xorist | 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b

Analysis

max time kernel
151s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-01-2023 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
Size

14KB
MD5

4a42f739ce694db7b3cdd3c233ce7fb1
SHA1

68fcc99e719b57308c9b1b3d4eef91dec62d02e5
SHA256

307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b
SHA512

15137fdc43519be2e83346d7a07c84d439e4da22e328722cb3da6bf1bcfbf584b2594901582ddf6ea363ae515e37cb1f32c407a8ebfe747a13562de927f92f54
SSDEEP

384:0prr1gkDCgSZ75pbB7E68AvXIHqe939g83FMENKsB:arVDCp/h8QIOwiO

Score

10^/10

xorist persistence ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\HOW TO DECRYPT FILES.txt

Ransom Note

All your important files were encrypted on this computer. You can verify this by click on see files an try open them. Encrtyption was produced using unique KEY generated for this computer. To decrypted files, you need to otbtain private key. The single copy of the private key, with will allow you to decrypt the files, is locate on a secret server on the internet; The server will destroy the key within 24 hours after encryption completed. Payment have to be made in maxim 24 hours To retrieve the private key, you need to pay 3 BITCOINS Bitcoins have to be sent to this address: 1NJNG57hFPPcmSmFYbxKmL33uc5nLwYLCK After you've sent the payment send us an email to : [email protected] with subject : ERROR-ID-63100778(3BITCOINS) If you are not familiar with bitcoin you can buy it from here : SITE : www.localbitcoin.com After we confirm the payment , we send the private key so you can decrypt your system.

Emails

[email protected]

Wallets

1NJNG57hFPPcmSmFYbxKmL33uc5nLwYLCK

Signatures

Detected Xorist Ransomware 2 IoCs

resource	yara_rule
behavioral1/memory/2020-56-0x0000000000400000-0x000000000040F000-memory.dmp	family_xorist
behavioral1/memory/2020-57-0x0000000000400000-0x000000000040F000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist

Drops file in Drivers directory 46 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2020-56-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2020-57-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\en6n2s2nFSTC0R9.exe"	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTOVLSHV\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\Media\Garden\Desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\NWV1K27G\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6THCX874\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\Media\Delta\Desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Public\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\OF1EYD7L\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\Media\Savanna\Desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\Media\Festival\Desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\Media\Landscape\Desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8PENRVY0\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\atl100.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPMCPBP6.CFG	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_neutral_aad30bdeec04ea5e\amdide.sys	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx002.inf_amd64_neutral_12563574abbc36eb\Amd64\LEXC762.PPD	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\en-US\sxs.dll.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WindowsFoundation-LanguagePack-Package~31bf3856ad364e35~amd64~en-US~6.1.7600.16385.cat	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Base-WinIP-Package~31bf3856ad364e35~amd64~tr-TR~7.1.7601.16492.cat	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\catroot2\dberr.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\DisplaySwitch.exe.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp6500at.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc00a.inf_amd64_neutral_565c5d04cc520c48\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ramdisk.inf_amd64_neutral_798b5d4dd3f22a07\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~amd64~~8.0.7600.16385.cat	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\de\AuthFWWizFwk.Resources.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\sdbinst.exe.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WindowsFoundation-LanguagePack-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.cat	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnok302.inf_amd64_ja-jp_708c81a8b0ad8846\Amd64\OK9300_5.PPD	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-service-management-l2-1-0.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package~31bf3856ad364e35~amd64~lt-LT~7.1.7601.16492.cat	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00x.cat	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\mmcbase.dll.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\en-US\tbssvc.dll.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\newdev.exe.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\en-US\compstui.dll.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Branding-Ultimate-Client-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\iscsicpl.exe.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brci14a.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00f.inf_amd64_neutral_777b6911d18869b7\Amd64\CNBJOP84.DLL	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngt004.inf_amd64_neutral_f5bf8a7ba9dfff55\Amd64\GS4172E3.PPD	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpzc3w71.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsv004.inf_amd64_neutral_fc4526bbfbd5feb1\Amd64\SA380903.PPD	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientExtensions-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\cdosys.dll.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\fde.dll.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\nlmgp.dll.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\vds.exe.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\en-US\setupcln.dll.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MobilePC-Client-SideShow-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\WinSCard.dll.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiaxx002.inf_amd64_neutral_fbe080a7dd77c4a3\xrWPusd.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\msobjs.dll.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\Brmf2wia.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\prnhp002.inf	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-BLB-Client-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.cat	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\SystemPropertiesPerformance.exe.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnts003.inf_amd64_neutral_33a68664c7e7ae4b\prnts003.cat	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\en-US\basecsp.dll.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\61883.inf_amd64_neutral_a64d66bac757464c\61883.sys	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep003.inf_amd64_neutral_92ed2d842e0dd4ea\PRNEP003.CAT	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc006.inf_amd64_neutral_7e12a60cc98d3f89\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Help-Customization-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdminfot.inf_amd64_neutral_fc6bcd80e9e6a3c3\mdminfot.inf	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nulhpopr.inf_amd64_neutral_e078ec466987bb3b\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08ab.bcm	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpb8500t.vdf	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-IIS-WebServer-AddOn-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\prflbmsg.dll.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\systemcpl.dll.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hidir.inf_amd64_neutral_5b48c4b1b49ca54a\hidir.sys	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\bitsadmin.exe	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00b.inf_amd64_neutral_4412894f52d39895\Amd64\CNBBR342.DLL	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc007.inf_amd64_neutral_2df575afa0f7d35f\Amd64\RI4171E3.PPD	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Windows\SysWOW64\el-GR\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\SysWOW64\en-US\schtasks.exe.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_zh_CN.jar	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_zh_CN.jar	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libposterize_plugin.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\calendar.css	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14867_.GIF	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Abstractions.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado15.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonSubpicture.png	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaBrightDemiBold.ttf	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\5.png	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.KR.XML	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Design.resources.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\AUTHZAX.DLL	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libpng_plugin.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\CERTINTL.DLL	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Program Files\DVD Maker\fr-FR\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\F12.dll.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\de-DE\Hearts.exe.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\MSMAPI\1033\MSMAPI32.DLL	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\1.png	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\skchui.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\+Connect to New Data Source.odc	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\localizedSettings.css	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\LightSpirit.css	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\library.js	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\3.png	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Origin.xml	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImage.jpg	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\DirectDB.