Analysis

- max time kernel: 150s
- max time network: 133s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 01-07-2021 04:38
Behavioral tasks

| Behavioral task | Sample | Resource |
| --- | --- | --- |
| behavioral1 | 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe | win7v20210408 |
| behavioral2 | 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe | win10v20210408 |
| behavioral3 | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe | win7v20210410 |
| behavioral4 | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe | win10v20210408 |
| behavioral5 | 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe | win7v20210410 |
| behavioral6 | 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe | win10v20210410 |
| behavioral7 | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe | win7v20210408 |
| behavioral8 | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe | win10v20210410 |
General

- Target: 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
- Size: 208KB
- MD5: 7ee92bcaa1305c7964a993e7f1c3761c
- SHA1: 6351e156b5fe1d3ae91fec6eb367782b1373111c
- SHA256: 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97
- SHA512: 3b5114e9b3e53ac7711df9fa5ad3dc66ce309ade04768cd334f1e1f1b311a9c36f43e6cf167d338e94116ee08dc686c0a000064a40bb2913e1e8b6b8b143c387
Malware Config

Extracted

| Field | Value |
| --- | --- |
| Path | C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\HOW TO DECRYPT FILES.txt |
| Ransom Note | Hi, as you can see, all your files are encrypted. Don't panic, you can decrypt them, you just have to pay me for the ransom. Payment is made only by bitcoin, and the amount you have to pay is 0.03 BITCOIN You can buy very easily from these sites: www.localbitcoins.com www.paxful.com A list of several sites where you can buy bitcoin can be found here: https://bitcoin.org/en/exchanges Make sure the address where you will send the bitcoin is: 1DENGvxJZofU9BVfiScrgZHhhntJ3sAPSd After sending, contact us at this email address: zucano@tuta.io With this subject: ZUCANO03TUTA394821 After confirming the payment, you will receive a tutorial and the keys for decrypting the files. |
| Emails | zucano@tuta.io |
| Wallets | 1DENGvxJZofU9BVfiScrgZHhhntJ3sAPSd |
Signatures
Drops file in Drivers directory ⋅ 7 IoCs

Processes:
Process (all entries): 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe

| description | ioc |
| --- | --- |
| File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt |
| File created | C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt |
| File opened for modification | C:\Windows\SysWOW64\drivers\en-US\fwpkclnt.sys.mui |
| File opened for modification | C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui |
| File opened for modification | C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui |
| File opened for modification | C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui |
| File created | C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt |
Modifies extensions of user files ⋅ 2 IoCs

Ransomware generally changes the extension on encrypted files.

Processes:
Process (all entries): 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe

| description | ioc |
| --- | --- |
| File renamed | C:\Users\Admin\Pictures\AddSplit.raw => C:\Users\Admin\Pictures\AddSplit.raw.ZuCaNo |
| File renamed | C:\Users\Admin\Pictures\GrantDisable.raw => C:\Users\Admin\Pictures\GrantDisable.raw.ZuCaNo |
Drops startup file ⋅ 2 IoCs

Processes:
Process (all entries): 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe

| description | ioc |
| --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini |
Reads user/profile data of web browsers ⋅ 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application ⋅ 2 TTPs 2 IoCs

Processes:
Process (all entries): 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe

| description | ioc |
| --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yd0N5k3r1TF75n3.exe" |
Drops desktop.ini file(s) ⋅ 64 IoCs

Processes:
Process (all entries): 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe

| description | ioc |
| --- | --- |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini |
| File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini |
| File opened for modification | C:\Windows\Fonts\desktop.ini |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini |
| File opened for modification | C:\Users\Public\desktop.ini |
| File opened for modification | C:\Windows\Media\Desktop.ini |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini |
| File opened for modification | C:\Users\Admin\Music\desktop.ini |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini |
| File opened for modification | C:\Users\Public\AccountPictures\desktop.ini |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini |
| File opened for modification | C:\Users\Public\Music\desktop.ini |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini |
| File opened for modification | C:\Windows\Downloaded Program Files\desktop.ini |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini |
| File opened for modification | C:\Windows\Offline Web Pages\desktop.ini |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini |
| File opened for modification | C:\Program Files (x86)\desktop.ini |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini |
| File opened for modification | C:\Users\Admin\Links\desktop.ini |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini |
| File opened for modification | C:\Program Files\desktop.ini |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini |
Drops file in System32 directory ⋅ 64 IoCs

Processes:
Process (all entries): 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe

| description | ioc |
| --- | --- |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prncacla.inf_amd64_65d72b0cf837d4c1\Amd64\CNBX9QPIPELINECONFIG.XML |
| File opened for modification | C:\Windows\SysWOW64\en-US\Windows.ApplicationModel.Store.TestingFramework.dll.mui |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Foundation-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat |
| File opened for modification | C:\Windows\SysWOW64\Dism\en-US\AssocProvider.dll.mui |
| File created | C:\Windows\System32\DriverStore\FileRepository\dc21x4vm.inf_amd64_0e1cf7c50ca4ffaa\HOW TO DECRYPT FILES.txt |
| File created | C:\Windows\System32\DriverStore\FileRepository\btampm.inf_amd64_bd21f2b33aceffe9\HOW TO DECRYPT FILES.txt |
| File opened for modification | C:\Windows\SysWOW64\en-US\mmc.exe.mui |
| File created | C:\Windows\SysWOW64\InstallShield\setupdir\0006\HOW TO DECRYPT FILES.txt |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Feature-Containers-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Portable-Devices-Package-windows~31bf3856ad364e35~amd64~~10.0.15063.0.cat |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Shield-Provider-Core-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat |
| File created | C:\Windows\SysWOW64\IME\IMEJP\HOW TO DECRYPT FILES.txt |
| File opened for modification | C:\Windows\SysWOW64\Bthprops\@BthpropsNotificationLogo.png |
| File created | C:\Windows\System32\DriverStore\FileRepository\scrawpdo.inf_amd64_1f05b455f54ba22c\HOW TO DECRYPT FILES.txt |
| File opened for modification | C:\Windows\SysWOW64\en-US\iashlpr.dll.mui |
| File created | C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MP550\HOW TO DECRYPT FILES.txt |
| File opened for modification | C:\Windows\SysWOW64\en-US\html.iec.mui |
| File opened for modification | C:\Windows\SysWOW64\en-US\IdListen.dll.mui |
| File opened for modification | C:\Windows\SysWOW64\en-US\perfdisk.dll.mui |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Miracast-Transmitter-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Drivers-onecoreuap-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmusrk1.inf_amd64_ae5b829575ed1ac2\HOW TO DECRYPT FILES.txt |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prncacla.inf_amd64_65d72b0cf837d4c1\Amd64\CNB_0350.GPD |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prntscl2.inf_amd64_710ef19434c930a9\tsunicl2PipelineConfig.xml |
| File created | C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MX890\HOW TO DECRYPT FILES.txt |
| File opened for modification | C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prncnfg.vbs |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Guest-DynamicMemory-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-APPXDeployment-onecoreuap-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prncacla.inf_amd64_65d72b0cf837d4c1\Amd64\CNB_0303-MANIFEST.INI |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MP640\CNC173FD.TBL |
| File opened for modification | C:\Windows\SysWOW64\en-US\StorageContextHandler.dll.mui |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Media-FaceAnalysis-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_d271ba5a9c993ac3\eeprom_ar6320_3p0_NFA324i_5_SS_V.bin |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prncacl2.inf_amd64_d0fd8eb0443cec17\CNN08CL2B.gpd |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MG2200\CNC1760D.TBL |
| File opened for modification | C:\Windows\SysWOW64\en-US\ngckeyenum.dll.mui |
| File opened for modification | C:\Windows\SysWOW64\es-MX\Windows.Media.Speech.UXRes.dll.mui |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-FCI-Client-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat |
| File opened for modification | C:\Windows\SysWOW64\en-US\drt.dll.mui |
| File opened for modification | C:\Windows\SysWOW64\en-US\label.exe.mui |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-termsrv~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Holographic-Desktop-Merged-pcshell-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat |
| File opened for modification | C:\Windows\SysWOW64\en-US\Windows.Graphics.Printing.dll.mui |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Runtime-Metadata-Desktop-WOW64-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat |
| File created | C:\Windows\System32\DriverStore\FileRepository\hidbatt.inf_amd64_dfa88256ff14b341\HOW TO DECRYPT FILES.txt |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnepcl2.inf_amd64_5940f4dc3bf9366e\EP0NXGS1.GPD |
| File created | C:\Windows\System32\DriverStore\FileRepository\c_fscopyprotection.inf_amd64_2b64e37c5bacf1e2\HOW TO DECRYPT FILES.txt |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnbrcl1.inf_amd64_205cfd311a6b4e83\BRIBME0A_300-PipelineConfig.xml |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prncacla.inf_amd64_65d72b0cf837d4c1\Amd64\CNB_0390-MANIFEST.INI |
| File opened for modification | C:\Windows\SysWOW64\Dism\en-US\FolderProvider.dll.mui |
| File created | C:\Windows\System32\DriverStore\FileRepository\displayoverride.inf_amd64_c0d1cad06a0a598a\HOW TO DECRYPT FILES.txt |
| File created | C:\Windows\System32\DriverStore\FileRepository\usbstor.inf_amd64_e6e84dc8b3a2a824\HOW TO DECRYPT FILES.txt |
| File created | C:\Windows\SysWOW64\Speech\Engines\SR\HOW TO DECRYPT FILES.txt |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Host-Devices-Chipset-vm-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-Group-termsrv-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat |
| File opened for modification | C:\Windows\SysWOW64\Dism\en-US\CbsProvider.dll.mui |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-WaaSAssessment-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat |
| File created | C:\Windows\System32\DriverStore\FileRepository\c_fsphysicalquotamgmt.inf_amd64_882ae96545fa6458\HOW TO DECRYPT FILES.txt |
| File opened for modification | C:\Windows\SysWOW64\en-US\sort.exe.mui |
| File opened for modification | C:\Windows\SysWOW64\en-US\remotepg.dll.mui |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Worker-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Skype-ORTC-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat |
| File opened for modification | C:\Windows\SysWOW64\en-US\glu32.dll.mui |
| File opened for modification | C:\Windows\SysWOW64\en-US\sysmon.ocx.mui |
Drops file in Program Files directory ⋅ 64 IoCs

Processes:
Process (all entries): 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe

| description | ioc |
| --- | --- |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\LargeLogo.scale-125.png |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe\Assets\Office\ResetCoord.scale-140.png |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\tr-tr\ui-strings.js |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ja-jp\HOW TO DECRYPT FILES.txt |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\HOW TO DECRYPT FILES.txt |
| File opened for modification | C:\Program Files\ConfirmClose.emf |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-down-pressed.gif |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sv-se\ui-strings.js |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_comment_18.svg |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-hover_32.svg |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-coredump.jar |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\AppList.scale-125.png |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Tournament\GameModeSpider.png |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\OneConnectWideTile.scale-100.png |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\cs-cz\HOW TO DECRYPT FILES.txt |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\Undo\Undo-over.mobile.png |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupSmallTile.scale-150.png |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\root\ui-strings.js |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\plugin.js |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Aquarium\aquarium_13c.png |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Tournament\ScoreTrophy.png |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\pt-br\HOW TO DECRYPT FILES.txt |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\197.png |
| File created | C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\BadgeLogo\HOW TO DECRYPT FILES.txt |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarMediumTile.scale-200.png |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\main-selector.css |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\jawt.lib |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_ja_4.4.0.v20140623020002.jar |
| File created | C:\Program Files (x86)\HOW TO DECRYPT FILES.txt |
| File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\Sounds\CrownAppearance.wav |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner.gif |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare44x44Logo.targetsize-24_altform-unplated.png |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-20_altform-unplated.png |

File opened for
modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\bb_16x11.png 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-64_altform-unplated.png 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-64_contrast-white.png 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\mx_60x42.png 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-en_us_2x.gif 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Calculator\Add-Numbers.ps1 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist_jstree.xml 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe File 
opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\StreamMap.xml 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ss_60x42.png 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailSmallTile.scale-150.png 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\HOW TO DECRYPT FILES.txt 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-print.xml 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\PSS10O.CHM 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Wide310x150Logo.scale-100.png 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_newfolder_18.svg 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-si\HOW TO DECRYPT FILES.txt 
8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-cn\ui-strings.js 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\it-it\ui-strings.js 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\papyrus.jpg 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\Undo\HOW TO DECRYPT FILES.txt 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\RadialControl\Rotate_E7AD_Normal_White_64x64.png 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\ui-strings.js 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe File opened for modification C:\Program Files\7-Zip\Lang\lij.txt 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.felix.gogo.shell_0.10.0.v201212101605.jar 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-warning@3x.png 
8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_retina.png 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe File created C:\Program Files\Internet Explorer\SIGNUP\HOW TO DECRYPT FILES.txt 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe -
Drops file in Windows directory ⋅ 64 IoCs
Processes:
8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
description | ioc (process for every entry: 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe)
File opened for modification | C:\Windows\ImmersiveControlPanel\images\splashscreen.scale-125.png
File created | C:\Windows\rescache\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookSmallTile.scale-400.png
File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\WideTile.scale-200.png
File opened for modification | C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSmallTile.scale-400.png
File opened for modification | C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-16_altform-unplated.png
File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\WideTile.scale-125.png
File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.targetsize-30.png
File created | C:\Windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\privacy_policy.png
File opened for modification | C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarWideTile.scale-150.png
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt
File created | C:\Windows\assembly\GAC_MSIL\UIAutomationClientsideProviders\3.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Classic\classic_11d.png
File opened for modification | C:\Windows\servicing\Packages\Microsoft-OneCore-VisualElementDataModel-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat
File created | C:\Windows\InfusedApps\Frameworks\Microsoft.NET.Native.Runtime.1.3_1.3.23901.0_x86__8wekyb3d8bbwe\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\image2.gif
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ISECommon\v4.0_3.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-Client-Features-WOW64-Package-AutoMerged-pcshell~31bf3856ad364e35~amd64~~10.0.15063.0.cat
File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\2875_24x24x32.png
File opened for modification | C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2708_32x32x32.png
File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OneConnectAppList.targetsize-32.png
File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\music_offline_demo_page2.jpg
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Globalization.Extensions\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\challenge\Go_for_the_Silver_Unearned_small.png
File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteWideTile.scale-150.png
File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\_Resources\1.rsrc
File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\LargeTile.scale-200.png
File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SplashScreen.scale-200.png
File opened for modification | C:\Windows\Media\Windows Hardware Insert.wav
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationBuildTasks\v4.0_4.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\Fonts\c8514fix.fon
File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\xboxservices.config
File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-24.png
File created | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\OptInPopup\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\as_60x42.png
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\AppSetting.ascx.resx
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-Multimedia-MF-avcore-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat
File opened for modification | C:\Windows\Fonts\courer.fon
File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-40_altform-unplated.png
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\83e220cceaab3e2595510ccaeb5f01c1\System.Configuration.Install.ni.dll.aux
File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Livetiles\MicrosoftSolitaireMedTile.scale-125.jpg
File created | C:\Windows\InfusedApps\Packages\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\75913bbaf1bee617a94dcd6b5df12a5d\System.Core.ni.dll.aux
File opened for modification | C:\Windows\ImmersiveControlPanel\images\TileSmall.contrast-white_scale-400.png
File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\SmallTile.scale-100.png
File opened for modification | C:\Windows\servicing\Packages\Microsoft-OneCore-Indexer-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat
File created | C:\Windows\assembly\NativeImages_v4.0.30319_64\Accessibility\c9bdcf9e45459b60e542e8f270de0c52\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-64.png
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-NCB-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat
File created | C:\Windows\InfusedApps\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Fonts\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1250_72x72x32.png
File opened for modification | C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5941_40x40x32.png
File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\MapsSmallTile.scale-100.png
File opened for modification | C:\Windows\servicing\Packages\Connectivity-CustomDeviceAccess-onecoreuap-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat
File opened for modification | C:\Windows\Boot\EFI\et-EE\bootmgfw.efi.mui
File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-96.png
File opened for modification | C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Dark.scale-150.png
File opened for modification | C:\Windows\MiracastView\Assets\tilesmall.contrast-black_scale-80.png
File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteReplayCrossHairIcon-2.png
File opened for modification | C:\Windows\servicing\Packages\HyperV-Guest-VmBus-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat
File created | C:\Windows\Globalization\Sorting\HOW TO DECRYPT FILES.txt
File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-20_altform-unplated.png
File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\MedTile.scale-200.png
-
Modifies registry class ⋅ 10 IoCs
Processes:
8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
description | ioc (process for every entry: 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\shell
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ZuCaNo\ = "ESDKZKDTQDWHAGF"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\DefaultIcon
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yd0N5k3r1TF75n3.exe,0"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\shell\open\command
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yd0N5k3r1TF75n3.exe"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ZuCaNo
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\ = "CRYPTED!"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\shell\open
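The file-drop lists above (Program Files and Windows directories) and the registry class changes are raw sandbox output. The Python below is an added example, not part of this report or of the sandbox, that parses events written in the report's own line format (a constructed subset copied from the page, one event per line), counts ransom-note drops against modified files per top-level directory, and follows the .ZuCaNo extension through its ProgID to the shell\open\command handler and DefaultIcon, flagging that the handler is the dropped binary in the user's Temp directory. The root split on the first two path components and the Temp-directory heuristic are the example's own assumptions.

```python
import re
from collections import Counter

# Process name exactly as it appears in the report.
PROCESS = "8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe"
RANSOM_NOTE = "HOW TO DECRYPT FILES.txt"

# Constructed sample: seven file events copied from the report's lists.
SAMPLE_FILE_EVENTS = "\n".join(line + " " + PROCESS for line in [
    r"File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png",
    r"File created C:\Program Files (x86)\HOW TO DECRYPT FILES.txt",
    r"File opened for modification C:\Program Files\7-Zip\Lang\lij.txt",
    r"File created C:\Windows\rescache\HOW TO DECRYPT FILES.txt",
    r"File opened for modification C:\Windows\Fonts\courer.fon",
    r"File opened for modification C:\Windows\Boot\EFI\et-EE\bootmgfw.efi.mui",
    r"File created C:\Windows\Globalization\Sorting\HOW TO DECRYPT FILES.txt",
])

# Constructed sample: the ten registry events from "Modifies registry class".
SAMPLE_REGISTRY_EVENTS = "\n".join(line + " " + PROCESS for line in [
    r"Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\shell",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ZuCaNo\ = "ESDKZKDTQDWHAGF"',
    r"Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\DefaultIcon",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yd0N5k3r1TF75n3.exe,0"',
    r"Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\shell\open\command",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yd0N5k3r1TF75n3.exe"',
    r"Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ZuCaNo",
    r"Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\ = "CRYPTED!"',
    r"Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\shell\open",
])

# Path may contain spaces; the process name never does, so it is the last token.
FILE_RE = re.compile(r"^(File created|File opened for modification) (.+) (\S+)$")
SET_RE = re.compile(r'^Set value \(str\) (\S+) = "(.*)" (\S+)$')
CLASSES_PREFIX = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\"


def parse_file_events(text):
    """Return [{action, path, process}] for every parseable file line."""
    events = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            events.append({"action": m.group(1), "path": m.group(2), "process": m.group(3)})
    return events


def _root(path):
    # Assumption: "C:\Program Files (x86)\x\y" -> "C:\Program Files (x86)".
    return "\\".join(path.split("\\")[:2])


def summarize_file_events(events):
    """Split ransom-note creations from encrypted-file modifications, per root."""
    summary = {"ransom_notes": 0, "modified": 0,
               "notes_by_root": Counter(), "modified_by_root": Counter()}
    for ev in events:
        name = ev["path"].rsplit("\\", 1)[-1]
        if ev["action"] == "File created" and name.lower() == RANSOM_NOTE.lower():
            summary["ransom_notes"] += 1
            summary["notes_by_root"][_root(ev["path"])] += 1
        elif ev["action"] == "File opened for modification":
            summary["modified"] += 1
            summary["modified_by_root"][_root(ev["path"])] += 1
    return summary


def parse_registry_values(text):
    """Map Classes-relative key paths to the string values the sample wrote."""
    values = {}
    for line in text.splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue  # "Key created" lines carry no value
        key = m.group(1).rstrip("\\")
        if key.startswith(CLASSES_PREFIX):
            key = key[len(CLASSES_PREFIX):]
        values[key] = m.group(2).replace("\\\\", "\\")  # undo the report's escaping
    return values


def resolve_file_association(values, extension):
    """Follow extension -> ProgID -> open command / icon, as Explorer would."""
    progid = values.get(extension)
    if progid is None:
        return None
    return {"progid": progid,
            "description": values.get(progid),
            "open_command": values.get(progid + "\\shell\\open\\command"),
            "default_icon": values.get(progid + "\\DefaultIcon")}


def handler_is_suspicious(command):
    """Assumption: a class handler living under AppData\\Local\\Temp is not legitimate."""
    return bool(command) and "\\appdata\\local\\temp\\" in command.lower()


if __name__ == "__main__":
    print(summarize_file_events(parse_file_events(SAMPLE_FILE_EVENTS)))
    assoc = resolve_file_association(parse_registry_values(SAMPLE_REGISTRY_EVENTS), ".ZuCaNo")
    print(assoc, "suspicious:", handler_is_suspicious(assoc["open_command"]))
```

Run against the full report, the same two parsers give the note count per directory tree and confirm that every .ZuCaNo file Explorer opens is handed to yd0N5k3r1TF75n3.exe in the user's Temp directory, which is the registry artefact to hunt for on other hosts.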
Processes
-
C:\Users\Admin\AppData\Local\Temp\8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe"
Behaviours: Drops file in Drivers directory; Modifies extensions of user files; Drops startup file; Adds Run key to start application; Drops desktop.ini file(s); Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; Modifies registry class
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Downloads
-
C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini
MD5 ae826693a0ca88e37b7052d458249fe1
SHA1 7929f30c5e5dd96292be1c13e93cf838f47e4dcc
SHA256 e20d5d5e3c94e52b29d16162c0c7f96f3bebe443ed88e4f35159ae7055017661
SHA512 7133d36f2dbd2cfb1c74f09a86033ae91d9d8a52dc4535c78953ab128973332a2ecb3a69446dee8dff8bbcb80985236050520580799fe2106a4fa6318a4665df