6059871321227264.zip

General
Target

155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe

Filesize

4MB

Completed

01-07-2021 04:41

Score
10/10
MD5

568db4e58977f0795730755b16c80b07

SHA1

23231aea7dcc02eaab9c2f248bbd949d1770db8c

SHA256

155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23

Malware Config

Extracted

Path C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\HOW TO DECRYPT FILES.txt
Ransom Note
Hi, as you can see, all your files are encrypted. Don't panic, you can decrypt them, you just have to pay me for the ransom. Payment is made only by bitcoin, and the amount you have to pay is 0.03 BITCOIN You can buy very easily from these sites: www.localbitcoins.com www.paxful.com A list of several sites where you can buy bitcoin can be found here: https://bitcoin.org/en/exchanges Make sure the address where you will send the bitcoin is: 1DENGvxJZofU9BVfiScrgZHhhntJ3sAPSd After sending, contact us at this email address: zucano@tuta.io With this subject: ZUCANO03TUTA394821 After confirming the payment, you will receive a tutorial and the keys for decrypting the files.
Emails

zucano@tuta.io
Wallets

1DENGvxJZofU9BVfiScrgZHhhntJ3sAPSd
Signatures 10

Filter: none

Collection
Credential Access
Defense Evasion
Persistence
  • Drops file in Drivers directory
    155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\SysWOW64\drivers\gmreadme.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\SysWOW64\drivers\en-US\fwpkclnt.sys.mui155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
  • Modifies extensions of user files
    155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

    Reported IOCs

    descriptioniocprocess
    File renamedC:\Users\Admin\Pictures\ImportSync.png => C:\Users\Admin\Pictures\ImportSync.png.ZuCaNo155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Admin\Pictures\InitializeFormat.tiff155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File renamedC:\Users\Admin\Pictures\InitializeFormat.tiff => C:\Users\Admin\Pictures\InitializeFormat.tiff.ZuCaNo155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File renamedC:\Users\Admin\Pictures\RestoreMove.png => C:\Users\Admin\Pictures\RestoreMove.png.ZuCaNo155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
  • Drops startup file
    155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe

    Reported IOCs

    descriptioniocprocess
    File createdC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Adds Run key to start application
    155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry

    Reported IOCs

    descriptioniocprocess
    Key created\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yd0N5k3r1TF75n3.exe"155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
  • Drops desktop.ini file(s)
    155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Users\Admin\Favorites\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Admin\OneDrive\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Admin\Searches\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Admin\Videos\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Public\Videos\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files (x86)\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Admin\Pictures\Camera Roll\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Admin\Pictures\Saved Pictures\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\Media\Desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\Offline Web Pages\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Public\Pictures\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Public\Desktop\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Admin\Documents\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Public\Documents\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Admin\Saved Games\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Public\Downloads\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Admin\Music\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Admin\Pictures\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\Fonts\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Admin\Downloads\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Public\Music\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
  • Drops file in System32 directory
    155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe

    Reported IOCs

    descriptioniocprocess
    File createdC:\Windows\System32\DriverStore\FileRepository\netavpna.inf_amd64_0fb1780243709a71\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Embedded-UnifiedWriteFilter-Merged-base-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Windows\System32\DriverStore\FileRepository\c_sdhost.inf_amd64_d05c1c54ae75d39c\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_d271ba5a9c993ac3\qca9377_2_0.bin155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MG4100\CNC1753D.TBL155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\SysWOW64\hu-HU\msimsg.dll.mui155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Maps-onecoreuap-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-OneCore-Containers-Opt-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Windows\System32\DriverStore\FileRepository\wdma_bt.inf_amd64_4b782efaabec37d0\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\SysWOW64\en-US\cdosys.dll.mui155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\SysWOW64\en-US\Storprop.dll.mui155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\SysWOW64\en-US\ucmhc.dll.mui155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-AllowTelemetry-Reduced-Default-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-CoreSystem-onecoreuap-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-DeviceRuntime-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RegulatedPackages-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\SysWOW64\en-US\devenum.dll.mui155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\SysWOW64\fi-FI\quickassist.exe.mui155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Windows\SysWOW64\WindowsPowerShell\v1.0\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-VHD-onecore-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-OneCore-Containers-Opt-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_708bc7360cbceaea\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\SysWOW64\en-US\unlodctr.exe.mui155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\SysWOW64\en-US\wusa.exe.mui155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\SysWOW64\he-IL\quickassist.exe.mui155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-mergedcomponents~31bf3856ad364e35~amd64~~10.0.15063.0.cat155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-CoreSystem-MSF-Core-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Windows\System32\DriverStore\FileRepository\mdmminij.inf_amd64_816105034cd8ed06\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataV4Adapter.ps1155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NetFx3-OC-Package-redist-WOW64-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\SysWOW64\de-DE\windows.ui.xaml.dll.mui155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\System32\DriverStore\FileRepository\prndlclf.inf_amd64_efe1d550b7437499\dlclf4a-manifest.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\SysWOW64\pl-PL\comdlg32.dll.mui155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Primitive-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\System32\DriverStore\FileRepository\prnxxcl4.inf_amd64_51802a081cf64b2b\xrTxtResCL0.GPD155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Multimedia-CastingReceiver-Media-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\SysWOW64\en-US\drvcfg.exe.mui155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\SysWOW64\en-US\register-cimprovider.exe.mui155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Foundation-Group-minkernel-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Windows\System32\DriverStore\FileRepository\netmyk64.inf_amd64_8d2331ef1f1a08cd\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_6df3b80c4f6b8f8d\MXDW-pipelineconfig.xml155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\System32\DriverStore\FileRepository\prnxxcl3.inf_amd64_0fb0ea0c17a53da0\xrP6OFc0.GPD155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MX330\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\System32\DriverStore\FileRepository\prncacla.inf_amd64_65d72b0cf837d4c1\Amd64\CNBX9OPIPELINECONFIG.XML155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\SysWOW64\en-GB\comdlg32.dll.mui155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\SysWOW64\en-US\NcdProp.dll.mui155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\SysWOW64\tr-TR\quickassist.exe.mui155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NFS-ClientSKU-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\System32\DriverStore\FileRepository\prnokcl1.inf_amd64_d54b831cc2bc714b\OKESCP24-manifest.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Windows\System32\DriverStore\FileRepository\prnxxcl3.inf_amd64_0fb0ea0c17a53da0\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\CNQ9602\CNQ1908D.TBL155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\SysWOW64\en-US\runonce.exe.mui155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Host-base-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Media-Foundation-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prncacl2.cat155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Windows\System32\DriverStore\FileRepository\net8192se64.inf_amd64_167684f9283b4eca\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\SysWOW64\ja-JP\Windows.Media.Speech.UXRes.dll.mui155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Storage-VSP-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Windows\System32\DriverStore\FileRepository\mdmairte.inf_amd64_924b5a11fc6fb755\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\SysWOW64\en-US\AuditNativeSnapIn.dll.mui155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\SysWOW64\en-US\verifiergui.exe.mui155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Windows\System32\DriverStore\FileRepository\c_fsactivitymonitor.inf_amd64_9b02583544c39f62\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Windows\SysWOW64\et-EE\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSecurity\en\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
  • Drops file in Program Files directory
    155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-256_altform-unplated.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Dark.scale-400.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\Templates\1033\ChronologicalLetter.dotx155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\autumn_cardback.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\326_32x32x32.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\gy_60x42.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-48.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\WideTile.scale-200.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\org-openide-modules.jar155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\AppxMetadata\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-down.svg155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nl-nl\ui-strings.js155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ly_60x42.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-40_altform-unplated.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\Mozilla Firefox\browser\features\webcompat-reporter@mozilla.org.xpi155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\Office.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-80.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_sv_135x40.svg155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SplashScreen.scale-100.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeMedTile.scale-200_contrast-white.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-16_altform-colorize.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\ui-strings.js155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\VideoLAN\VLC\lua\http\js\common.js155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorMedTile.contrast-black_scale-125.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsSmallTile.scale-125.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarMediumTile.scale-125.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\SmallTile.scale-100.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-search_zh_CN.jar155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\Square44x44Logo.targetsize-24_altform-unplated.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\es-es\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files (x86)\Windows NT\Accessories\en-US\wordpad.exe.mui155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\nl_16x11.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ko-kr\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-64_altform-unplated.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSUIGHUR.TTF155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pt-br\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Program Files\Common Files\microsoft shared\ink\hr-HR\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_ja.jar155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ja-jp\ui-strings.js155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\de-de\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Exchange.scale-400.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\WideTile.scale-200.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_comment_18.svg155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\root\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013bw.dotx155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupSmallTile.scale-125.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL102.XML155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4632_24x24x32.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xea22.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Spider\ResPacks\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-36_altform-fullcolor.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Program Files (x86)\Windows NT\TableTextService\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri.xml155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ko-kr\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\SmallTile.scale-125.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\32.jpg155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
  • Drops file in Windows directory
    155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7336_32x32x32.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\InfusedApps\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-100.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\InfusedApps\Packages\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-150_8wekyb3d8bbwe\AppxBlockMap.xml155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\InfusedApps\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\7.jpg155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Windows\InfusedApps\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\surfaceHub\en-US\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\InfusedApps\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-72.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\debug\sammui.log155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\TriPeaks\Tips_2.jpg155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\home2.aspx155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Windows\Help\Windows\IndexStore\en-US\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCache-Dark.scale-100.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\SmtpSettings.aspx.resx155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Windows\schemas\EAPMethods\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\Boot\PCAT\hr-HR\bootmgr.exe.mui155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\diagnostics\system\Networking\UtilitySetConstants.ps1155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\InfusedApps\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Tick.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\hn_60x42.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\Cursors\wait_m.cur155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\nf_16x11.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\servicing\Packages\Microsoft-OneCore-Connectivity-NFC-SEManagement-onecore-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\servicing\Packages\Microsoft-Windows-StorageService-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4665_24x24x32.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupWideTile.scale-100.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-125_kzf8qxf38zg5c\SkypeApp\Assets\SkypeWideTile.scale-125.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\InfusedApps\Packages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-black\WideLogo.scale-150_contrast-black.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-60_altform-unplated.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ConfigCI.Commands\v4.0_10.0.0.0__31bf3856ad364e35\DefaultWindows_Audit.xml155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\angel.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\AppSetting.ascx.resx155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\manageUsers.aspx.resx155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\servicing\Packages\Microsoft-Windows-Client-Features-WOW64-Package-AutoMerged-drivers~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\InfusedApps\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\Assets\Images\Tiles\Square71x71Logo.scale-200.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\servicing\Packages\Microsoft-OneCore-Connectivity-UsbHost-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\servicing\Packages\Microsoft-OneCore-RemoteDesktopServices-Collaboration-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\WideTile.scale-100.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Speech\en-US\tokens_enUS.xml155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\App_LocalResources\managePermissions.aspx.resx155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSmallTile.scale-125.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Windows\InfusedApps\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Resources\Fonts\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\servicing\Packages\Microsoft-OneCore-Connectivity-GamingPeripherals-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Windows\Boot\PCAT\en-US\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\ImmersiveControlPanel\images\wide.Apps.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Spider\Goal_5.jpg155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookSmallTile.scale-125.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\Boot\EFI\fr-FR\bootmgr.efi.mui155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\InfusedApps\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\send.white.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageWideTile.scale-200.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\PrizeHistory\awards_diamond.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\InfusedApps\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_ReptileEye.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\servicing\Packages\Microsoft-Windows-MobileCore-ClassExtensions-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\LargeTile.scale-100.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.targetsize-24.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\Perfect\ribbon_3.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\2_32x32x32.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Windows\InfusedApps\Packages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-100_8wekyb3d8bbwe\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File opened for modificationC:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookMailBadge.scale-125.png155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    File createdC:\Windows\Boot\PCAT\en-GB\HOW TO DECRYPT FILES.txt155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
  • Modifies registry class
    155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yd0N5k3r1TF75n3.exe,0"155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\shell155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\shell\open155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yd0N5k3r1TF75n3.exe"155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.ZuCaNo155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\DefaultIcon155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\ = "CRYPTED!"155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\shell\open\command155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.ZuCaNo\ = "ESDKZKDTQDWHAGF"155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
Processes 1
  • C:\Users\Admin\AppData\Local\Temp\155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    "C:\Users\Admin\AppData\Local\Temp\155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe"
    Drops file in Drivers directory
    Modifies extensions of user files
    Drops startup file
    Adds Run key to start application
    Drops desktop.ini file(s)
    Drops file in System32 directory
    Drops file in Program Files directory
    Drops file in Windows directory
    Modifies registry class
    PID:3920
Network
MITRE ATT&CK Matrix
Collection
Command and Control
    Credential Access
    Defense Evasion
    Discovery
      Execution
        Exfiltration
          Impact
            Initial Access
              Lateral Movement
                Persistence
                Privilege Escalation
                  Replay Monitor
                  00:00 00:00
                  Downloads

                  • C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini

                    MD5

                    ae826693a0ca88e37b7052d458249fe1

                    SHA1

                    7929f30c5e5dd96292be1c13e93cf838f47e4dcc

                    SHA256

                    e20d5d5e3c94e52b29d16162c0c7f96f3bebe443ed88e4f35159ae7055017661

                    SHA512

                    7133d36f2dbd2cfb1c74f09a86033ae91d9d8a52dc4535c78953ab128973332a2ecb3a69446dee8dff8bbcb80985236050520580799fe2106a4fa6318a4665df

                    Download Submit