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15132_.GIF	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_zh_4.4.0.v20140623020002.jar	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblend_plugin.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sendopts.xml	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsColorChart.html	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SOCIALCONNECTOR.DLL	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_over.png	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_lt.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\utilityfunctions.js	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-uisupport.jar	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\Xusage.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libwebvtt_plugin.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\37.png	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_OFF.GIF	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\0.png	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\SmallLogoCanary.png	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_zh_4.4.0.v20140623020002.jar	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\corbeli.ttf	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\ja-JP\hh.exe.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\SbsNclPerf.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Drawing.resources\2.0.0.0_ja_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\a415a146afc72f13f691f69a11ab5609\Microsoft.Vsa.ni.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\diagnostics\system\WindowsMediaPlayerPlayDVD\ja-JP\DiagPackage.dll.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PresentationHost_v0400.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-VirtualXP-Licensing-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv14b62006#\2c7e795fb7d690d3b8931d360e4ce7f5\System.ServiceModel.Activation.ni.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\Boot\EFI\pt-PT\bootmgr.efi.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml.Serialization\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.Serialization.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\Media\Quirky\Desktop.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.Numerics.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\PLA\Rules\ja-JP\Rules.System.Memory.xml	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\diagnostics\index\AudioPlaybackDiagnostic.xml	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Windows\diagnostics\system\WindowsMediaPlayerMediaLibrary\fr-FR\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\Media\Delta\Windows Logon Sound.wav	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\servicing\Editions\ProfessionalEdition.xml	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-RemoteFX-RemoteClient-Setup-LanguagePack~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.cat	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data.Service#\5d81c3e6fa9f3f78cd8d06d8cf2caff0\System.Data.Services.Client.ni.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\security_watermark.jpg	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ServiceModel.Channels.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-BLB-Client-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.cat	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-UIAnimation-WinIP-Package~31bf3856ad364e35~amd64~sk-SK~7.1.7601.16492.cat	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.ApplicationId.Framework.Resources\6.1.0.0_fr_31bf3856ad364e35\Microsoft.ApplicationId.Framework.Resources.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.GroupPolicy.Reporting.Resources\2.0.0.0_en_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\ehome\ehiwmp.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\System.Printing\v4.0_4.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\de\MSBuild.resources.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Styles\NTSC\Symphony\Symphony\Symphony.psd	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.4763\GABRIOLA.TTF	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\App_LocalResources\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\web_mediumtrust.config	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell.Resources\1.0.0.0_ja_31bf3856ad364e35\Microsoft.PowerShell.Gpowershell.resources.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management.Resources\1.0.0.0_de_31bf3856ad364e35\Microsoft.WSMan.Management.resources.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_es_b77a5c561934e089\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\inf\mdmgsm.inf	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\inf\mdmmot64.inf	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\App_LocalResources\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\App_Code\ProvidersPage.cs	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\83e220cceaab3e2595510ccaeb5f01c1\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\Fonts\app936.fon	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\inf\faxcn001.inf	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\inf\ASP.NET\0005\aspnet_perf2.ini	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.ServiceModel.Duplex.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package-MiniLP~31bf3856ad364e35~amd64~en-GB~7.1.7601.16492.cat	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Data.OracleClient.resources\2.0.0.0_it_b77a5c561934e089\System.Data.OracleClient.resources.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Windows\ehome\CreateDisc\Components\tables\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Windows\Help\Windows\en-US\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\inf\mdmdcm6.inf	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~ar-SA~7.1.7601.16492.cat	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-WinIP-Package~31bf3856ad364e35~amd64~hr-HR~7.1.7601.16492.cat	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\diagnostics\system\WindowsMediaPlayerConfiguration\de-DE\DiagPackage.dll.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\Media\Windows Information Bar.wav	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\es\System.Data.Resources.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\es-ES\PresentationHostDLL.dll.mui	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks.resources\2.0.0.0_it_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Windows.Presentation.resources\3.5.0.0_ja_b77a5c561934e089\System.Windows.Presentation.resources.dll	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHIIFQHRNPIFYZO\ = "CRYPTED!"	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHIIFQHRNPIFYZO\DefaultIcon	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHIIFQHRNPIFYZO\shell	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHIIFQHRNPIFYZO\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\en6n2s2nFSTC0R9.exe"	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\[email protected]\ = "BHIIFQHRNPIFYZO"	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHIIFQHRNPIFYZO	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHIIFQHRNPIFYZO\shell\open\command	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHIIFQHRNPIFYZO\shell\open	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\[email protected]	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHIIFQHRNPIFYZO\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\en6n2s2nFSTC0R9.exe,0"	307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe

C:\Users\Admin\AppData\Local\Temp\307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
"C:\Users\Admin\AppData\Local\Temp\307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\desktop.ini

Filesize
129B

MD5
183a3c38b0cecfec6e071e5e0230c9d5

SHA1
512f4f9f160af1a4097d087a8537c286dd19783e

SHA256
dbcb7097128d51acaf60685dc7bb849d57499d4ce521e584166421f6d17a3cc1

SHA512
41f4510596979981d2fd13c20974af7a1a6a3f9ab205c54753f92bee3b75b7c2e65d5292db0b9ee932dede48c1b3e10074c2a7a6509cd00dabc2e169467e36c4

Download Submit
memory/2020-54-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download
memory/2020-56-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2020-57-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads