Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
24-01-2023 21:01
Behavioral task
behavioral1
Sample
307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
Resource
win7-20220812-en
windows7-x64
13 signatures
150 seconds
Behavioral task
behavioral2
Sample
307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
17 signatures
150 seconds
General
-
Target
307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe
-
Size
14KB
-
MD5
4a42f739ce694db7b3cdd3c233ce7fb1
-
SHA1
68fcc99e719b57308c9b1b3d4eef91dec62d02e5
-
SHA256
307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b
-
SHA512
15137fdc43519be2e83346d7a07c84d439e4da22e328722cb3da6bf1bcfbf584b2594901582ddf6ea363ae515e37cb1f32c407a8ebfe747a13562de927f92f54
-
SSDEEP
384:0prr1gkDCgSZ75pbB7E68AvXIHqe939g83FMENKsB:arVDCp/h8QIOwiO
Score
10/10
Malware Config
Extracted
Path
C:\$Recycle.Bin\S-1-5-21-2295526160-1155304984-640977766-1000\HOW TO DECRYPT FILES.txt
Ransom Note
All your important files were encrypted on this computer.
You can verify this by click on see files an try open them.
Encrtyption was produced using unique KEY generated for this computer.
To decrypted files, you need to otbtain private key.
The single copy of the private key, with will allow you to decrypt the files, is locate on a secret server on the internet;
The server will destroy the key within 24 hours after encryption completed.
Payment have to be made in maxim 24 hours
To retrieve the private key, you need to pay 3 BITCOINS
Bitcoins have to be sent to this address: 1NJNG57hFPPcmSmFYbxKmL33uc5nLwYLCK
After you've sent the payment send us an email to : [email protected] with subject : ERROR-ID-63100778(3BITCOINS)
If you are not familiar with bitcoin you can buy it from here :
SITE : www.localbitcoin.com
After we confirm the payment , we send the private key so you can decrypt your system.
Emails
Wallets
1NJNG57hFPPcmSmFYbxKmL33uc5nLwYLCK
Signatures
-
Detected Xorist Ransomware 2 IoCs
resource yara_rule behavioral2/memory/4808-133-0x0000000000400000-0x000000000040F000-memory.dmp family_xorist behavioral2/memory/4808-134-0x0000000000400000-0x000000000040F000-memory.dmp family_xorist -
Xorist Ransomware
Xorist is a ransomware first seen in 2020.
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
resource yara_rule behavioral2/memory/4808-133-0x0000000000400000-0x000000000040F000-memory.dmp upx behavioral2/memory/4808-134-0x0000000000400000-0x000000000040F000-memory.dmp upx -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\en6n2s2nFSTC0R9.exe" 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Admin\Music\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Public\Desktop\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files (x86)\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Public\Libraries\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Admin\Links\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\Downloaded Program Files\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\Media\Desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Admin\Videos\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Public\Documents\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Public\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\Offline Web Pages\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-2295526160-1155304984-640977766-1000\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Admin\Documents\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Public\Music\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Users\Public\Pictures\desktop.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe -
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\regedit.exe 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ta-IN\View3d\HOW TO DECRYPT FILES.txt 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\SharedLibrary.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SplashWideTile.scale-125_contrast-white.png 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-72_contrast-white.png 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\HOW TO DECRYPT FILES.txt 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-48_altform-unplated_contrast-black_devicefamily-colorfulunplated.png 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-ma\ui-strings.js 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\mso50imm.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.views_3.7.0.v20140408-0703.jar 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Net.Resources.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Cloud.png 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\STSCOPY.DLL 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Speech\en-US\HOW TO DECRYPT FILES.txt 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_zh_4.4.0.v20140623020002.jar 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BOOKOS.TTF 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\msolap_xl.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailLargeTile.scale-400.png 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\close.svg 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\as90.xsl 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-200_contrast-black.png 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailLargeTile.scale-125.png 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-40.png 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\LargeTile.scale-200_contrast-black.png 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\da.pak.DATA 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.vi-vn.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\Internet Explorer\ja-JP\ieinstal.exe.mui 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pj11icon.exe 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\nb.pak.DATA 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_5_Loud.m4a 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\nl-nl\HOW TO DECRYPT FILES.txt 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\Windows Media Player\de-DE\wmplayer.exe.mui 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ar-SA\View3d\3DViewerProductDescription-universal.xml 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCacheMini.scale-200.png 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-16_altform-unplated_contrast-high.png 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-16_contrast-black.png 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_ar.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUAI.TTF 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\x64\HOW TO DECRYPT FILES.txt 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-40_altform-unplated.png 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-16_altform-unplated.png 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-16.png 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_zh_4.4.0.v20140623020002.jar 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File created C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\HOW TO DECRYPT FILES.txt 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\penjpn.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-20.png 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Call_Connecting_Loud.m4a 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Info2x.png 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File created C:\Program Files\Windows Defender\it-IT\HOW TO DECRYPT FILES.txt 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\HOW TO DECRYPT FILES.txt 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EMLAttachmentIcon.png 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-20_altform-unplated.png 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\HOW TO DECRYPT FILES.txt 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\go-mobile.png 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\close-2.svg 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_zh_4.4.0.v20140623020002.jar 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-80.png 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\HOW TO DECRYPT FILES.txt 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsSplashScreen.contrast-black_scale-125.png 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\1041\Microsoft.VisualBasic.Activities.CompilerUI.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\fr\System.Security.Resources.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\fr\System.Speech.resources.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\JA\JSC.Resources.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W708fc392#\e0d84dc25c6b76503171beec9d740dde\Microsoft.Windows.Diagnosis.Commands.WriteDiagProgress.ni.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\es-ES_BitLockerToGo.exe.mui 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Services.Design.resources\v4.0_4.0.0.0_it_b77a5c561934e089\HOW TO DECRYPT FILES.txt 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File created C:\Windows\assembly\GAC_MSIL\System.Web.Entity.Resources\3.5.0.0_es_b77a5c561934e089\HOW TO DECRYPT FILES.txt 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\INF\kscaptur.inf 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\HOW TO DECRYPT FILES.txt 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\servicing\it-IT\TrustedInstaller.exe.mui 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\INF\BITS\0000\bitsctrs.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\PerfCounter.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\GAC\es\HOW TO DECRYPT FILES.txt 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\Fonts\GOTHICI.TTF 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\Media\Windows Hardware Insert.wav 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\INF\UGatherer\040C\gsrvctr.ini 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\alink.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Data.Linq.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File created C:\Windows\assembly\GAC_MSIL\System.Core.Resources\3.5.0.0_de_b77a5c561934e089\HOW TO DECRYPT FILES.txt 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\INF\c_swdevice.inf 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-DirectPlay-OC-Opt-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\3082\vbc7ui.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\HOW TO DECRYPT FILES.txt 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\ImmersiveControlPanel\images\Extras.png 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\alink.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Resources.Writer.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-Client-AssignedAccess-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File created C:\Windows\assembly\GAC_MSIL\System.Printing.Resources\3.0.0.0_fr_31bf3856ad364e35\HOW TO DECRYPT FILES.txt 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\INF\netvwwanmp.inf 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\servicing\Packages\HyperV-Storage-VSP-merged-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-Client-AssignedAccess-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File created C:\Windows\diagnostics\system\WindowsMediaPlayerConfiguration\de-DE\HOW TO DECRYPT FILES.txt 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\es\aspnet_rc.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.ApplicationId.Framework.Resources\v4.0_10.0.0.0_es_31bf3856ad364e35\HOW TO DECRYPT FILES.txt 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp.resources\v4.0_4.0.0.0_es_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.DataVisualization\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.DataVisualization.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Entity\v4.0_4.0.0.0__b77a5c561934e089\HOW TO DECRYPT FILES.txt 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\INF\mdmgl004.inf 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File created C:\Windows\INF\MSDTC Bridge 4.0.0.0\0407\HOW TO DECRYPT FILES.txt 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\servicing\Packages\Containers-DisposableClientVM-merged-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File created C:\Windows\assembly\GAC_MSIL\System.ServiceModel.Web.Resources\3.5.0.0_it_31bf3856ad364e35\HOW TO DECRYPT FILES.txt 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Access.Dao\15.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.Access.Dao.config 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\es\System.Dynamic.resources.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\System.ServiceModel.resources.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.AppV.AppVClientWmi\v4.0_10.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices.AccountManagement.resources\v4.0_4.0.0.0_es_b77a5c561934e089\System.DirectoryServices.AccountManagement.resources.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Drawing.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd518ee0d#\35da45d13c5581cadfd0546af1ffa6e9\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.ni.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Log.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\PLA\Rules\ja-JP\Rules.System.Network.xml 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\PLA\Rules\Rules.System.Disk.xml 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\servicing\Packages\HyperV-HvSocket-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File created C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources\1.0.0.0_de_31bf3856ad364e35\HOW TO DECRYPT FILES.txt 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\PLA\Rules\de-DE\Rules.System.Common.xml 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\webengine4.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallCommon.sql 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\System.Runtime.Remoting.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\es\System.EnterpriseServices.resources.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\JSC.resources.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe File opened for modification C:\Windows\assembly\GAC_MSIL\System.Web.Mobile.Resources\2.0.0.0_es_b03f5f7f11d50a3a\System.Web.Mobile.resources.dll 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1832 2976 WerFault.exe 35 -
Modifies registry class 11 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHIIFQHRNPIFYZO\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\en6n2s2nFSTC0R9.exe" 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHIIFQHRNPIFYZO 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHIIFQHRNPIFYZO\ = "CRYPTED!" 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHIIFQHRNPIFYZO\shell\open\command 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHIIFQHRNPIFYZO\shell 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHIIFQHRNPIFYZO\shell\open 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\[email protected] 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\[email protected]\ = "BHIIFQHRNPIFYZO" 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHIIFQHRNPIFYZO\DefaultIcon 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHIIFQHRNPIFYZO\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\en6n2s2nFSTC0R9.exe,0" 307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2295526160-1155304984-640977766-1000\{BCFD4AD0-EA4F-401A-A3BF-2540221D6879} explorer.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeShutdownPrivilege 4292 explorer.exe Token: SeCreatePagefilePrivilege 4292 explorer.exe Token: SeShutdownPrivilege 4292 explorer.exe Token: SeCreatePagefilePrivilege 4292 explorer.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 4292 explorer.exe 4292 explorer.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 4292 explorer.exe 4292 explorer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe"C:\Users\Admin\AppData\Local\Temp\307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.bin.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:4808
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 428 -p 2976 -ip 29761⤵PID:1552
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2976 -s 29161⤵
- Program crash
PID:1832
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4292
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5183a3c38b0cecfec6e071e5e0230c9d5
SHA1512f4f9f160af1a4097d087a8537c286dd19783e
SHA256dbcb7097128d51acaf60685dc7bb849d57499d4ce521e584166421f6d17a3cc1
SHA51241f4510596979981d2fd13c20974af7a1a6a3f9ab205c54753f92bee3b75b7c2e65d5292db0b9ee932dede48c1b3e10074c2a7a6509cd00dabc2e169467e36c4