08f254697cab086135d454e80c0ca0c24e3982ac7d080f4fe3e9e1ba0a1e28a5

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
Size

75KB
MD5

7b68b999bb72801c25daf56a7f3d2aff
SHA1

4b06e38e03863361d993fb6a952a1a76a59262ac
SHA256

fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4
SHA512

5d2f76f7cea6a2c744c38cf70d9423b33b8977c42d06434ff6eff973fbe54465338c33099ab7ab0b57bb103a2230238c7ec7a52cf3483e9ec6cc37b0c4120d35
SSDEEP

768:D0FmBkpKjPYpcPYPR+P+3CYOyyEStf0wmWQgoUqwo8IwGKd3ybg7lyL10XI3Ou4D:DOhCOR+tYdHSsWQdJ9EEJ3CmfiViK7t

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\08M2pIO3BBkM9E9.exe"	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_amd64_neutral_668286aa35d55928\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\lsi_scsi.inf_amd64_neutral_cfbbf0b0b66ba280\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmhaeu.inf_amd64_neutral_6611a858035bf482\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ph3xibc9.inf_amd64_neutral_ff3a566e4b6ba035\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep00g.inf_amd64_neutral_2926840e245f88f6\Amd64\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0015\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\DriverStore\en-US\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\brmfcumd.inf_amd64_neutral_db43b26810939b3e\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\Ultimate\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\compositebus.inf_amd64_neutral_b9280780a8000d4b\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmeiger.inf_amd64_neutral_492d4e047d14bde9\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msdsm.inf_amd64_neutral_be2b348981b2ef17\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky003.inf_amd64_neutral_fe7ea176f20ab839\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\ras\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\wbem\en-US\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\ProfessionalE\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky308.inf_amd64_ja-jp_d90af802b607044a\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wpdmtphw.inf_amd64_neutral_a7a22bb0bb81abb0\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0006\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\EnterpriseN\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdm3com.inf_amd64_neutral_11abcf129a29fb9f\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr008.inf_amd64_neutral_0540370b0b1e348e\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky009.inf_amd64_neutral_8e54c9ff272b72f1\Amd64\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiabr00a.inf_amd64_neutral_6033065925bcc882\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\EnterpriseE\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\de-DE\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr006.inf_amd64_neutral_f156853def526447\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx002.inf_amd64_neutral_12563574abbc36eb\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\IME\imekr8\dicts\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\spp\tokens\ppdlic\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\Dism\fr-FR\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\EnterpriseN\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\WCN\it-IT\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmzyxlg.inf_amd64_neutral_14f9249844f1cf17\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\crcdisk.inf_amd64_neutral_d10626d1f8b423c3\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\Starter\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\ProfessionalN\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\amdsbs.inf_amd64_neutral_5cae6933bef20aa8\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hidbth.inf_amd64_neutral_8a1323fc68ad84af\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtx64.inf_amd64_neutral_410e89ed86071c9b\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbvideo.inf_amd64_neutral_836a6716cd56c692\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiasa002.inf_amd64_neutral_6429a42f1243419a\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0005\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomePremiumN\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\Ultimate\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx005.inf_amd64_neutral_f65eeb9bff6bd8f3\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnod002.inf_amd64_neutral_a10c656b6c7c053c\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_neutral_f935002f367d5bb0\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Starter\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\migration\de-DE\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\migration\WSMT\rras\replacementmanifests\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\ar-SA\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\divacx64.inf_amd64_neutral_fa0f82f024789743\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmdsi.inf_amd64_neutral_e77f438012239042\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmsupra.inf_amd64_neutral_c4fe81ea47c6df87\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msclmd.inf_amd64_neutral_413d17c790177eef\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\Professional\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cxraptor_fm1216mk5_ibv64.inf_amd64_neutral_3eaae75b591bd148\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00c.inf_amd64_neutral_79ebe29715d2fa47\Amd64\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wialx003.inf_amd64_neutral_db618863f9347f9a\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wpdfs.inf_amd64_neutral_fc4ebadff3a40ae4\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\SysWOW64\migration\fr-FR\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Common Files\System\en-US\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Microsoft Games\Hearts\en-US\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files (x86)\Common Files\System\MSMAPI\1033\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Common Files\System\ja-JP\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Common Files\System\ado\fr-FR\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Microsoft Games\Hearts\es-ES\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EURO\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VC\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Microsoft Games\More Games\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Microsoft Games\Chess\it-IT\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Microsoft Games\Chess\ja-JP\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Common Files\System\ado\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Microsoft Games\Chess\en-US\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Mozilla Firefox\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.GetDiagInput.Resources\1.0.0.0_de_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\amd64_netnvma.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cff5125e52430440\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\msil_microsoft.backgroun..anagement.resources_31bf3856ad364e35_6.1.7600.16385_es-es_84b8f39c803939ca\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..leshooter.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_4fcda74a85457284\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuration\091b931d0f6408001747dbbbb05dbe66\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\inf\ServiceModelService 3.0.0.0\0407\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-n..on-common.resources_31bf3856ad364e35_6.1.7600.16385_it-it_d0bf3f15369a9096\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..lperclass.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1b440aaf4eb78dc9\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\msil_microsoft.powershell.editor.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_19e163a702c644df\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\msil_taskscheduler.resources_31bf3856ad364e35_6.1.7601.17514_it-it_b0bb5af2c30c4c29\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-twext.resources_31bf3856ad364e35_6.1.7601.17514_it-it_a0fb3529939d794f\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\amd64_netbvbda.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ecc8516d58bd30df\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..erbox-isv.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7ac916d5bcc11873\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0407\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\MOF\es\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-hid-user_31bf3856ad364e35_6.1.7600.16385_none_3cf5e466d58070d9\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-processmodel.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aba32051d9b04b35\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..-binaries.resources_31bf3856ad364e35_6.1.7601.17514_sl-si_3e801d820cb4f389\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..ortingapi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_afbf2c4f31c8c9ac\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..trolpanel.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_eed392960027a512\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..lperclass.resources_31bf3856ad364e35_6.1.7600.16385_en-us_43e9d5eaf537a5d6\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\amd64_usb.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_279626901d0e291b\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\msil_microsoft.security...ionwizard.resources_31bf3856ad364e35_6.1.7601.17514_it-it_94c26612984fe6ae\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\Speech\Common\fr-FR\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-rasbase-raspptp_31bf3856ad364e35_6.1.7601.17514_none_f8152447fe76675d\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7600.16385_none_2685798050c0687a\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-shsvcs.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2d0636b8eba02a0b\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-nap-oobsha.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e8e2f26c17bb3cd5\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-adsicompatibility_31bf3856ad364e35_6.1.7600.16385_none_439022b0fb0c8466\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_6.1.7601.17514_en-us_524aef45cc8b8229\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..rtup-core.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_dfe68ff40492cd72\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-shmig_31bf3856ad364e35_6.1.7601.17514_none_bdc47f0a8dbe8711\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_pt-br_c05aebf71c48096c\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..ellprovider-nonmsil_31bf3856ad364e35_6.1.7600.16385_none_debc8992b15a04c2\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mediametadatahandler_31bf3856ad364e35_6.1.7601.17514_none_e946ed110887817a\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-tpm-tbs-core.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3d6364828cca0cab\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\amd64_mpio.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3155a42509710829\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\amd64_netfx-applaunch_exe_b03f5f7f11d50a3a_6.1.7601.17514_none_51e5e402131afc4a\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\x86_networking-mpssvc-svc.resources_31bf3856ad364e35_6.1.7601.17514_en-us_89701e1decba44ab\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Web.Routing\b9977dd97ed7006f1d7968495c594bc5\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\Globalization\MCT\MCT-AU\Theme\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-tcpip-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_32c83d2a27a41a20\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-f..allconfig-installer_31bf3856ad364e35_6.1.7600.16385_none_731e1fe6187914ea\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-netapi32_31bf3856ad364e35_6.1.7601.17514_none_eb5a2082182f6873\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..spp-tools.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1187dc0b62b80795\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\msil_microsoft.web.manag..iisclient.resources_31bf3856ad364e35_6.1.7600.16385_it-it_d6d89b16e45ae0ba\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..k-softkbd.resources_31bf3856ad364e35_6.1.7600.16385_de-de_d6907a3e37816f6e\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..r-tlntsvr.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3ae7d50c7beeefd1\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\amd64_nvraid.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_14b80611275f4a2f\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.In#\0af51d481e7c0a48e0fb5164e38e9465\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\x86_netfx-msbuild_targetfiles_b03f5f7f11d50a3a_6.1.7600.16385_none_61b8cce839a2db10\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-bits-proxy4_31bf3856ad364e35_6.1.7600.16385_none_0d39ccd1226840e2\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..l-starter.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b0b3d708ea6bfcc9\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\x86_wpf-uiautomationclient_31bf3856ad364e35_6.1.7600.16385_none_da4f4e53a29c047a\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\msil_microsoft.web.management.iis.resources_31bf3856ad364e35_6.1.7601.17514_it-it_a36e3a6951a22675\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-dssec.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5913064a54494ed7\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..cy-gptext.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f13512b29fe7bcec\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..onents-mdac-ado15-r_31bf3856ad364e35_6.1.7601.17514_none_5302da915475aafb\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-u..lperclass.resources_31bf3856ad364e35_6.1.7600.16385_en-us_203b5e1fb499032b\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..sh-helper.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1ce65a8a5424fac2\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\amd64_subsystem-for-unix-..lications.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8002fc80e6c60075\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\msil_windowsformsintegration.resources_31bf3856ad364e35_6.1.7601.17514_es-es_802f9b308c3b9581\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..stomloggingbinaries_31bf3856ad364e35_6.1.7600.16385_none_16c8c77aa702cc3f\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_afb6b99ecfc04975\HOW TO DECRYPT FILES.txt	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CrypBitsPT3	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LVXDYIOGEBPPXCE\ = "CRYPTED!"	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LVXDYIOGEBPPXCE\DefaultIcon	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LVXDYIOGEBPPXCE\shell\open\command	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LVXDYIOGEBPPXCE\shell	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LVXDYIOGEBPPXCE\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\08M2pIO3BBkM9E9.exe"	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CrypBitsPT3\ = "LVXDYIOGEBPPXCE"	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LVXDYIOGEBPPXCE	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LVXDYIOGEBPPXCE\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\08M2pIO3BBkM9E9.exe,0"	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LVXDYIOGEBPPXCE\shell\open	fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe

C:\Users\Admin\AppData\Local\Temp\fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe
"C:\Users\Admin\AppData\Local\Temp\fb4e2be09a30d71df83241949a9a827a62b903ce1f78e099882d0f6794fcf2e4.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\HOW TO DECRYPT FILES.txt

Filesize
541B

MD5
cf59be028d5f7ae4c5475bf318ad9adc

SHA1
6d15b3c3038f06b1db408135e8c95c1dc24faacc

SHA256
295cbbe85f3ff307698f56cc511d1656ad0bf468aa3a2c65c18bad459124b0f5

SHA512
5ffd25f0efb7e0b6f75ad6052efacf12b2ab12a699ad362ef94fa2b6d5393772e3f09843c7c28a050ab03f0b9e8815957087d73ecfc4f498a1049a13892f606d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads