xorist | d3d53f9f2532b7fabbd75f06c46f9e53aae2b01a5455039375e58457118a9c8a

Analysis

max time kernel
102s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-02-2023 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
Size

70KB
MD5

dc21484e6789296fd8909c2534955a26
SHA1

d93e201935263c143eb4328479e46075096cb9ea
SHA256

8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f
SHA512

ceb82b90d543a2e1d5f3ad922b5d211095653fe91371f72f9034d5c99821ed1a1022d737f8b11708982ec021ea913f15e4a37342f5df7517e45994a93faf40df
SSDEEP

768:/rVDC0PDYPR+P+3CYOyyEStf0wmWQgoUqwo8IwGKd3ybg7lyL10XI3Ou4sqwL/U/:/r4NR+tYdHSsWQdJ9EEJ3CwfiViKvt

Score

10^/10

xorist persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 11 IoCs

resource	yara_rule
behavioral1/memory/1048-301-0x0000000000400000-0x000000000042C000-memory.dmp	family_xorist
behavioral1/memory/1048-2145-0x0000000000400000-0x000000000042C000-memory.dmp	family_xorist
behavioral1/memory/1048-3461-0x0000000000400000-0x000000000042C000-memory.dmp	family_xorist
behavioral1/memory/1048-3884-0x0000000000400000-0x000000000042C000-memory.dmp	family_xorist
behavioral1/memory/1048-4794-0x0000000000400000-0x000000000042C000-memory.dmp	family_xorist
behavioral1/memory/1048-4795-0x0000000000400000-0x000000000042C000-memory.dmp	family_xorist
behavioral1/memory/1048-4796-0x0000000000400000-0x000000000042C000-memory.dmp	family_xorist
behavioral1/memory/1048-4797-0x0000000000400000-0x000000000042C000-memory.dmp	family_xorist
behavioral1/memory/1048-4798-0x0000000000400000-0x000000000042C000-memory.dmp	family_xorist
behavioral1/memory/1048-4799-0x0000000000400000-0x000000000042C000-memory.dmp	family_xorist
behavioral1/memory/1048-4800-0x0000000000400000-0x000000000042C000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist

Drops file in Drivers directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1048-301-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/1048-2145-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/1048-3461-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/1048-3884-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/1048-4794-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/1048-4795-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/1048-4796-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/1048-4797-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/1048-4798-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/1048-4799-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/1048-4800-0x0000000000400000-0x000000000042C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\08M2pIO3BBkM9E9.exe"	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\mdmcpv.inf_amd64_neutral_5667cca434e3a6b7\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx003.inf_amd64_neutral_d1510a8315a2ea0d\Amd64\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\migwiz\it-IT\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\Starter\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep00c.inf_amd64_neutral_f0d9ddf52f04765c\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky308.inf_amd64_ja-jp_d90af802b607044a\Amd64\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiabr006.inf_amd64_neutral_0232ca4f23224d01\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\HomePremiumN\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\Setup\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmdcm6.inf_amd64_neutral_b1db427ce3d2a1b4\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netk57a.inf_amd64_neutral_8b26ad5d0cc037a9\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00y.inf_amd64_neutral_977318f2317f5ddd\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\unknown.inf_amd64_neutral_5eb6ac70dd1a3ad0\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\sti.inf_amd64_neutral_9d9a7113099a28a2\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\wbem\xml\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\WCN\fr-FR\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\DriverStore\ja-JP\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmcm28.inf_amd64_neutral_d3fa0f62d3d7cea1\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\Ultimate\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomeBasic\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\UltimateE\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netathrx.inf_amd64_neutral_905772087ff288af\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\040c\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\WCN\ja-JP\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wd.inf_amd64_neutral_759109899b486d47\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\UltimateE\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\Msdtc\Trace\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\HomePremiumN\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\lsi_fc.inf_amd64_neutral_a7088f3644ca646a\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmaiwat.inf_amd64_neutral_213e93b5ced8b0fe\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep00d.inf_amd64_neutral_dd61103f3a2743d4\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\HomeBasicN\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\StarterE\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0014\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\it-IT\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\com\en-US\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky304.inf_amd64_ja-jp_1b1a158086a263a4\Amd64\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc003.inf_amd64_neutral_47e09b7cc0d9e993\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmusrg.inf_amd64_neutral_814744dd97ccf09f\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00x.inf_amd64_neutral_808baf4e08594a59\Amd64\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\EnterpriseE\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\HomeBasicN\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\es-ES\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\Starter\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\HomeBasicE\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmcpq.inf_amd64_neutral_fbc4a14a6a13d0c8\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmnttme.inf_amd64_neutral_ece4b1cc5aee6a38\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prngt004.inf_amd64_neutral_f5bf8a7ba9dfff55\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc004.inf_amd64_neutral_bbd3435eeaf576ee\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\iirsp2.inf_amd64_neutral_9ed65fe0bab06b1b\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsv002.inf_amd64_neutral_6ca80563d6148ee5\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\Professional\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\nl-NL\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\en-US\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\averhbh826_noaverir_x64.inf_amd64_neutral_2fe3b14136d6e46d\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnts003.inf_amd64_neutral_33a68664c7e7ae4b\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\UltimateN\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\HomePremiumN\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\StarterN\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wdmvsc.inf_amd64_neutral_a2cf745000e2ea92\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\HomeBasicE\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\Starter\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\Common Files\System\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\Windows NT\TableTextService\es-ES\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\Common Files\System\es-ES\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\VideoLAN\VLC\lua\modules\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\Windows Media Player\de-DE\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files (x86)\Common Files\System\ado\es-ES\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_divacx64.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a639398e05431496\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-appwiz_31bf3856ad364e35_6.1.7601.17514_none_69ec3dec3d85b086\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..iagnostic.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_f3250f5cd121dc4e\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..scheduled.resources_31bf3856ad364e35_6.1.7600.16385_de-de_3027d9ce4248ee1a\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..r-tlntsvr.resources_31bf3856ad364e35_6.1.7600.16385_de-de_054c35e9c2e5f687\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_wcf-system.io.log_b03f5f7f11d50a3a_6.1.7600.16385_none_6747ad3062edf0b3\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\inf\usbhub\0C0A\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MUI\040C\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_elxstor.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_27f32947dd73edb6\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..ehprivjob.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_21a924e803f68af4\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_29b7ce69634b90ae\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.1.7600.16385_none_d911df4e81059b22\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..d-chinese-shuangpin_31bf3856ad364e35_6.1.7600.16385_none_7aab2462f08e2d02\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7601.17514_es-es_588ed2f5c59731da\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..onal-codepage-20002_31bf3856ad364e35_6.1.7600.16385_none_ad832f27004e05fb\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-u..rsalcrt-apifwd-win7_31bf3856ad364e35_6.1.7601.18972_none_a9a51144251fb166\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\msil_system.resources_b77a5c561934e089_6.1.7601.17514_de-de_3a7bde6078e3bca5\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..onal-codepage-20106_31bf3856ad364e35_6.1.7600.16385_none_ad57d8af006e8f60\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mail-app.resources_31bf3856ad364e35_6.1.7600.16385_it-it_6eed53913761f98e\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-user-pnpevents_31bf3856ad364e35_6.1.7600.16385_none_5bb427e315bff96c\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-xwizards.resources_31bf3856ad364e35_6.1.7600.16385_en-us_422c9f9a3bec75c0\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-a..wdm-audio.resources_31bf3856ad364e35_6.1.7600.16385_it-it_fd34f8922d591280\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Data.Entity.resources\3.5.0.0_es_b77a5c561934e089\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-waitfor.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e073611e2a5088c9\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..ction-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_d69edde14c81daa9\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-vssproxystub_31bf3856ad364e35_6.1.7600.16385_none_3092767d8b44f463\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\inf\de-DE\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-certutil.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b8c287ad020dcf15\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Data.Services.resources\3.5.0.0_it_b77a5c561934e089\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..diafoundationplugin_31bf3856ad364e35_6.1.7601.17514_none_7a6b897811df690c\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..tfmonitor.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b341d56145c1df1a\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-gamesp.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_391951119116a53b\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ormancebasecounters_31bf3856ad364e35_6.1.7600.16385_none_97bcd9bcab2b9b3a\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-dpapi-keys.resources_31bf3856ad364e35_6.1.7600.16385_de-de_3fd23ebd985895cc\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..oldertool.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_11c81aefa707c6a1\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-r..tymanager.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0475772d6b8462f3\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..tkeyboard.resources_31bf3856ad364e35_6.1.7600.16385_en-us_441e533e5fd46b57\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..xtensions.resources_31bf3856ad364e35_6.1.7600.16385_it-it_85f6ad66bd1a90cb\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\msil_system.servicemodel.resources_b77a5c561934e089_6.1.7601.17514_es-es_261bbc17b6aa8d4f\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-cpfilters.resources_31bf3856ad364e35_6.1.7600.16385_it-it_11521d321083d211\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-e..host-peer.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_58c73f7a3f1b3297\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-f..e-arabictypesetting_31bf3856ad364e35_6.1.7600.16385_none_ac30f980e1dc3fac\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-00000412_31bf3856ad364e35_6.1.7600.16385_none_43a886587d9fde59\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..cess-control-driver_31bf3856ad364e35_6.1.7600.16385_none_22f4887244c226bd\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\msil_microsoft.powershel..s.utility.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5442f6186a1fc0ae\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-sharing.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c067b1f64e19b4f1\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ncsi_31bf3856ad364e35_6.1.7600.16385_none_08979b3a32950ffa\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\servicing\it-IT\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-c..snapindll.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e4cd28cf884ea080\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..mogrifier.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8e362b25865b31d2\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-eventcreate.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_16ee1a44d3e58011\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\assembly\GAC_MSIL\EventViewer.Resources\6.1.0.0_fr_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..ervices-wmiprovider_31bf3856ad364e35_6.1.7601.17514_none_4957978495a0d0c0\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_netr7364.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_57f6f35af17d3f59\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_de-de_5ebcae451cfaedaf\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..layer-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3e7b175e3720aace\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..ic-module.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6e8e7629e72640d3\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-xwizards.resources_31bf3856ad364e35_6.1.7600.16385_it-it_72b8cd404db9f20f\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-r..lelevated.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ce201b940a7d6ea5\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ty-spp-ux.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f75db5c8082c7dd5\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..executionprevention_31bf3856ad364e35_6.1.7600.16385_none_c9b9bfc685ed05d3\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-appwin.resources_31bf3856ad364e35_6.1.7600.16385_es-es_579f12b3962a0f4c\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_53b2bc0371bdfaf0\HOW TO DECRYPT FILES.txt	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LVXDYIOGEBPPXCE\DefaultIcon	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LVXDYIOGEBPPXCE\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\08M2pIO3BBkM9E9.exe,0"	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LVXDYIOGEBPPXCE\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\08M2pIO3BBkM9E9.exe"	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CrypBitsPT3	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LVXDYIOGEBPPXCE\ = "CRYPTED!"	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LVXDYIOGEBPPXCE\shell\open\command	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LVXDYIOGEBPPXCE\shell	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LVXDYIOGEBPPXCE\shell\open	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CrypBitsPT3\ = "LVXDYIOGEBPPXCE"	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LVXDYIOGEBPPXCE	8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe

C:\Users\Admin\AppData\Local\Temp\8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe
"C:\Users\Admin\AppData\Local\Temp\8fbb2c5c20d0a00d1c4ba43d5209e6e3871b98207b03f1aa7483476c1355a12f.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1048

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW TO DECRYPT FILES.txt
1⤵
PID:948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\HOW TO DECRYPT FILES.txt

Filesize
541B

MD5
cf59be028d5f7ae4c5475bf318ad9adc

SHA1
6d15b3c3038f06b1db408135e8c95c1dc24faacc

SHA256
295cbbe85f3ff307698f56cc511d1656ad0bf468aa3a2c65c18bad459124b0f5

SHA512
5ffd25f0efb7e0b6f75ad6052efacf12b2ab12a699ad362ef94fa2b6d5393772e3f09843c7c28a050ab03f0b9e8815957087d73ecfc4f498a1049a13892f606d

Download Submit
C:\Users\Admin\Desktop\HOW TO DECRYPT FILES.txt

Filesize
541B

MD5
cf59be028d5f7ae4c5475bf318ad9adc

SHA1
6d15b3c3038f06b1db408135e8c95c1dc24faacc

SHA256
295cbbe85f3ff307698f56cc511d1656ad0bf468aa3a2c65c18bad459124b0f5

SHA512
5ffd25f0efb7e0b6f75ad6052efacf12b2ab12a699ad362ef94fa2b6d5393772e3f09843c7c28a050ab03f0b9e8815957087d73ecfc4f498a1049a13892f606d

Download Submit
memory/1048-4795-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1048-3461-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1048-3884-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1048-4794-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1048-2145-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1048-4796-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1048-4797-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1048-4798-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1048-4799-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1048-4800-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1048-301-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download