Analysis
- max time kernel: 153s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-10-2022 23:26
Behavioral task: behavioral1
- Sample: X.exe
- Resource: win7-20220901-en
- 11 signatures
- 150 seconds
Behavioral task: behavioral2
- Sample: X.exe
- Resource: win10v2004-20220812-en
- 9 signatures
- 150 seconds
General
- Target: X.exe
- Size: 39KB
- MD5: 9a93a9d1477f55a4dfd90693c0c63d3c
- SHA1: e59ef4b2e15307e64469b0a0c31d29bb88b3cd68
- SHA256: 990fb8e947d55d00381f5858ff19d266b766f284252abd1caf85045a4b947b4e
- SHA512: fe0843cf358bd6e85bd9317826a3c35591902c3e3d98eb04675f4145525a003921f09018afa7cbf518bcc8c3fbc18b5c3585cc10cd7d58fdf895073579b00c09
- SSDEEP: 384:2ebFNw4Pk1itKkpAjj5r0XqYvjSXkDCgSikU8T7XtBbDv1Lo:20FmBkpKjTY73DChDjbDa
- Score: 10/10
Malware Config
Signatures
- Detected Xorist Ransomware (2 IoCs)
  Processes (resource / yara_rule):
  - behavioral2/memory/2520-132-0x0000000000400000-0x000000000040D000-memory.dmp / family_xorist
  - behavioral2/memory/2520-133-0x0000000000400000-0x000000000040D000-memory.dmp / family_xorist
  Xorist Ransomware: Xorist is a ransomware first seen in 2020.
- UPX (yara rule upx, 2 IoCs)
  Processes (resource / yara_rule):
  - behavioral2/memory/2520-132-0x0000000000400000-0x000000000040D000-memory.dmp / upx
  - behavioral2/memory/2520-133-0x0000000000400000-0x000000000040D000-memory.dmp / upx
- Drops startup file (1 IoC)
  Processes (description / ioc / process):
  - File created / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt / X.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
  - Key created / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run / X.exe
  - Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vQVykYApjMM758B.exe" / X.exe
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (64 IoCs)
- Modifies registry class (10 IoCs)
  Processes (description / ioc / process):
  - Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\shell\open\command / X.exe
  - Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\shell\open / X.exe
  - Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vQVykYApjMM758B.exe" / X.exe
  - Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd / X.exe
  - Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "ZIBXKKHVYMVCCPW" / X.exe
  - Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\DefaultIcon / X.exe
  - Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\shell / X.exe
  - Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW / X.exe
  - Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\ = "CRYPTED!" / X.exe
  - Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vQVykYApjMM758B.exe,0" / X.exe