Analysis Overview
SHA256
b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979
Threat Level: Known bad
The file b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979 was found to be: Known bad.
Malicious Activity Summary
Detected Xorist Ransomware
Xorist Ransomware
Chaos
Chaos Ransomware
Modifies boot configuration data using bcdedit
Deletes shadow copies
Deletes backup catalog
Executes dropped EXE
Modifies extensions of user files
Drops file in Drivers directory
Reads user/profile data of web browsers
Loads dropped DLL
Drops startup file
Checks computer location settings
Adds Run key to start application
Drops desktop.ini file(s)
Drops file in System32 directory
Sets desktop wallpaper using registry
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Interacts with shadow copies
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-01 15:20
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-01 15:20
Reported
2022-11-01 15:22
Platform
win7-20220901-en
Max time kernel
109s
Max time network
48s
Command Line
Signatures
Chaos
Chaos Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Xorist Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xorist Ransomware
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Deletes backup catalog
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\РАСШИФРОВАТЬ ФАЙЛЫ.txtРАСШИФРОВАТЬ ФАЙЛЫ.txt | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\???????????? ?????.txt???????????? ?????.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ox6l993g246G8Ko.exe" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\com\en-US\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\es-ES\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\InstallShield\setupdir\000b\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Ultimate\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-IasServer-MigPlugin\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_types.ps1xml.help.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\MUI\0407\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Windows_PowerShell_ISE.help.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnep00f.inf_amd64_neutral_a5f6001b957bd7e0\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Core_Commands.help.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_execution_policies.help.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\arc.inf_amd64_neutral_11b52dec8e94d9aa\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmtdkj4.inf_amd64_neutral_c150a510c4b85ce7\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmzyp.inf_amd64_neutral_b64bd08009e7444f\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\es-ES\Licenses\OEM\Ultimate\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\it-IT\Licenses\_Default\EnterpriseE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\SearchProtocolHost.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_While.help.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_job_details.help.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netbvbda.inf_amd64_neutral_2bfa4ea57bd5d74a\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnlx00v.inf_amd64_neutral_86ff307c66080d00\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\he-IL\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\IME\IMEJP10\IMJPUEX.EXE | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\WindowsPhotoGallery.bmp | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sfc.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\WCN\fr-FR\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmar1.inf_amd64_neutral_b8ebf59556c3dbf0\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\slmgr\0411\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Assignment_Operators.help.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_requirements.help.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\Dism\fr-FR\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netrtx64.inf_amd64_neutral_410e89ed86071c9b\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\ph3xibc12.inf_amd64_neutral_ff7295ba5a46d63f\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\fr-FR\Licenses\_Default\EnterpriseN\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\fr-FR\Licenses\_Default\StarterE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\InstallShield\setupdir\0c0c\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cmmon32.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\en-US\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmmcd.inf_amd64_neutral_49212f5920298e45\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnle004.inf_amd64_neutral_beb9bf23b7202bff\Amd64\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\es-ES\about_BITS_Cmdlets.help.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\PING.EXE | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Robocopy.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Automatic_Variables.help.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmtdk.inf_amd64_neutral_e567adb271831b5d\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_requirements.help.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_job_details.help.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_logical_operators.help.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\com\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\avc.inf_amd64_neutral_3ef33c750e6308ce\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\cxraptor_fm1216mk5_ibv64.inf_amd64_neutral_3eaae75b591bd148\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnle003.inf_amd64_neutral_c61883abf66ddb39\Amd64\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\IME\IMETC10\IMTCPROP.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_WS-Management_Cmdlets.help.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\divacx64.inf_amd64_neutral_fa0f82f024789743\ditrace.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmc26a.inf_amd64_neutral_547edd894d7c19d9\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnep304.inf_amd64_ja-jp_27c560b15d9928c0\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnge001.inf_amd64_neutral_cfffa4143b3c4592\Amd64\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_modules.help.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_functions_advanced.help.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\de\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\de-DE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\dot4.inf_amd64_neutral_b89cfac15ccb2fba\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\lsi_sas.inf_amd64_neutral_a4d6780f72cbd5b4\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cojkx2bm0.jpg" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgkoacfhkmobdgil.bmp" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Common Files\System\Ole DB\ja-JP\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\13.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\si.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_pressed.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099162.JPG | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02752U.BMP | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_bullets.gif | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.bat | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.jpg | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WHITEBOX.JPG | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\ext\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_performance_Thumbnail.bmp | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\images\cursors\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\plugins\services_discovery\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\THMBNAIL.PNG | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ta.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMask.bmp | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313974.JPG | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03425I.JPG | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21377_.GIF | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_center.gif | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_h.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00040_.GIF | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03205I.JPG | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\TAB_ON.GIF | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\15.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\PREVIEW.GIF | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02062U.BMP | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Push\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21303_.GIF | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\background.gif | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ba.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\Windows NT\TableTextService\TableTextServiceYi.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\InfoPathWelcomeImage.jpg | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\javacpl.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099190.JPG | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_cloudy.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up_BIDI.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\6.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\Help\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winsxs\x86_microsoft-windows-mapi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ccd449383e84c7b6\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-netplwiz-exe.resources_31bf3856ad364e35_6.1.7600.16385_es-es_fdbc420d767a65e5\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-g..howgadget-insidebar_31bf3856ad364e35_6.1.7600.16385_none_04ef2896fc362397\bg_sidebar.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-n..erclasses.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_73a0e46b641d0379\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-u..dem-voice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a0fcbd53df82fc1c\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-removablestorage-adm_31bf3856ad364e35_6.1.7600.16385_none_e338abd12c63dcf0\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-smbserver-netapi_31bf3856ad364e35_6.1.7601.17514_none_9ecc78ac672b15fc\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_netfx35wpf-microsoft_winfx_targets_31bf3856ad364e35_6.1.7600.16385_none_f1ec14daf9881833\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_nvraid.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b6dd851e1a7a5c0a\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ie-gc-registeriepkeys_31bf3856ad364e35_11.2.9600.16428_none_0a3fe92b38dd8c45\RegisterIEPKEYs.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-r..component.resources_31bf3856ad364e35_6.1.7601.17514_de-de_a164febaa701b3c2\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-p..rtmonitor.resources_31bf3856ad364e35_6.1.7600.16385_it-it_2fc20d555b85e7a6\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_6.1.7601.17514_none_dfe02de35bf41e0b\PrintBrmEngine.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\wow64_microsoft-windows-dot3svc-mof_31bf3856ad364e35_6.1.7601.17514_none_fed5505597978279\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-mfc40.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a5ce5327d7b65f5a\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.17514_none_d4259ed3b16ed82a\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-l..alization.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b3af76a53e79592a\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-o..s-service.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0b87e3eafadb992f\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-s..dthemes-calligraphy_31bf3856ad364e35_6.1.7600.16385_none_c1407bc73caf8dfc\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-s..tcard-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_157cb486e2919499\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-diskraid.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1c67636df827f190\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-e..ebargadgetresources_31bf3856ad364e35_6.1.7600.16385_none_88767a95b8bbf001\button_MCELogo_mouseout.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-mail-core.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_852f814c8eaeca66\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-w..installer.resources_31bf3856ad364e35_6.1.7600.16385_en-us_755f24abe639fb46\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_fi-fi_f70334504d66c1b8\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\Boot\PCAT\hu-HU\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-a..premiumed.resources_31bf3856ad364e35_6.1.7600.16385_en-us_092ae311c7da63a9\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-iis-wmicompatibility_31bf3856ad364e35_6.1.7600.16385_none_51f754e7e6dc79fe\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_eb806fad92a5e1bd\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_ql40xx2.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f6633d985781b5f0\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\msil_system.workflow.runtime_31bf3856ad364e35_6.1.7601.17514_none_da2690491d9ef8ed\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_mdmnis3t.inf_31bf3856ad364e35_6.1.7600.16385_none_1a28a36619b5178f\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-cdosys.resources_31bf3856ad364e35_6.1.7601.17514_ar-sa_29d12cdb138d0965\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-legacyhwui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f36e4f388e096ead\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-e..-ehepgres.resources_31bf3856ad364e35_6.1.7600.16385_en-us_613a560cdeeb69b6\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\404-7.htm | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_netfx-system.management_b03f5f7f11d50a3a_6.1.7601.17514_none_f6397b438cd5e46b\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-d..g-adminui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b7f7d1d2c65e2504\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-keyiso.resources_31bf3856ad364e35_6.1.7600.16385_it-it_970c208e9f8f3615\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_WMI_Cmdlets.help.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\x86_netfx35linq-system...del.dataannotations_31bf3856ad364e35_6.1.7601.17514_none_14c03c6a5757b547\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-s..repairbde.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_79b8c8362b698dd6\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_profiles.help.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-autochk.resources_31bf3856ad364e35_6.1.7600.16385_de-de_fc92234d1c61b08a\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-gpupipeline_31bf3856ad364e35_6.1.7601.17514_none_5a5226e685faba67\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-s..mes-chess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8ce17f80cc8e9b4a\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-iis-w3svc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_fafddf5efddc7d12\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-b..smcnative.resources_31bf3856ad364e35_6.1.7600.16385_es-es_90f99d9fd7261bad\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_wsdapi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ce3ddc5c903d7f36\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\Media\Raga\Windows Hardware Fail.wav | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-d..-resolver.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b295c87a0acc57b9\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-wmi-ping-provider_31bf3856ad364e35_6.1.7600.16385_none_a77af0ebe7f8a1cb\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_mdmhayes.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_59db672b5c128b4b\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-00010401_31bf3856ad364e35_6.1.7600.16385_none_e65559fb7079dd6a\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\wow64_microsoft-windows-i..l-keyboard-00000440_31bf3856ad364e35_6.1.7600.16385_none_4d19ddf6b292e429\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\ad18f93fc713db2c4b29b25116c13bd8\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-e..e-library.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c56dd7fc3e6288e3\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-sctasks.resources_31bf3856ad364e35_6.1.7600.16385_de-de_79fda6febb58c843\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-font-fms.resources_31bf3856ad364e35_6.1.7600.16385_zh-hk_eb88050a81e35fb5\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-s..providers.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e6e8c38d9c1cd5cd\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\winsxs\wow64_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7601.17514_es-es_a644046f764477ee\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\inf\ServiceModelOperation 3.0.0.0\0C0A\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.huis_bn\ = "ZRMHJJVQXVFBFMX" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ox6l993g246G8Ko.exe,0" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\shell\open\command | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\shell\open | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.huis_bn | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\ = "CRYPTED!" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\shell | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ox6l993g246G8Ko.exe" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe
"C:\Users\Admin\AppData\Local\Temp\b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\РАСШИФРОВАТЬ ФАЙЛЫ.txtРАСШИФРОВАТЬ ФАЙЛЫ.txt
Network
Files
memory/1280-54-0x0000000075601000-0x0000000075603000-memory.dmp
\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe
| MD5 | acea7e35f8878aea046a7eb35d0b8330 |
| SHA1 | 16df89d9ab87b2e0473b284bcd808109a1d5c830 |
| SHA256 | 8beeea993369162d71fc7b02b119e546430f6884e5e21dd650f7c754a98dfefe |
| SHA512 | 99982d107debd5715e40b4afac3c3f95b871aae20b4e9102a59712c5c63b1fc67a45b6c4c2413b02bae49fa8bf860d3b5dc5b597fca855632aa771c6410d8d71 |
\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe
| MD5 | acea7e35f8878aea046a7eb35d0b8330 |
| SHA1 | 16df89d9ab87b2e0473b284bcd808109a1d5c830 |
| SHA256 | 8beeea993369162d71fc7b02b119e546430f6884e5e21dd650f7c754a98dfefe |
| SHA512 | 99982d107debd5715e40b4afac3c3f95b871aae20b4e9102a59712c5c63b1fc67a45b6c4c2413b02bae49fa8bf860d3b5dc5b597fca855632aa771c6410d8d71 |
\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe
| MD5 | acea7e35f8878aea046a7eb35d0b8330 |
| SHA1 | 16df89d9ab87b2e0473b284bcd808109a1d5c830 |
| SHA256 | 8beeea993369162d71fc7b02b119e546430f6884e5e21dd650f7c754a98dfefe |
| SHA512 | 99982d107debd5715e40b4afac3c3f95b871aae20b4e9102a59712c5c63b1fc67a45b6c4c2413b02bae49fa8bf860d3b5dc5b597fca855632aa771c6410d8d71 |
\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe
| MD5 | acea7e35f8878aea046a7eb35d0b8330 |
| SHA1 | 16df89d9ab87b2e0473b284bcd808109a1d5c830 |
| SHA256 | 8beeea993369162d71fc7b02b119e546430f6884e5e21dd650f7c754a98dfefe |
| SHA512 | 99982d107debd5715e40b4afac3c3f95b871aae20b4e9102a59712c5c63b1fc67a45b6c4c2413b02bae49fa8bf860d3b5dc5b597fca855632aa771c6410d8d71 |
memory/2036-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe
| MD5 | acea7e35f8878aea046a7eb35d0b8330 |
| SHA1 | 16df89d9ab87b2e0473b284bcd808109a1d5c830 |
| SHA256 | 8beeea993369162d71fc7b02b119e546430f6884e5e21dd650f7c754a98dfefe |
| SHA512 | 99982d107debd5715e40b4afac3c3f95b871aae20b4e9102a59712c5c63b1fc67a45b6c4c2413b02bae49fa8bf860d3b5dc5b597fca855632aa771c6410d8d71 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe
| MD5 | acea7e35f8878aea046a7eb35d0b8330 |
| SHA1 | 16df89d9ab87b2e0473b284bcd808109a1d5c830 |
| SHA256 | 8beeea993369162d71fc7b02b119e546430f6884e5e21dd650f7c754a98dfefe |
| SHA512 | 99982d107debd5715e40b4afac3c3f95b871aae20b4e9102a59712c5c63b1fc67a45b6c4c2413b02bae49fa8bf860d3b5dc5b597fca855632aa771c6410d8d71 |
memory/2036-62-0x0000000001170000-0x000000000119A000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | acea7e35f8878aea046a7eb35d0b8330 |
| SHA1 | 16df89d9ab87b2e0473b284bcd808109a1d5c830 |
| SHA256 | 8beeea993369162d71fc7b02b119e546430f6884e5e21dd650f7c754a98dfefe |
| SHA512 | 99982d107debd5715e40b4afac3c3f95b871aae20b4e9102a59712c5c63b1fc67a45b6c4c2413b02bae49fa8bf860d3b5dc5b597fca855632aa771c6410d8d71 |
memory/1064-63-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | acea7e35f8878aea046a7eb35d0b8330 |
| SHA1 | 16df89d9ab87b2e0473b284bcd808109a1d5c830 |
| SHA256 | 8beeea993369162d71fc7b02b119e546430f6884e5e21dd650f7c754a98dfefe |
| SHA512 | 99982d107debd5715e40b4afac3c3f95b871aae20b4e9102a59712c5c63b1fc67a45b6c4c2413b02bae49fa8bf860d3b5dc5b597fca855632aa771c6410d8d71 |
memory/1064-66-0x0000000000AA0000-0x0000000000ACA000-memory.dmp
\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe
| MD5 | bc9b44d8e5eb1543a26c16c2d45f8ab7 |
| SHA1 | 6486e7f0a5a6fdd35913f790af2e3effc42ee994 |
| SHA256 | 767312fe8e5224f5ab86f92dbe6bb7a9bfbab2850ff7238b88d1af753a5563ce |
| SHA512 | 50b357619d89158aeda54c759af41f7a6a37a279a53c9a2995857f4603532ac553e593a4ce4b287330cb66eb59646cac8449731965e7d4074c6217e818cc5e9e |
\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe
| MD5 | bc9b44d8e5eb1543a26c16c2d45f8ab7 |
| SHA1 | 6486e7f0a5a6fdd35913f790af2e3effc42ee994 |
| SHA256 | 767312fe8e5224f5ab86f92dbe6bb7a9bfbab2850ff7238b88d1af753a5563ce |
| SHA512 | 50b357619d89158aeda54c759af41f7a6a37a279a53c9a2995857f4603532ac553e593a4ce4b287330cb66eb59646cac8449731965e7d4074c6217e818cc5e9e |
\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe
| MD5 | bc9b44d8e5eb1543a26c16c2d45f8ab7 |
| SHA1 | 6486e7f0a5a6fdd35913f790af2e3effc42ee994 |
| SHA256 | 767312fe8e5224f5ab86f92dbe6bb7a9bfbab2850ff7238b88d1af753a5563ce |
| SHA512 | 50b357619d89158aeda54c759af41f7a6a37a279a53c9a2995857f4603532ac553e593a4ce4b287330cb66eb59646cac8449731965e7d4074c6217e818cc5e9e |
memory/560-71-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe
| MD5 | bc9b44d8e5eb1543a26c16c2d45f8ab7 |
| SHA1 | 6486e7f0a5a6fdd35913f790af2e3effc42ee994 |
| SHA256 | 767312fe8e5224f5ab86f92dbe6bb7a9bfbab2850ff7238b88d1af753a5563ce |
| SHA512 | 50b357619d89158aeda54c759af41f7a6a37a279a53c9a2995857f4603532ac553e593a4ce4b287330cb66eb59646cac8449731965e7d4074c6217e818cc5e9e |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe
| MD5 | bc9b44d8e5eb1543a26c16c2d45f8ab7 |
| SHA1 | 6486e7f0a5a6fdd35913f790af2e3effc42ee994 |
| SHA256 | 767312fe8e5224f5ab86f92dbe6bb7a9bfbab2850ff7238b88d1af753a5563ce |
| SHA512 | 50b357619d89158aeda54c759af41f7a6a37a279a53c9a2995857f4603532ac553e593a4ce4b287330cb66eb59646cac8449731965e7d4074c6217e818cc5e9e |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe
| MD5 | bc9b44d8e5eb1543a26c16c2d45f8ab7 |
| SHA1 | 6486e7f0a5a6fdd35913f790af2e3effc42ee994 |
| SHA256 | 767312fe8e5224f5ab86f92dbe6bb7a9bfbab2850ff7238b88d1af753a5563ce |
| SHA512 | 50b357619d89158aeda54c759af41f7a6a37a279a53c9a2995857f4603532ac553e593a4ce4b287330cb66eb59646cac8449731965e7d4074c6217e818cc5e9e |
memory/980-75-0x0000000000000000-mapping.dmp
memory/1800-76-0x0000000000000000-mapping.dmp
memory/1948-77-0x0000000000000000-mapping.dmp
memory/1752-78-0x0000000000000000-mapping.dmp
memory/1904-79-0x0000000000000000-mapping.dmp
memory/940-80-0x0000000000000000-mapping.dmp
memory/1940-81-0x0000000000000000-mapping.dmp
memory/1916-82-0x0000000000000000-mapping.dmp
memory/1916-83-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp
memory/1132-84-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\РАСШИФРОВАТЬ ФАЙЛЫ.txtРАСШИФРОВАТЬ ФАЙЛЫ.txt
| MD5 | 2257eeabd7acd4f3fce17525c2ba93e3 |
| SHA1 | 8807bb45e47534f928a08f20520b97eaea254fff |
| SHA256 | b0d70f954eff523a253f4811051b149529b8e8a93e721e4c26cb399953b24117 |
| SHA512 | 4f9d73cdbbf9e743df442d8f87153d869be1911953a92ee4d572135ac01cd8f1fc6a962e494c4429b22da7efaf8192d5bea5614c09039a0aadd3e24b253a50fa |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe.huis_bn
| MD5 | 98dff88098831ace45f0b21d27cfcdcf |
| SHA1 | c4f6736a7966280592c77345d0f2b2d4ff0cf3fe |
| SHA256 | 2f96e2ed6569d0b94ca86181cd51e4f5505a5e54e02a6662adea60d2a6b87d7b |
| SHA512 | 823183b8b4b76b46b76e08871b3823006eca74f7b54377f22fc5fa954eab53007869b2804282e913ac30872ffc8d7e78207623e4831030dd6608ab9399b0b0e7 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HOW TO DECRYPT FILES.txt
| MD5 | 6157e19d642c3e0d5fd57b3705c40dbc |
| SHA1 | f00d9d256216460aeef54ce40aad64082a231097 |
| SHA256 | 7c811eb04128fd2a13d5746dcc15494e2593e635b64e474ad40a63ee3524bbf8 |
| SHA512 | e3ab76dd999232c0c02ab8de2b2eb9334b347d0734a34ddb075c9a7d28459a6dd0b6f1099892bbed0bd57d6e758540dafcf67f96e833dfa17006d3b001e15772 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-01 15:20
Reported
2022-11-01 15:22
Platform
win10v2004-20220812-en
Max time kernel
112s
Max time network
148s
Command Line
Signatures
Chaos
Chaos Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Xorist Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xorist Ransomware
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Deletes backup catalog
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\PushWait.png => C:\Users\Admin\Pictures\PushWait.png.huis_bn | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\StartRestore.png => C:\Users\Admin\Pictures\StartRestore.png.huis_bn | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SwitchConfirm.png => C:\Users\Admin\Pictures\SwitchConfirm.png.huis_bn | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\РАСШИФРОВАТЬ ФАЙЛЫ.txtРАСШИФРОВАТЬ ФАЙЛЫ.txt | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\???????????? ?????.txt???????????? ?????.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ox6l993g246G8Ko.exe" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\DriverStore\FileRepository\c_computer.inf_amd64_aa72c8894a821b32\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\virtdisk.inf_amd64_9a7f42b85c7def50\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ndadmin.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ServiceResource\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WindowsOptionalFeature\de-DE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmeiger.inf_amd64_05ca2a1836c16cab\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\uicciso.inf_amd64_32023cb966fd5c8c\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\esentutl.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\srdelayed.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\fr-FR\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\c_fssystemrecovery.inf_amd64_aa57df1ffa9aace0\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\c_legacydriver.inf_amd64_c07aa9c633b5271e\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\ko-KR\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\oobe\es-ES\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\Speech\Engines\SR\en-US\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\c_cdrom.inf_amd64_f08f2fe1cde58aef\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\c_scsiadapter.inf_amd64_efffb8c026d3abc5\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdm5674a.inf_amd64_ec8de8952888a618\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\en-US\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\InfDefaultInstall.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rdrleakdiag.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Utilman.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\en\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmdp2.inf_amd64_6550f790ed88c7ba\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmolic.inf_amd64_7f84203a67c210e4\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\ntprint4.inf_amd64_0958c7cad3cd6075\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\usbnet.inf_amd64_9e6bb7a4b7338267\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\MUI\0410\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\fr-FR\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_LogResource\it-IT\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\en-US\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\chkdsk.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\Dism\de-DE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\wgencounter.inf_amd64_f496147578cad554\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Dism\ja\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\fr\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\isoburn.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\migration\es-ES\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\colorcpl.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\Configuration\Schema\MSFT_FileDirectoryConfiguration\en-US\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\c_fsinfrastructure.inf_amd64_1ef682cfd6fc7d1c\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\c_unknown.inf_amd64_9f92c189b415c003\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netax88179_178a.inf_amd64_b6748bc8bb8ccf4d\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\DiagSvcs\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\c_netdriver.inf_amd64_2d569d832b41b8df\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\c_smartcardfilter.inf_amd64_3573afe136371e51\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\itsas35i.inf_amd64_4f5850c71046b0cb\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wiaacmgr.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\es-ES\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\net44amd.inf_amd64_450d4b1e35cc8e0d\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\fr-FR\Licenses\Volume\Professional\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RMActivate_isv.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\secinit.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\tr-TR\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\InstallShield\setupdir\0021\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\it-IT\Licenses\Volume\Professional\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SysWOW64\migration\fr-FR\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cscript.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\iscsi.inf_amd64_c089962740ea1f84\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mlx4_bus.inf_amd64_4c426f3bebc68844\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\spaceport.inf_amd64_6383331cfa0a32be\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a9odwg20k.jpg" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-24.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\CompleteCheckmark.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\THMBNAIL.PNG | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsSplashScreen.contrast-black_scale-100.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fi-fi\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\cloud_secured_lg.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\tr-tr\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.165.21\MicrosoftEdgeUpdateBroker.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarMediumTile.scale-400.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PeopleLargeTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\pages\winrthost.htm | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-100_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\SmallTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-400_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\Doughboy.scale-150.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\WideTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\THMBNAIL.PNG | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookLargeTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCache.scale-200.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.scale-100.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\de-de\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Planet.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-36_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsSplashScreen.scale-100.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderLogoExtensions.targetsize-20.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Fonts\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.scale-200.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSplashLogo.scale-300.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\fr-FR\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\da-dk\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\zh-tw.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-80_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-125_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-150_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\illustrations_retina.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-80.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageBadgeLogo.scale-400.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.scale-200.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\WebviewOffline.html | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Dark.scale-150.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\LargeTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_MoveDrop32x32.gif | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square150x150Logo.scale-150.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailSmallTile.scale-150.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-24_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\icons_ie8.gif | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\dd_arrow_small2x.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderSplashScreen.contrast-white_scale-200.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ru-ru\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\cloud_secured.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Acrobat Pro DC.pdf | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..voicecommon-onecore_31bf3856ad364e35_10.0.19041.746_none_133ac2bb3e537369\r\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Messaging.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-ncsi_31bf3856ad364e35_10.0.19041.1_none_6293b716b8418fce\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.746_none_5fb37340a423d88f\r\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.resources\v4.0_4.0.0.0_fr_b77a5c561934e089\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-client-li..m-service-migration_31bf3856ad364e35_10.0.19041.84_none_8ea6a37043f4ae90\r\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-basesrv_31bf3856ad364e35_10.0.19041.1_none_c2bbf8598318544b\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-m..-autoplay.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_57eee7dc08744253\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_de-de_fa3317ce4cfa58b0\LearnMore.html | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-nshhttp_31bf3856ad364e35_10.0.19041.964_none_518ed510d35bb200\f\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-opengl.resources_31bf3856ad364e35_10.0.19041.1_en-us_55388e90743776b9\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.1151_none_aa086da848b2c07b\rdpsign.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-ehstor-api.resources_31bf3856ad364e35_10.0.19041.1_en-us_34a4e14d6fcd6f24\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-idctrls.resources_31bf3856ad364e35_10.0.19041.1_es-es_7ff0e6489b51528a\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-ie-iechooser.resources_31bf3856ad364e35_11.0.19041.1_de-de_fca2f50c3f3d9a68\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-i...appxmain.resources_31bf3856ad364e35_10.0.19041.1_en-us_945751259cc61d3a\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..ernelmode.resources_31bf3856ad364e35_10.0.19041.1_de-de_9b38e0b35785b52d\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..l-keyboard-0000040d_31bf3856ad364e35_10.0.19041.1_none_b3d11ff8f50b26ea\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-ipconfig.resources_31bf3856ad364e35_10.0.19041.1_es-es_7d9999539d3d6ad4\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\pris\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..m-initmachineconfig_31bf3856ad364e35_10.0.19041.868_none_b471f94f5b1036ba\n\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_en-us_7725a91f1043b62d\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-g..k-service.resources_31bf3856ad364e35_10.0.19041.1_en-us_332fba2f89dd2e37\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..ementwmi-powershell_31bf3856ad364e35_10.0.19041.1_none_9f3afd53271192d6\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_dual_sensorsalsdriver.inf_31bf3856ad364e35_10.0.19041.746_none_7cf0c625c3984554\f\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-security-webauth_31bf3856ad364e35_10.0.19041.1_none_e1940364964a9f22\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-mydocs_31bf3856ad364e35_10.0.19041.746_none_1df0afc39d31a240\r\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..okerplugin.appxmain_31bf3856ad364e35_10.0.19041.1_none_11b2da2074e7d6e4\StoreLogo.scale-100.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..turalauthentication_31bf3856ad364e35_10.0.19041.153_none_d1a66a77fe3b57f3\r\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-efsadu.resources_31bf3856ad364e35_10.0.19041.1_it-it_03b7d3b5fe9ffad7\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-ieframe.resources_31bf3856ad364e35_11.0.19041.1_en-us_79a8d08cd7e5bb3a\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-lsa-msprivs.resources_31bf3856ad364e35_10.0.19041.1_nb-no_d81be221202a5cfd\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Assets\PasswordExpiry.scale-400.png | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-r..tance-exe.resources_31bf3856ad364e35_10.0.19041.1_it-it_cedacf4a1a69975a\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-o..chine-dui.resources_31bf3856ad364e35_10.0.19041.1_it-it_76317e6e4376b397\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-p..paces-sso.resources_31bf3856ad364e35_10.0.19041.1_it-it_6c2763f858318c9a\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CertificateServices.PKIClient.Cmdlets.Resources\v4.0_10.0.0.0_de_31bf3856ad364e35\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v3.5\MOF\de\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..mplus-msc.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_939d08f83e7738f4\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..extension.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_c9cdc532699bfa75\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-m..nsors-api.resources_31bf3856ad364e35_10.0.19041.1_es-es_7efcf868936caefd\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-n..orkbridge.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_3479a33a02882d80\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-o..-policies.resources_31bf3856ad364e35_10.0.19041.1_en-us_c4ed144ec53159c2\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..vice-core.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_8de96efd95b1f71e\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.19041.1266_none_ab5bdb26141e0be5\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobeeula-hololens.html | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-dynamic-image_31bf3856ad364e35_10.0.19041.1288_none_b508821aea842ab0\n\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-onecore-quiethours.resources_31bf3856ad364e35_10.0.19041.1_it-it_acd68d34a2af5834\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-wmpeffects_31bf3856ad364e35_10.0.19041.1266_none_6e13bacd44a30951\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause.Resources\v4.0_1.0.0.0_es_31bf3856ad364e35\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Text.Encoding.Extensions\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-tapi3.resources_31bf3856ad364e35_10.0.19041.1_es-es_739942d33ef804fe\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-aclui.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_269329e90d8f3b5c\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..nable-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_2ef3d577b3bc2a0c\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-t..-provider.resources_31bf3856ad364e35_10.0.19041.1_en-us_a7c469a4e8e6d9e6\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-onecore-c..propsheet.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_e6f4b500a13a4255\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-n..irtualbus.resources_31bf3856ad364e35_10.0.19041.1_de-de_031a66841b9d46d5\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-p..n-service.resources_31bf3856ad364e35_10.0.19041.1_es-es_9d8dfe977be16a35\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..kenbroker.resources_31bf3856ad364e35_10.0.19041.1_de-de_e730d3144802fce8\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\Boot\EFI\da-DK\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\it-IT\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Desktop\5.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| File created | C:\Windows\INF\SMSvcHost 3.0.0.0\0410\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.huis_bn | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\ = "CRYPTED!" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ox6l993g246G8Ko.exe" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\shell\open\command | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\shell | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\shell\open | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.huis_bn\ = "ZRMHJJVQXVFBFMX" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ZRMHJJVQXVFBFMX\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ox6l993g246G8Ko.exe,0" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe
"C:\Users\Admin\AppData\Local\Temp\b26784415a946873e073c3838499fb1bea96f1b6a637e15f1ae85662f8598979.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\РАСШИФРОВАТЬ ФАЙЛЫ.txtРАСШИФРОВАТЬ ФАЙЛЫ.txt
Network
| Country | Destination | Domain | Proto |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
| FR | 40.79.141.153:443 | tcp | |
| US | 93.184.220.29:80 | tcp |
Files
memory/3208-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe
| MD5 | acea7e35f8878aea046a7eb35d0b8330 |
| SHA1 | 16df89d9ab87b2e0473b284bcd808109a1d5c830 |
| SHA256 | 8beeea993369162d71fc7b02b119e546430f6884e5e21dd650f7c754a98dfefe |
| SHA512 | 99982d107debd5715e40b4afac3c3f95b871aae20b4e9102a59712c5c63b1fc67a45b6c4c2413b02bae49fa8bf860d3b5dc5b597fca855632aa771c6410d8d71 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe
| MD5 | acea7e35f8878aea046a7eb35d0b8330 |
| SHA1 | 16df89d9ab87b2e0473b284bcd808109a1d5c830 |
| SHA256 | 8beeea993369162d71fc7b02b119e546430f6884e5e21dd650f7c754a98dfefe |
| SHA512 | 99982d107debd5715e40b4afac3c3f95b871aae20b4e9102a59712c5c63b1fc67a45b6c4c2413b02bae49fa8bf860d3b5dc5b597fca855632aa771c6410d8d71 |
memory/3208-135-0x00000000005A0000-0x00000000005CA000-memory.dmp
memory/3208-136-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp
memory/2768-137-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | acea7e35f8878aea046a7eb35d0b8330 |
| SHA1 | 16df89d9ab87b2e0473b284bcd808109a1d5c830 |
| SHA256 | 8beeea993369162d71fc7b02b119e546430f6884e5e21dd650f7c754a98dfefe |
| SHA512 | 99982d107debd5715e40b4afac3c3f95b871aae20b4e9102a59712c5c63b1fc67a45b6c4c2413b02bae49fa8bf860d3b5dc5b597fca855632aa771c6410d8d71 |
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | acea7e35f8878aea046a7eb35d0b8330 |
| SHA1 | 16df89d9ab87b2e0473b284bcd808109a1d5c830 |
| SHA256 | 8beeea993369162d71fc7b02b119e546430f6884e5e21dd650f7c754a98dfefe |
| SHA512 | 99982d107debd5715e40b4afac3c3f95b871aae20b4e9102a59712c5c63b1fc67a45b6c4c2413b02bae49fa8bf860d3b5dc5b597fca855632aa771c6410d8d71 |
memory/3208-140-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp
memory/4952-141-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe
| MD5 | bc9b44d8e5eb1543a26c16c2d45f8ab7 |
| SHA1 | 6486e7f0a5a6fdd35913f790af2e3effc42ee994 |
| SHA256 | 767312fe8e5224f5ab86f92dbe6bb7a9bfbab2850ff7238b88d1af753a5563ce |
| SHA512 | 50b357619d89158aeda54c759af41f7a6a37a279a53c9a2995857f4603532ac553e593a4ce4b287330cb66eb59646cac8449731965e7d4074c6217e818cc5e9e |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe
| MD5 | bc9b44d8e5eb1543a26c16c2d45f8ab7 |
| SHA1 | 6486e7f0a5a6fdd35913f790af2e3effc42ee994 |
| SHA256 | 767312fe8e5224f5ab86f92dbe6bb7a9bfbab2850ff7238b88d1af753a5563ce |
| SHA512 | 50b357619d89158aeda54c759af41f7a6a37a279a53c9a2995857f4603532ac553e593a4ce4b287330cb66eb59646cac8449731965e7d4074c6217e818cc5e9e |
memory/2768-144-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp
memory/4444-145-0x0000000000000000-mapping.dmp
memory/960-146-0x0000000000000000-mapping.dmp
memory/224-147-0x0000000000000000-mapping.dmp
memory/3128-148-0x0000000000000000-mapping.dmp
memory/1376-149-0x0000000000000000-mapping.dmp
memory/3848-150-0x0000000000000000-mapping.dmp
memory/3676-151-0x0000000000000000-mapping.dmp
memory/3664-152-0x0000000000000000-mapping.dmp
memory/2768-153-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp
memory/2672-154-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\РАСШИФРОВАТЬ ФАЙЛЫ.txtРАСШИФРОВАТЬ ФАЙЛЫ.txt
| MD5 | 2257eeabd7acd4f3fce17525c2ba93e3 |
| SHA1 | 8807bb45e47534f928a08f20520b97eaea254fff |
| SHA256 | b0d70f954eff523a253f4811051b149529b8e8a93e721e4c26cb399953b24117 |
| SHA512 | 4f9d73cdbbf9e743df442d8f87153d869be1911953a92ee4d572135ac01cd8f1fc6a962e494c4429b22da7efaf8192d5bea5614c09039a0aadd3e24b253a50fa |
C:\Users\Admin\AppData\Local\Temp\a9odwg20k.jpg
| MD5 | 3773fa0f5897ea585a8c07c4030b0b83 |
| SHA1 | 5f9c1ce9b5a00a8c219f89faa018581a37be12d2 |
| SHA256 | 75151aece601ec9160c3a006d187837cadedc95382502e19431b776042d7f12c |
| SHA512 | b25b382f99e757d64dd663fa817d9cd5f773aa04986d817fdb0ca6d658cae65f9531e8d83c52d7b5c77b37e4421451fd2f745defcb05146bbdab37b06a4f9f15 |