Overview
Analysis
This block, and the General and Signatures sections below, describe the behavioral2 run: the 155eaec8... sample on the Windows 10 x64 image.
max time kernel: 150s
max time network: 122s
platform: windows10_x64
resource: win10v20210408
submitted: 01-07-2021 04:38 (day-month-year, i.e. 1 July 2021; the VM images used are dated April 2021)
Behavioral tasks (task: sample on resource)
behavioral1: 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe on win7v20210408
behavioral2: 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe on win10v20210408
behavioral3: 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe on win7v20210410
behavioral4: 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe on win10v20210408
behavioral5: 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe on win7v20210410
behavioral6: 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe on win10v20210410
behavioral7: a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe on win7v20210408
behavioral8: a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe on win10v20210410
General
Target: 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
Size: 4.8MB
MD5: 568db4e58977f0795730755b16c80b07
SHA1: 23231aea7dcc02eaab9c2f248bbd949d1770db8c
SHA256: 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23
SHA512: a426b5e9a4786af6558c28a577b5197704cbe224818daf2519f36a9b0f65e2f0d55e7b49f5a5ea177784fb27a4d54f0cca7125b51180b2ccf7d431375ef32c88
Malware Config
Extracted from the dropped ransom note: C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\HOW TO DECRYPT FILES.txt
Wallet address found in the note: 1DENGvxJZofU9BVfiScrgZHhhntJ3sAPSd
Signatures
In every IoC row below the acting process is the sample itself, 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe, so the process column is not repeated per row.

Drops file in Drivers directory (7 IoCs)
File opened for modification: C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui
File created: C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt
File opened for modification: C:\Windows\SysWOW64\drivers\gmreadme.txt
File created: C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt
File opened for modification: C:\Windows\SysWOW64\drivers\en-US\fwpkclnt.sys.mui
File opened for modification: C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui
File opened for modification: C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui
Modifies extensions of user files (4 IoCs)
Ransomware generally changes the extension on encrypted files. Here the appended extension is .ZuCaNo.
File renamed: C:\Users\Admin\Pictures\ImportSync.png => C:\Users\Admin\Pictures\ImportSync.png.ZuCaNo
File opened for modification: C:\Users\Admin\Pictures\InitializeFormat.tiff
File renamed: C:\Users\Admin\Pictures\InitializeFormat.tiff => C:\Users\Admin\Pictures\InitializeFormat.tiff.ZuCaNo
File renamed: C:\Users\Admin\Pictures\RestoreMove.png => C:\Users\Admin\Pictures\RestoreMove.png.ZuCaNo
Drops startup file (2 IoCs)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
Reads user/profile data of web browsers (2 TTPs; no IoCs listed, so this is a behaviour-class match only)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
The value is written under WOW6432Node, i.e. through the 32-bit registry view, so the sample runs as a 32-bit process on the x64 VM (consistent with the SysWOW64 paths above). The configured start command points at a randomly named executable in the user's Temp directory.
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yd0N5k3r1TF75n3.exe"
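To turn rows like the ones above into something a responder can act on, here is an added Python example (it is not part of the sandbox report). It parses rows in the report's flattened "action, IoC, process" layout, derives the encrypted-file extension from the rename pairs, the ransom-note file name from the file that is created in more than one directory, and the Run-key persistence entry, and then runs that profile over a directory listing. The rows are copied from the Drivers, Modifies extensions, Drops startup file and Adds Run key signatures; the directory listing at the end is constructed for the example and does not come from the report.

```python
import re
from collections import Counter

# Rows copied from the signature tables in this report. The last token of
# every row is the process column, which here is always the sample itself.
SAMPLE = "155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe"
IOC_ROWS = [
    "File opened for modification C:\\Windows\\SysWOW64\\drivers\\en-US\\wfplwfs.sys.mui " + SAMPLE,
    "File created C:\\Windows\\SysWOW64\\drivers\\HOW TO DECRYPT FILES.txt " + SAMPLE,
    "File renamed C:\\Users\\Admin\\Pictures\\ImportSync.png => "
    "C:\\Users\\Admin\\Pictures\\ImportSync.png.ZuCaNo " + SAMPLE,
    "File opened for modification C:\\Users\\Admin\\Pictures\\InitializeFormat.tiff " + SAMPLE,
    "File renamed C:\\Users\\Admin\\Pictures\\InitializeFormat.tiff => "
    "C:\\Users\\Admin\\Pictures\\InitializeFormat.tiff.ZuCaNo " + SAMPLE,
    "File created C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\HOW TO DECRYPT FILES.txt " + SAMPLE,
    "Key created \\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run " + SAMPLE,
    'Set value (str) \\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Alcmeter'
    ' = "C:\\\\Users\\\\Admin\\\\AppData\\\\Local\\\\Temp\\\\yd0N5k3r1TF75n3.exe" ' + SAMPLE,
]

# Action prefixes used by the report; longest-prefix order does not matter
# because each one is matched with a trailing space.
ACTIONS = (
    "File opened for modification",
    "File created",
    "File renamed",
    "Key created",
    "Set value (str)",
)


def parse_row(row):
    """Split one flattened row into (action, ioc, process).

    Paths can contain spaces ("Start Menu", "HOW TO DECRYPT FILES.txt"),
    so the process is taken as the last space-separated token and the
    action is matched as a prefix; whatever is left is the IoC.
    """
    body, process = row.rstrip().rsplit(" ", 1)
    for action in ACTIONS:
        if body.startswith(action + " "):
            return action, body[len(action) + 1:], process
    raise ValueError("unrecognised row: " + row)


def build_profile(rows):
    """Derive hunt indicators (extension, note name, Run key) from the rows."""
    created = Counter()
    profile = {"process": set(), "extensions": Counter(), "note_names": set(), "run_keys": {}}
    for row in rows:
        action, ioc, process = parse_row(row)
        profile["process"].add(process)
        if action == "File renamed":
            # "old => new": whatever was appended to the old name is the extension.
            src, dst = ioc.split(" => ", 1)
            if dst.startswith(src):
                profile["extensions"][dst[len(src):]] += 1
        elif action == "File created":
            created[ioc.rsplit("\\", 1)[-1]] += 1
        elif action == "Set value (str)":
            # '<key>\<value name> = "<data>"'; the report doubles backslashes in data.
            m = re.match(r'^(.*)\\([^\\]+) = "(.*)"$', ioc)
            if m and m.group(1).endswith("\\CurrentVersion\\Run"):
                profile["run_keys"][m.group(2)] = m.group(3).replace("\\\\", "\\")
    # A ransom note is a file name that gets dropped into more than one directory.
    profile["note_names"] = {name for name, n in created.items() if n >= 2}
    return profile


def scan_listing(paths, profile):
    """Flag entries of a directory listing that match the profile."""
    exts = tuple(profile["extensions"])
    hits = []
    for path in paths:
        name = path.rsplit("\\", 1)[-1]
        if name in profile["note_names"]:
            hits.append(("ransom_note", path))
        elif exts and path.endswith(exts):
            hits.append(("encrypted_file", path))
    return hits


# Constructed directory listing for the example; not taken from the report.
LISTING = [
    "D:\\Shares\\Finance\\Q2.xlsx.ZuCaNo",
    "D:\\Shares\\Finance\\HOW TO DECRYPT FILES.txt",
    "D:\\Shares\\Finance\\readme.txt",
    "D:\\Shares\\HR\\policy.docx",
]

if __name__ == "__main__":
    profile = build_profile(IOC_ROWS)
    print("extension(s):", dict(profile["extensions"]))
    print("ransom note name(s):", profile["note_names"])
    print("Run key value(s):", profile["run_keys"])
    for kind, path in scan_listing(LISTING, profile):
        print(kind, path)
```

The note-name heuristic (a created file name seen in two or more directories) is deliberately simple; on a full report it will also pick up anything else the sample drops everywhere, so review the resulting set before using it as a detection rule. The Run-key match is restricted to keys ending in CurrentVersion\Run so that unrelated "Set value" rows are ignored.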
Drops desktop.ini file(s) (64 IoCs shown)
Every row is "File opened for modification" by the sample; the paths are:
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Admin\OneDrive\desktop.ini
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Users\Public\Videos\desktop.ini
C:\Program Files (x86)\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
C:\Users\Admin\Pictures\Camera Roll\desktop.ini
C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
C:\Windows\Media\Desktop.ini
C:\Windows\Offline Web Pages\desktop.ini
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
C:\Program Files\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
C:\Users\Admin\Documents\desktop.ini
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
C:\Users\Public\Downloads\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
C:\Windows\Fonts\desktop.ini
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
Drops file in System32 directory (64 IoCs shown)
File created: C:\Windows\System32\DriverStore\FileRepository\netavpna.inf_amd64_0fb1780243709a71\HOW TO DECRYPT FILES.txt
File opened for modification: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Embedded-UnifiedWriteFilter-Merged-base-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat
File created: C:\Windows\System32\DriverStore\FileRepository\c_sdhost.inf_amd64_d05c1c54ae75d39c\HOW TO DECRYPT FILES.txt
File opened for modification: C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_d271ba5a9c993ac3\qca9377_2_0.bin
File opened for modification: C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MG4100\CNC1753D.TBL
File opened for modification: C:\Windows\SysWOW64\hu-HU\msimsg.dll.mui
File opened for modification: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Maps-onecoreuap-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat
File opened for modification: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-OneCore-Containers-Opt-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat
File created: C:\Windows\System32\DriverStore\FileRepository\wdma_bt.inf_amd64_4b782efaabec37d0\HOW TO DECRYPT FILES.txt
File opened for modification: C:\Windows\SysWOW64\en-US\cdosys.dll.mui
File opened for modification: C:\Windows\SysWOW64\en-US\Storprop.dll.mui
File opened for modification: C:\Windows\SysWOW64\en-US\ucmhc.dll.mui
File opened for modification: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-AllowTelemetry-Reduced-Default-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat
File opened for modification: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-CoreSystem-onecoreuap-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat
File opened for modification: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-DeviceRuntime-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat
File opened for modification: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RegulatedPackages-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat
File opened for modification: C:\Windows\SysWOW64\en-US\devenum.dll.mui
File opened for modification: C:\Windows\SysWOW64\fi-FI\quickassist.exe.mui
File created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\HOW TO DECRYPT FILES.txt
File opened for modification: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-VHD-onecore-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat
File opened for modification: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-OneCore-Containers-Opt-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat
File created: C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_708bc7360cbceaea\HOW TO DECRYPT FILES.txt
File opened for modification: C:\Windows\SysWOW64\en-US\unlodctr.exe.mui
File opened for modification: C:\Windows\SysWOW64\en-US\wusa.exe.mui
File opened for modification: C:\Windows\SysWOW64\he-IL\quickassist.exe.mui
File opened for modification: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-mergedcomponents~31bf3856ad364e35~amd64~~10.0.15063.0.cat
File opened for modification: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-CoreSystem-MSF-Core-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat
File created: C:\Windows\System32\DriverStore\FileRepository\mdmminij.inf_amd64_816105034cd8ed06\HOW TO DECRYPT FILES.txt
File opened for modification: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataV4Adapter.ps1
File opened for modification: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NetFx3-OC-Package-redist-WOW64-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat
File opened for modification: C:\Windows\SysWOW64\de-DE\windows.ui.xaml.dll.mui
File opened for modification: C:\Windows\System32\DriverStore\FileRepository\prndlclf.inf_amd64_efe1d550b7437499\dlclf4a-manifest.ini
File opened for modification: C:\Windows\SysWOW64\pl-PL\comdlg32.dll.mui
File opened for modification: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Primitive-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat
File opened for modification: C:\Windows\System32\DriverStore\FileRepository\prnxxcl4.inf_amd64_51802a081cf64b2b\xrTxtResCL0.GPD
File opened for modification: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Multimedia-CastingReceiver-Media-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat
File opened for modification: C:\Windows\SysWOW64\en-US\drvcfg.exe.mui
File opened for modification: C:\Windows\SysWOW64\en-US\register-cimprovider.exe.mui
File opened for modification: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Foundation-Group-minkernel-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat
File created: C:\Windows\System32\DriverStore\FileRepository\netmyk64.inf_amd64_8d2331ef1f1a08cd\HOW TO DECRYPT FILES.txt
File opened for modification: C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_6df3b80c4f6b8f8d\MXDW-pipelineconfig.xml
File opened for modification: C:\Windows\System32\DriverStore\FileRepository\prnxxcl3.inf_amd64_0fb0ea0c17a53da0\xrP6OFc0.GPD
File created: C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MX330\HOW TO DECRYPT FILES.txt
File opened for modification: C:\Windows\System32\DriverStore\FileRepository\prncacla.inf_amd64_65d72b0cf837d4c1\Amd64\CNBX9OPIPELINECONFIG.XML
File opened for modification: C:\Windows\SysWOW64\en-GB\comdlg32.dll.mui
File opened for modification: C:\Windows\SysWOW64\en-US\NcdProp.dll.mui
File opened for modification: C:\Windows\SysWOW64\tr-TR\quickassist.exe.mui
File opened for modification: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NFS-ClientSKU-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat
File opened for modification: C:\Windows\System32\DriverStore\FileRepository\prnokcl1.inf_amd64_d54b831cc2bc714b\OKESCP24-manifest.ini
File created: C:\Windows\System32\DriverStore\FileRepository\prnxxcl3.inf_amd64_0fb0ea0c17a53da0\HOW TO DECRYPT FILES.txt
File opened for modification: C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\CNQ9602\CNQ1908D.TBL
File opened for modification: C:\Windows\SysWOW64\en-US\runonce.exe.mui
File opened for modification: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Host-base-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat
File opened for modification: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Media-Foundation-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat
File opened for modification: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prncacl2.cat
File created: C:\Windows\System32\DriverStore\FileRepository\net8192se64.inf_amd64_167684f9283b4eca\HOW TO DECRYPT FILES.txt
File opened for modification: C:\Windows\SysWOW64\ja-JP\Windows.Media.Speech.UXRes.dll.mui
File opened for modification: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Storage-VSP-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat
File created: C:\Windows\System32\DriverStore\FileRepository\mdmairte.inf_amd64_924b5a11fc6fb755\HOW TO DECRYPT FILES.txt
File opened for modification: C:\Windows\SysWOW64\en-US\AuditNativeSnapIn.dll.mui
File opened for modification: C:\Windows\SysWOW64\en-US\verifiergui.exe.mui
File created: C:\Windows\System32\DriverStore\FileRepository\c_fsactivitymonitor.inf_amd64_9b02583544c39f62\HOW TO DECRYPT FILES.txt
File created: C:\Windows\SysWOW64\et-EE\HOW TO DECRYPT FILES.txt
File created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSecurity\en\HOW TO DECRYPT FILES.txt
Drops file in Program Files directory (64 IoCs shown; the list is cut off at the end of this page)
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-256_altform-unplated.png
File created: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\HOW TO DECRYPT FILES.txt
File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Dark.scale-400.png
File opened for modification: C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml
File opened for modification: C:\Program Files\Microsoft Office\root\Templates\1033\ChronologicalLetter.dotx
File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\autumn_cardback.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\326_32x32x32.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\gy_60x42.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-48.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\WideTile.scale-200.png
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\org-openide-modules.jar
File created: C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\HOW TO DECRYPT FILES.txt
File created: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\AppxMetadata\HOW TO DECRYPT FILES.txt
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-down.svg
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nl-nl\ui-strings.js
File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ly_60x42.png
File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-40_altform-unplated.png
File opened for modification: C:\Program Files\Mozilla Firefox\browser\features\[email protected]
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\Office.png
File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-80.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_sv_135x40.svg
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml
File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SplashScreen.scale-100.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeMedTile.scale-200_contrast-white.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-16_altform-colorize.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\ui-strings.js
File opened for modification: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml
File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\js\common.js
File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorMedTile.contrast-black_scale-125.png
File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsSmallTile.scale-125.png
File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarMediumTile.scale-125.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\SmallTile.scale-100.png
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-search_zh_CN.jar
File opened for modification: C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\Square44x44Logo.targetsize-24_altform-unplated.png
File created
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\es-es\HOW TO DECRYPT FILES.txt 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files (x86)\Windows NT\Accessories\en-US\wordpad.exe.mui 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\nl_16x11.png 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ko-kr\HOW TO DECRYPT FILES.txt 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-64_altform-unplated.png 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSUIGHUR.TTF 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pt-br\HOW TO DECRYPT FILES.txt 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File created C:\Program Files\Common Files\microsoft shared\ink\hr-HR\HOW TO DECRYPT FILES.txt 
155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_ja.jar 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ja-jp\ui-strings.js 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\de-de\HOW TO DECRYPT FILES.txt 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Exchange.scale-400.png 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\WideTile.scale-200.png 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_comment_18.svg 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\root\HOW TO DECRYPT FILES.txt 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013bw.dotx 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program 
Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupSmallTile.scale-125.png 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL102.XML 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4632_24x24x32.png 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xea22.png 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Spider\ResPacks\HOW TO DECRYPT FILES.txt 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-36_altform-fullcolor.png 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File created C:\Program Files (x86)\Windows NT\TableTextService\HOW TO DECRYPT FILES.txt 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri.xml 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ko-kr\HOW TO DECRYPT FILES.txt 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program 
Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\SmallTile.scale-125.png 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\32.jpg 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe -
Drops file in Windows directory 64 IoCs
Modifies registry class 10 IoCs
description ioc Process
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yd0N5k3r1TF75n3.exe,0" 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\shell 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\shell\open 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yd0N5k3r1TF75n3.exe" 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ZuCaNo 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\DefaultIcon 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\ = "CRYPTED!" 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\shell\open\command 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ZuCaNo\ = "ESDKZKDTQDWHAGF" 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
"C:\Users\Admin\AppData\Local\Temp\155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe"
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:3920