact mailbox and the mail subject ZUCANO03TUTA394821 are fixed strings inside the note rather than per-victim values, so they are usable as pivots to other samples of the same campaign.
Signatures

Drops file in Drivers directory ⋅ 7 IoCs
Process (all rows): 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
description | ioc
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui
File created | C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt
File created | C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\fwpkclnt.sys.mui
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui
Note: the files opened for modification are localised .mui resources and a readme under the driver directory, touched in the same pass as user data, so the sample does not exclude C:\Windows from encryption; the two HOW TO DECRYPT FILES.txt entries are the ransom note, which is dropped into each directory the sample walks.
Modifies extensions of user files ⋅ 4 IoCs
Ransomware generally changes the extension on encrypted files. Here the original name is kept and .ZuCaNo is appended, which is where the family name comes from.
Process (all rows): 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
description | ioc
File renamed | C:\Users\Admin\Pictures\ImportSync.png => C:\Users\Admin\Pictures\ImportSync.png.ZuCaNo
File opened for modification | C:\Users\Admin\Pictures\InitializeFormat.tiff
File renamed | C:\Users\Admin\Pictures\InitializeFormat.tiff => C:\Users\Admin\Pictures\InitializeFormat.tiff.ZuCaNo
File renamed | C:\Users\Admin\Pictures\RestoreMove.png => C:\Users\Admin\Pictures\RestoreMove.png.ZuCaNo
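The signature tables on this page are exported as one flat row per event, "description ioc process", with the acting process as the last whitespace-separated token and an IoC that may itself contain spaces. The following is an added example and is not code from the sandbox or from this report: a parser for that row format plus a triage pass that derives the appended extension from the File renamed rows, the ransom note name from the File created rows, and the autostart entry from the Set value rows. The rows in SAMPLE_ROWS are copied from this report; the function names, the set of recognised descriptions and the parsing rules are the example's own assumptions.

```python
"""Parse flattened sandbox IoC rows and derive triage facts (added example)."""
import re
from collections import Counter

# The description column values that occur in this report's signature tables.
DESCRIPTIONS = (
    "File opened for modification",
    "File created",
    "File renamed",
    "Key created",
    "Set value (str)",
)

# '<key path>\<value name> = "<data>"', the shape of the sandbox's Set value rows.
RUN_VALUE = re.compile(
    r'^(?P<key>\\REGISTRY\\.*\\(?:Run|RunOnce))\\(?P<name>[^\\]+) = "(?P<data>[^"]*)"$'
)

PROC = "155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe"

# Rows copied from this report; the sandbox appends the acting process last.
SAMPLE_ROWS = [
    r"File renamed C:\Users\Admin\Pictures\ImportSync.png => C:\Users\Admin\Pictures\ImportSync.png.ZuCaNo " + PROC,
    r"File opened for modification C:\Users\Admin\Pictures\InitializeFormat.tiff " + PROC,
    r"File renamed C:\Users\Admin\Pictures\InitializeFormat.tiff => C:\Users\Admin\Pictures\InitializeFormat.tiff.ZuCaNo " + PROC,
    r"File created C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt " + PROC,
    r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt " + PROC,
    r"Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run " + PROC,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yd0N5k3r1TF75n3.exe" ' + PROC,
]


def parse_row(row):
    """Split one flat row into (description, ioc, process).

    The description is matched against the known prefixes, the process is the
    last whitespace-separated token, and everything in between is the IoC
    (which may contain spaces, e.g. 'HOW TO DECRYPT FILES.txt').
    """
    row = row.strip()
    for desc in DESCRIPTIONS:
        if row.startswith(desc + " "):
            ioc, _, proc = row[len(desc) + 1:].rpartition(" ")
            if not proc.lower().endswith(".exe"):
                raise ValueError("row has no trailing process name: %r" % row)
            return desc, ioc, proc
    raise ValueError("unknown description in row: %r" % row)


def triage(rows):
    """Derive extension, ransom note name and autostart entries from raw rows."""
    parsed = [parse_row(r) for r in rows]
    extensions = Counter()
    created_names = Counter()
    persistence = []
    for desc, ioc, _ in parsed:
        if desc == "File renamed" and " => " in ioc:
            old, new = ioc.split(" => ", 1)
            # A family that keeps the original name just appends its marker.
            if new.startswith(old) and len(new) > len(old):
                extensions[new[len(old):]] += 1
        elif desc == "File created":
            created_names[ioc.rsplit("\\", 1)[-1]] += 1
        elif desc == "Set value (str)":
            m = RUN_VALUE.match(ioc)
            if m:
                # The sandbox doubles backslashes inside the quoted data.
                data = m.group("data").replace("\\\\", "\\")
                persistence.append((m.group("key"), m.group("name"), data))
    return {
        "extension": extensions.most_common(1)[0][0] if extensions else None,
        "ransom_note": created_names.most_common(1)[0][0] if created_names else None,
        "note_count": sum(created_names.values()),
        "persistence": persistence,
        "processes": sorted({proc for _, _, proc in parsed}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ROWS).items():
        print(key, value)
```

Feeding the full desktop.ini, System32 and Program Files tables through the same parser gives the directory coverage of the encryption walk; the note count alone already shows how many directories were visited.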
Drops startup file ⋅ 2 IoCs
Process (all rows): 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
description | ioc
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
Note: the file dropped into the Startup folder is the ransom note itself, so it is opened at every logon; no executable is placed there.
Reads user/profile data of web browsers ⋅ 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Note: this report attaches no file or registry IoCs to this signature. For a file encryptor the usual trigger is the encryption walk opening files under browser profile directories, so treat it as a by-product of the encryption rather than as evidence of credential theft unless other artefacts show otherwise.
Adds Run key to start application ⋅ 2 TTPs 2 IoCs
Process (all rows): 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
description | ioc
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yd0N5k3r1TF75n3.exe"
Note: both entries are under \REGISTRY\MACHINE (HKLM), so the sample ran with rights to write machine-wide autostart entries, and the WOW6432Node path shows it is a 32-bit image running on the 64-bit guest. The value points to a second executable in the user's Temp directory that this report does not show being written; on an infected host, check whether that file exists before assuming the persistence is live.
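To check a host for the artefacts listed in the signatures above (files carrying the .ZuCaNo extension, HOW TO DECRYPT FILES.txt notes including the copy in a Startup folder, and the HKLM Run value Alcmeter), here is an added hunting example; it is not code from the sandbox or from this report. The directory fixture built by build_fixture is constructed for offline testing and mirrors a few paths from the tables above; the registry check only runs on Windows and returns None elsewhere, and the function names are the example's own.

```python
"""Hunt a file tree and the Run key for this report's artefacts (added example)."""
import os
import tempfile
from pathlib import Path

EXTENSION = ".ZuCaNo"                     # appended to every encrypted file
NOTE_NAME = "HOW TO DECRYPT FILES.txt"    # ransom note dropped per directory
RUN_SUBKEY = r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Alcmeter"                    # value name the sample set


def hunt_tree(root):
    """Walk root and return a summary of encrypted files and ransom notes.

    'startup_notes' lists note copies that sit in a Startup folder; the report
    shows one such copy, which makes the note open at every logon.
    """
    encrypted, note_dirs, startup_notes = [], [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(EXTENSION):
                encrypted.append(os.path.join(dirpath, name))
            elif name == NOTE_NAME:
                note_dirs.append(dirpath)
                if os.path.basename(dirpath) == "Startup":
                    startup_notes.append(dirpath)
    return {
        "encrypted": sorted(encrypted),
        "note_dirs": sorted(note_dirs),
        "startup_notes": sorted(startup_notes),
    }


def check_run_key():
    """Return the Alcmeter Run data, or None when absent or not on Windows.

    The report's \\REGISTRY\\MACHINE path is HKLM. KEY_WOW64_64KEY opens the
    literal 64-bit view so a 32-bit interpreter is not redirected elsewhere.
    """
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY, 0,
                            winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as key:
            data, _ = winreg.QueryValueEx(key, RUN_VALUE)
            return data
    except OSError:
        return None


def build_fixture():
    """Constructed directory tree mirroring a few paths from the report."""
    root = tempfile.mkdtemp(prefix="zucano_")
    pics = Path(root, "Users", "Admin", "Pictures")
    pics.mkdir(parents=True)
    (pics / "ImportSync.png.ZuCaNo").write_bytes(b"\x00" * 16)
    (pics / "RestoreMove.png.ZuCaNo").write_bytes(b"\x00" * 16)
    (pics / "clean.txt").write_text("not touched")
    (pics / NOTE_NAME).write_text("ransom note")
    startup = Path(root, "Users", "Admin", "AppData", "Roaming", "Microsoft",
                   "Windows", "Start Menu", "Programs", "Startup")
    startup.mkdir(parents=True)
    (startup / NOTE_NAME).write_text("ransom note")
    return root


if __name__ == "__main__":
    summary = hunt_tree(build_fixture())
    print(len(summary["encrypted"]), "encrypted files,",
          len(summary["note_dirs"]), "note directories,",
          "startup note present:", bool(summary["startup_notes"]))
    print("Run value:", check_run_key())
```

Run hunt_tree against a mounted image or a live volume root (C:\ on the infected host); the note directories double as a map of everything the encryption walk reached, which this report shows extends into C:\Windows and C:\Program Files.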
Drops desktop.ini file(s) ⋅ 64 IoCs
Process (all rows): 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
description | ioc
File opened for modification | C:\Users\Admin\Favorites\desktop.ini
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
File opened for modification | C:\Users\Admin\Searches\desktop.ini
File opened for modification | C:\Users\Admin\Videos\desktop.ini
File opened for modification | C:\Users\Public\Videos\desktop.ini
File opened for modification | C:\Program Files (x86)\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
File opened for modification | C:\Windows\Media\Desktop.ini
File opened for modification | C:\Windows\Offline Web Pages\desktop.ini
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
File opened for modification | C:\Users\Public\Pictures\desktop.ini
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
File opened for modification | C:\Program Files\desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
File opened for modification | C:\Users\Public\Desktop\desktop.ini
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
File opened for modification | C:\Users\Admin\Documents\desktop.ini
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
File opened for modification | C:\Users\Public\Documents\desktop.ini
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
File opened for modification | C:\Users\Public\Downloads\desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
File opened for modification | C:\Users\Admin\Music\desktop.ini
File opened for modification | C:\Users\Admin\Pictures\desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
File opened for modification | C:\Windows\Fonts\desktop.ini
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
File opened for modification | C:\Users\Admin\Downloads\desktop.ini
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
File opened for modification | C:\Users\Public\Music\desktop.ini
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
Note: every row here is an open-for-modification of an existing desktop.ini, i.e. the hidden folder-view files are encrypted along with everything else; the signature name says "drops" but no new desktop.ini is created.
Drops file in System32 directory ⋅ 64 IoCs
Process (all rows): 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
description | ioc
File created | C:\Windows\System32\DriverStore\FileRepository\netavpna.inf_amd64_0fb1780243709a71\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Embedded-UnifiedWriteFilter-Merged-base-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat
File created | C:\Windows\System32\DriverStore\FileRepository\c_sdhost.inf_amd64_d05c1c54ae75d39c\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_d271ba5a9c993ac3\qca9377_2_0.bin
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MG4100\CNC1753D.TBL
File opened for modification | C:\Windows\SysWOW64\hu-HU\msimsg.dll.mui
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Maps-onecoreuap-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-OneCore-Containers-Opt-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat
File created | C:\Windows\System32\DriverStore\FileRepository\wdma_bt.inf_amd64_4b782efaabec37d0\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\SysWOW64\en-US\cdosys.dll.mui
File opened for modification | C:\Windows\SysWOW64\en-US\Storprop.dll.mui
File opened for modification | C:\Windows\SysWOW64\en-US\ucmhc.dll.mui
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-AllowTelemetry-Reduced-Default-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-CoreSystem-onecoreuap-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-DeviceRuntime-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RegulatedPackages-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat
File opened for modification | C:\Windows\SysWOW64\en-US\devenum.dll.mui
File opened for modification | C:\Windows\SysWOW64\fi-FI\quickassist.exe.mui
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-VHD-onecore-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-OneCore-Containers-Opt-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat
File created | C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_708bc7360cbceaea\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\SysWOW64\en-US\unlodctr.exe.mui
File opened for modification | C:\Windows\SysWOW64\en-US\wusa.exe.mui
File opened for modification | C:\Windows\SysWOW64\he-IL\quickassist.exe.mui
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-mergedcomponents~31bf3856ad364e35~amd64~~10.0.15063.0.cat
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-CoreSystem-MSF-Core-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat
File created | C:\Windows\System32\DriverStore\FileRepository\mdmminij.inf_amd64_816105034cd8ed06\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataV4Adapter.ps1
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NetFx3-OC-Package-redist-WOW64-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat
File opened for modification | C:\Windows\SysWOW64\de-DE\windows.ui.xaml.dll.mui
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prndlclf.inf_amd64_efe1d550b7437499\dlclf4a-manifest.ini
File opened for modification | C:\Windows\SysWOW64\pl-PL\comdlg32.dll.mui
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Primitive-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnxxcl4.inf_amd64_51802a081cf64b2b\xrTxtResCL0.GPD
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Multimedia-CastingReceiver-Media-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat
File opened for modification | C:\Windows\SysWOW64\en-US\drvcfg.exe.mui
File opened for modification | C:\Windows\SysWOW64\en-US\register-cimprovider.exe.mui
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Foundation-Group-minkernel-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat
File created | C:\Windows\System32\DriverStore\FileRepository\netmyk64.inf_amd64_8d2331ef1f1a08cd\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_6df3b80c4f6b8f8d\MXDW-pipelineconfig.xml
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnxxcl3.inf_amd64_0fb0ea0c17a53da0\xrP6OFc0.GPD
File created | C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MX330\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prncacla.inf_amd64_65d72b0cf837d4c1\Amd64\CNBX9OPIPELINECONFIG.XML
File opened for modification | C:\Windows\SysWOW64\en-GB\comdlg32.dll.mui
File opened for modification | C:\Windows\SysWOW64\en-US\NcdProp.dll.mui
File opened for modification | C:\Windows\SysWOW64\tr-TR\quickassist.exe.mui
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NFS-ClientSKU-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnokcl1.inf_amd64_d54b831cc2bc714b\OKESCP24-manifest.ini
File created | C:\Windows\System32\DriverStore\FileRepository\prnxxcl3.inf_amd64_0fb0ea0c17a53da0\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\CNQ9602\CNQ1908D.TBL
File opened for modification | C:\Windows\SysWOW64\en-US\runonce.exe.mui
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Host-base-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Media-Foundation-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prncacl2.cat
File created | C:\Windows\System32\DriverStore\FileRepository\net8192se64.inf_amd64_167684f9283b4eca\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\SysWOW64\ja-JP\Windows.Media.Speech.UXRes.dll.mui
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Storage-VSP-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat
File created | C:\Windows\System32\DriverStore\FileRepository\mdmairte.inf_amd64_924b5a11fc6fb755\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\SysWOW64\en-US\AuditNativeSnapIn.dll.mui
File opened for modification | C:\Windows\SysWOW64\en-US\verifiergui.exe.mui
File created | C:\Windows\System32\DriverStore\FileRepository\c_fsactivitymonitor.inf_amd64_9b02583544c39f62\HOW TO DECRYPT FILES.txt
File created | C:\Windows\SysWOW64\et-EE\HOW TO DECRYPT FILES.txt
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSecurity\en\HOW TO DECRYPT FILES.txt
Note: the modified files include signed catalog files under System32\catroot and driver-store payloads; once these are overwritten, component integrity checks and driver installation on the host can no longer be trusted, so a clean rebuild is the safe recovery path even if user data is restored from backup.
Drops file in Program Files directory ⋅ 64 IoCs
Process (all rows): 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
description | ioc
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-256_altform-unplated.png
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Dark.scale-400.png
File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ChronologicalLetter.dotx
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\autumn_cardback.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\326_32x32x32.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\gy_60x42.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-48.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\WideTile.scale-200.png
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\org-openide-modules.jar
File created | C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\HOW TO DECRYPT FILES.txt
File created | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\AppxMetadata\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-down.svg
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nl-nl\ui-strings.js
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ly_60x42.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-40_altform-unplated.png
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\webcompat-reporter@mozilla.org.xpi
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\Office.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-80.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_sv_135x40.svg
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SplashScreen.scale-100.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeMedTile.scale-200_contrast-white.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-16_altform-colorize.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\ui-strings.js
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\js\common.js
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorMedTile.contrast-black_scale-125.png
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsSmallTile.scale-125.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarMediumTile.scale-125.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\SmallTile.scale-100.png
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-search_zh_CN.jar
File opened for modification | C:\Program
Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\Square44x44Logo.targetsize-24_altform-unplated.png 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\es-es\HOW TO DECRYPT FILES.txt 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files (x86)\Windows NT\Accessories\en-US\wordpad.exe.mui 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\nl_16x11.png 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ko-kr\HOW TO DECRYPT FILES.txt 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-64_altform-unplated.png 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSUIGHUR.TTF 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pt-br\HOW TO DECRYPT FILES.txt 
155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File created C:\Program Files\Common Files\microsoft shared\ink\hr-HR\HOW TO DECRYPT FILES.txt 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_ja.jar 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ja-jp\ui-strings.js 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\de-de\HOW TO DECRYPT FILES.txt 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Exchange.scale-400.png 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\WideTile.scale-200.png 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_comment_18.svg 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\root\HOW TO DECRYPT FILES.txt 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013bw.dotx 
155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupSmallTile.scale-125.png 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL102.XML 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4632_24x24x32.png 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xea22.png 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Spider\ResPacks\HOW TO DECRYPT FILES.txt 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-36_altform-fullcolor.png 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File created C:\Program Files (x86)\Windows NT\TableTextService\HOW TO DECRYPT FILES.txt 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri.xml 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ko-kr\HOW TO DECRYPT FILES.txt 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened 
for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\SmallTile.scale-125.png 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\32.jpg 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe -
Drops file in Windows directory ⋅ 64 IoCs
Processes:
155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
description ioc (process for every entry: 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe)
File opened for modification C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7336_32x32x32.png
File opened for modification C:\Windows\InfusedApps\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-100.png
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
File opened for modification C:\Windows\InfusedApps\Packages\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-150_8wekyb3d8bbwe\AppxBlockMap.xml
File opened for modification C:\Windows\InfusedApps\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\7.jpg
File created C:\Windows\InfusedApps\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\surfaceHub\en-US\HOW TO DECRYPT FILES.txt
File opened for modification C:\Windows\InfusedApps\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-72.png
File opened for modification C:\Windows\debug\sammui.log
File opened for modification C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\TriPeaks\Tips_2.jpg
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\home2.aspx
File created C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt
File created C:\Windows\Help\Windows\IndexStore\en-US\HOW TO DECRYPT FILES.txt
File opened for modification C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCache-Dark.scale-100.png
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\SmtpSettings.aspx.resx
File created C:\Windows\schemas\EAPMethods\HOW TO DECRYPT FILES.txt
File opened for modification C:\Windows\Boot\PCAT\hr-HR\bootmgr.exe.mui
File opened for modification C:\Windows\diagnostics\system\Networking\UtilitySetConstants.ps1
File opened for modification C:\Windows\InfusedApps\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Tick.png
File opened for modification C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\hn_60x42.png
File opened for modification C:\Windows\Cursors\wait_m.cur
File opened for modification C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\nf_16x11.png
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif
File opened for modification C:\Windows\servicing\Packages\Microsoft-OneCore-Connectivity-NFC-SEManagement-onecore-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-StorageService-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat
File opened for modification C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4665_24x24x32.png
File opened for modification C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupWideTile.scale-100.png
File opened for modification C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-125_kzf8qxf38zg5c\SkypeApp\Assets\SkypeWideTile.scale-125.png
File opened for modification C:\Windows\InfusedApps\Packages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-black\WideLogo.scale-150_contrast-black.png
File opened for modification C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-60_altform-unplated.png
File created C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ConfigCI.Commands\v4.0_10.0.0.0__31bf3856ad364e35\DefaultWindows_Audit.xml
File opened for modification C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\angel.png
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\AppSetting.ascx.resx
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\manageUsers.aspx.resx
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-Client-Features-WOW64-Package-AutoMerged-drivers~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat
File opened for modification C:\Windows\InfusedApps\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\Assets\Images\Tiles\Square71x71Logo.scale-200.png
File created C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\HOW TO DECRYPT FILES.txt
File opened for modification C:\Windows\servicing\Packages\Microsoft-OneCore-Connectivity-UsbHost-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat
File opened for modification C:\Windows\servicing\Packages\Microsoft-OneCore-RemoteDesktopServices-Collaboration-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat
File opened for modification C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\WideTile.scale-100.png
File opened for modification C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Speech\en-US\tokens_enUS.xml
File created C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\App_LocalResources\managePermissions.aspx.resx
File opened for modification C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSmallTile.scale-125.png
File created C:\Windows\InfusedApps\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Resources\Fonts\HOW TO DECRYPT FILES.txt
File opened for modification C:\Windows\servicing\Packages\Microsoft-OneCore-Connectivity-GamingPeripherals-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat
File created C:\Windows\Boot\PCAT\en-US\HOW TO DECRYPT FILES.txt
File opened for modification C:\Windows\ImmersiveControlPanel\images\wide.Apps.png
File opened for modification C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Spider\Goal_5.jpg
File opened for modification C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookSmallTile.scale-125.png
File opened for modification C:\Windows\Boot\EFI\fr-FR\bootmgr.efi.mui
File opened for modification C:\Windows\InfusedApps\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\send.white.png
File opened for modification C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageWideTile.scale-200.png
File opened for modification C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\PrizeHistory\awards_diamond.png
File opened for modification C:\Windows\InfusedApps\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_ReptileEye.png
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-MobileCore-ClassExtensions-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat
File opened for modification C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\LargeTile.scale-100.png
File opened for modification C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.targetsize-24.png
File opened for modification C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\Perfect\ribbon_3.png
File opened for modification C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\2_32x32x32.png
File created C:\Windows\InfusedApps\Packages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-100_8wekyb3d8bbwe\HOW TO DECRYPT FILES.txt
File opened for modification C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookMailBadge.scale-125.png
File created C:\Windows\Boot\PCAT\en-GB\HOW TO DECRYPT FILES.txt
Modifies registry class ⋅ 10 IoCs
Processes:
155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
description ioc (process for every entry: 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yd0N5k3r1TF75n3.exe,0"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\shell
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\shell\open
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yd0N5k3r1TF75n3.exe"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ZuCaNo
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\DefaultIcon
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\ = "CRYPTED!"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\shell\open\command
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ZuCaNo\ = "ESDKZKDTQDWHAGF"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF
Processes
C:\Users\Admin\AppData\Local\Temp\155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
"C:\Users\Admin\AppData\Local\Temp\155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe"
Drops file in Drivers directory
Modifies extensions of user files
Drops startup file
Adds Run key to start application
Drops desktop.ini file(s)
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Modifies registry class
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Downloads
C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini
MD5 ae826693a0ca88e37b7052d458249fe1
SHA1 7929f30c5e5dd96292be1c13e93cf838f47e4dcc
SHA256 e20d5d5e3c94e52b29d16162c0c7f96f3bebe443ed88e4f35159ae7055017661
SHA512 7133d36f2dbd2cfb1c74f09a86033ae91d9d8a52dc4535c78953ab128973332a2ecb3a69446dee8dff8bbcb80985236050520580799fe2106a4fa6318a4665df