6059871321227264.zip

General

Target: 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
Filesize: 208KB
Completed: 01-07-2021 04:41
Score: 10/10
MD5: 7ee92bcaa1305c7964a993e7f1c3761c
SHA1: 6351e156b5fe1d3ae91fec6eb367782b1373111c
SHA256: 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97

Malware Config

Extracted

Path: C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\HOW TO DECRYPT FILES.txt

Ransom Note:
Hi, as you can see, all your files are encrypted. Don't panic, you can decrypt them, you just have to pay me for the ransom. Payment is made only by bitcoin, and the amount you have to pay is 0.03 BITCOIN. You can buy very easily from these sites: www.localbitcoins.com, www.paxful.com. A list of several sites where you can buy bitcoin can be found here: https://bitcoin.org/en/exchanges Make sure the address where you will send the bitcoin is: 1DENGvxJZofU9BVfiScrgZHhhntJ3sAPSd. After sending, contact us at this email address: zucano@tuta.io, with this subject: ZUCANO03TUTA394821. After confirming the payment, you will receive a tutorial and the keys for decrypting the files.

Emails: zucano@tuta.io

Wallets: 1DENGvxJZofU9BVfiScrgZHhhntJ3sAPSd

Signatures (10)

Tactics: Collection, Credential Access, Defense Evasion, Persistence
  • Drops file in Drivers directory
    Process: 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe

    Reported IOCs (description | ioc | process)

    File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File created | C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\SysWOW64\drivers\en-US\fwpkclnt.sys.mui | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File created | C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
  • Modifies extensions of user files
    Process: 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Reported IOCs (description | ioc | process)

    File renamed | C:\Users\Admin\Pictures\AddSplit.raw => C:\Users\Admin\Pictures\AddSplit.raw.ZuCaNo | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File renamed | C:\Users\Admin\Pictures\GrantDisable.raw => C:\Users\Admin\Pictures\GrantDisable.raw.ZuCaNo | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
  • Drops startup file
    Process: 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe

    Reported IOCs (description | ioc | process)

    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System; Credentials in Files
  • Adds Run key to start application
    Process: 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs (description | ioc | process)

    Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yd0N5k3r1TF75n3.exe" | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
  • Drops desktop.ini file(s)
    Process: 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe

    Reported IOCs

  • Drops file in System32 directory
    Process: 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe

    Reported IOCs

  • Drops file in Program Files directory
    Process: 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe

    Reported IOCs

    File opened for modificationC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarMediumTile.scale-200.png8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\main-selector.css8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files\Java\jdk1.8.0_66\lib\jawt.lib8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_ja_4.4.0.v20140623020002.jar8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File createdC:\Program Files (x86)\HOW TO DECRYPT FILES.txt8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\Sounds\CrownAppearance.wav8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner.gif8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare44x44Logo.targetsize-24_altform-unplated.png8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-20_altform-unplated.png8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\bb_16x11.png8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-64_altform-unplated.png8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-64_contrast-white.png8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\mx_60x42.png8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-en_us_2x.gif8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Calculator\Add-Numbers.ps18a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files\VideoLAN\VLC\lua\http\requests\playlist_jstree.xml8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\StreamMap.xml8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ss_60x42.png8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailSmallTile.scale-150.png8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File createdC:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\HOW TO DECRYPT FILES.txt8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-print.xml8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\PSS10O.CHM8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Wide310x150Logo.scale-100.png8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_newfolder_18.svg8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File createdC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-si\HOW TO DECRYPT FILES.txt8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-cn\ui-strings.js8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\it-it\ui-strings.js8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\papyrus.jpg8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File createdC:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\Undo\HOW TO DECRYPT FILES.txt8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\RadialControl\Rotate_E7AD_Normal_White_64x64.png8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\ui-strings.js8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files\7-Zip\Lang\lij.txt8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.felix.gogo.shell_0.10.0.v201212101605.jar8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-warning@3x.png8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_retina.png8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File createdC:\Program Files\Internet Explorer\SIGNUP\HOW TO DECRYPT FILES.txt8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
  • Drops file in Windows directory
    8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\ImmersiveControlPanel\images\splashscreen.scale-125.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File created | C:\Windows\rescache\HOW TO DECRYPT FILES.txt | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookSmallTile.scale-400.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\WideTile.scale-200.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSmallTile.scale-400.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-16_altform-unplated.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\WideTile.scale-125.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.targetsize-30.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File created | C:\Windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\privacy_policy.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarWideTile.scale-150.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File created | C:\Windows\assembly\GAC_MSIL\UIAutomationClientsideProviders\3.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Classic\classic_11d.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\servicing\Packages\Microsoft-OneCore-VisualElementDataModel-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File created | C:\Windows\InfusedApps\Frameworks\Microsoft.NET.Native.Runtime.1.3_1.3.23901.0_x86__8wekyb3d8bbwe\HOW TO DECRYPT FILES.txt | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\image2.gif | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ISECommon\v4.0_3.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-Client-Features-WOW64-Package-AutoMerged-pcshell~31bf3856ad364e35~amd64~~10.0.15063.0.cat | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\2875_24x24x32.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2708_32x32x32.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OneConnectAppList.targetsize-32.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\music_offline_demo_page2.jpg | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Globalization.Extensions\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\challenge\Go_for_the_Silver_Unearned_small.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteWideTile.scale-150.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\_Resources\1.rsrc | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\LargeTile.scale-200.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SplashScreen.scale-200.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\Media\Windows Hardware Insert.wav | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationBuildTasks\v4.0_4.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\Fonts\c8514fix.fon | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\xboxservices.config | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-24.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File created | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\OptInPopup\HOW TO DECRYPT FILES.txt | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\as_60x42.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\AppSetting.ascx.resx | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-Multimedia-MF-avcore-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\Fonts\courer.fon | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-40_altform-unplated.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\83e220cceaab3e2595510ccaeb5f01c1\System.Configuration.Install.ni.dll.aux | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Livetiles\MicrosoftSolitaireMedTile.scale-125.jpg | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File created | C:\Windows\InfusedApps\Packages\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\HOW TO DECRYPT FILES.txt | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\75913bbaf1bee617a94dcd6b5df12a5d\System.Core.ni.dll.aux | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\ImmersiveControlPanel\images\TileSmall.contrast-white_scale-400.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\SmallTile.scale-100.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\servicing\Packages\Microsoft-OneCore-Indexer-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File created | C:\Windows\assembly\NativeImages_v4.0.30319_64\Accessibility\c9bdcf9e45459b60e542e8f270de0c52\HOW TO DECRYPT FILES.txt | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-64.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-NCB-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File created | C:\Windows\InfusedApps\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Fonts\HOW TO DECRYPT FILES.txt | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1250_72x72x32.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5941_40x40x32.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\MapsSmallTile.scale-100.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\servicing\Packages\Connectivity-CustomDeviceAccess-onecoreuap-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\Boot\EFI\et-EE\bootmgfw.efi.mui | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-96.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Dark.scale-150.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\MiracastView\Assets\tilesmall.contrast-black_scale-80.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteReplayCrossHairIcon-2.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\servicing\Packages\HyperV-Guest-VmBus-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File created | C:\Windows\Globalization\Sorting\HOW TO DECRYPT FILES.txt | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-20_altform-unplated.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\MedTile.scale-200.png | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
  • Modifies registry class
    8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\shell | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ZuCaNo\ = "ESDKZKDTQDWHAGF" | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\DefaultIcon | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yd0N5k3r1TF75n3.exe,0" | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\shell\open\command | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yd0N5k3r1TF75n3.exe" | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ZuCaNo | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\ = "CRYPTED!" | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ESDKZKDTQDWHAGF\shell\open | 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
Processes 1
  • C:\Users\Admin\AppData\Local\Temp\8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    "C:\Users\Admin\AppData\Local\Temp\8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe"
    Drops file in Drivers directory
    Modifies extensions of user files
    Drops startup file
    Adds Run key to start application
    Drops desktop.ini file(s)
    Drops file in System32 directory
    Drops file in Program Files directory
    Drops file in Windows directory
    Modifies registry class
    PID:1404
Network
MITRE ATT&CK Matrix
    Command and Control
    Credential Access
    Defense Evasion
    Discovery
    Execution
    Exfiltration
    Impact
    Initial Access
    Lateral Movement
    Privilege Escalation
Downloads
  • C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini

    MD5

    ae826693a0ca88e37b7052d458249fe1

    SHA1

    7929f30c5e5dd96292be1c13e93cf838f47e4dcc

    SHA256

    e20d5d5e3c94e52b29d16162c0c7f96f3bebe443ed88e4f35159ae7055017661

    SHA512

    7133d36f2dbd2cfb1c74f09a86033ae91d9d8a52dc4535c78953ab128973332a2ecb3a69446dee8dff8bbcb80985236050520580799fe2106a4fa6318a4665df