xorist | a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96

General

Target

a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
Size

360KB
MD5

d18e67d2a58494b2c71b89cacffb2194
SHA1

c1ad5621e0c215a31d10f181c0e9ab3871dcf64d
SHA256

a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96
SHA512

b2c1f6330558d77dd87f81470e0fe9c1b9d1849f621be829c67fe8d52e7d2c2304ca68f0a97e0a5cc409f16d0458cf051739fdd43e78c0b453a9ad466723a7b1
SSDEEP

6144:0sNDYMXrZmzkIZxXn+cAhokJ8zlSOC0b4RHHrpncsZzw1RXE2BYrMEhh3WnM/t9L:0CLNbInn+cw8NNiH9ncsNw1DBYZwnat0

Score

10^/10

xorist persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2844-4755-0x0000000000400000-0x0000000000520000-memory.dmp	family_xorist
behavioral1/memory/2844-4767-0x0000000000400000-0x0000000000520000-memory.dmp	family_xorist
behavioral1/memory/2844-4857-0x0000000000400000-0x0000000000520000-memory.dmp	family_xorist
behavioral1/memory/2844-4858-0x0000000000400000-0x0000000000520000-memory.dmp	family_xorist
behavioral1/memory/2844-4861-0x0000000000400000-0x0000000000520000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Xorist family
xorist

Drops file in Drivers directory 7 IoCs

Processes:

a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe

Drops startup file 1 IoCs

Processes:

a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\R4r5E8RBfwmV5am.exe"	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe

Drops file in System32 directory 64 IoCs

Processes:

a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\cxfalcon_ibv64.inf_amd64_neutral_d065aec3fcf4ec4e\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomePremium\license.rtf	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\_Default\HomePremiumE\license.rtf	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\eval\HomeBasicE\license.rtf	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00i.inf_amd64_neutral_09ff5ee0a0cf0233\Amd64\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Licenses\OEM\Enterprise\license.rtf	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\UltimateN\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00w.inf_amd64_neutral_d4c93bb2fbf75723\Amd64\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\ProfessionalE\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomePremiumN\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\HomePremium\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nettun.inf_amd64_neutral_bd24fb174fabec97\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky007.inf_amd64_neutral_e637699044f367f3\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky305.inf_amd64_ja-jp_4d77cc4802b17ec3\Amd64\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wpdmtphw.inf_amd64_neutral_a7a22bb0bb81abb0\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ws3cap.inf_amd64_neutral_eeaccb8f1560f5fb\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\StarterE\license.rtf	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\System32\DriverStore\FileRepository\arcsas.inf_amd64_neutral_c763887719bed95d\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmbr005.inf_amd64_neutral_d140721f97061bba\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmct.inf_amd64_neutral_15bb3ed734fbbeb3\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\eval\Ultimate\license.rtf	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\EnterpriseE\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Ultimate\license.rtf	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\SysWOW64\migwiz\PostMigRes\data\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\OEM\HomeBasic\license.rtf	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\eval\HomeBasicN\license.rtf	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\ProfessionalE\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\HomeBasic\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cdrom.inf_amd64_neutral_0b3d0d1942ab684b\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmdf56f.inf_amd64_neutral_26a79521b746fc31\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00e.inf_amd64_neutral_651eeed98428be5e\Amd64\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\EnterpriseE\license.rtf	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\SysWOW64\IME\IMETC10\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\Enterprise\license.rtf	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\StarterN\license.rtf	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomePremiumN\license.rtf	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_neutral_4616c3de1949be6d\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\SysWOW64\en\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr00a.inf_amd64_neutral_e7f3f91e6832ef5c\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomePremiumE\license.rtf	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hidirkbd.inf_amd64_neutral_2b561a02e977e2e3\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmaus.inf_amd64_neutral_5fa4270b9924b918\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00a.inf_amd64_neutral_a89d2c01c0f43dfd\Amd64\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-WMI-Core\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hpoa1ss.inf_amd64_neutral_8cae09a2238d64e0\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\System32\DriverStore\FileRepository\tdibth.inf_amd64_neutral_6ad685957123daf1\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomeBasicE\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\ja-JP\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\SysWOW64\winrm\0410\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbprint.inf_amd64_neutral_54948be2bc4bcdd1\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\SysWOW64\es-ES\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\StarterE\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\HomeBasicE\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaca00i.inf_amd64_neutral_de104aaa48ee4b00\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\EnterpriseN\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\eval\Starter\license.rtf	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\_Default\HomeBasic\license.rtf	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-msmq-messagingcoreservice\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netg664.inf_amd64_neutral_b4e8ccc6ba210e97\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kkmpceehkmppbejm.bmp"	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2844-2-0x0000000000400000-0x0000000000520000-memory.dmp	upx
behavioral1/memory/2844-4755-0x0000000000400000-0x0000000000520000-memory.dmp	upx
behavioral1/memory/2844-4767-0x0000000000400000-0x0000000000520000-memory.dmp	upx
behavioral1/memory/2844-4857-0x0000000000400000-0x0000000000520000-memory.dmp	upx
behavioral1/memory/2844-4858-0x0000000000400000-0x0000000000520000-memory.dmp	upx
behavioral1/memory/2844-4861-0x0000000000400000-0x0000000000520000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\spu\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files (x86)\Common Files\System\it-IT\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\es-ES\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\Windows Photo Viewer\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\Mozilla Firefox\fonts\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files (x86)\Windows Media Player\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\Microsoft Games\Chess\ja-JP\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\Windows NT\TableTextService\ja-JP\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\Windows Journal\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe

Drops file in Windows directory 64 IoCs

Processes:

a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe

description	ioc	process
File created	C:\Windows\winsxs\amd64_microsoft-windows-pcwdiagnostic_31bf3856ad364e35_6.1.7600.16385_none_5120bf8b19591afa\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\msil_system.drawing.design.resources_b03f5f7f11d50a3a_6.1.7600.16385_de-de_2c9ec3fd5f17e351\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-ehrec.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2f523b8e8e65e862\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-label_31bf3856ad364e35_6.1.7600.16385_none_b323fd6ee3f98653\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ncsi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_23432a501fa0d204\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..l-message.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f3704e91edeb9750\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..mes-chess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bbb1c7b789d49aaa\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_nulhpopr.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f2cb7b627ca511a7\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..relevated.resources_31bf3856ad364e35_6.1.7600.16385_es-es_83dbde299525c2eb\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..owmanager.resources_31bf3856ad364e35_6.1.7600.16385_en-us_05ee2d61d58171a1\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-errorreportingui_31bf3856ad364e35_6.1.7600.16385_none_ce3b80c0636ae33d\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..onents-jetexchlotus_31bf3856ad364e35_6.1.7600.16385_none_c3120b63aec6aa01\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_ru-ru_68793793d8498bad\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_91706225b47c99f7\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..ado15-rll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b8d09557a34245e0\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-terminalmanager_31bf3856ad364e35_6.1.7601.17514_none_5ca32904edfb1c77\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ration-ui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_161fe1a0b6aae7b7\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-msmpeg2vdec_31bf3856ad364e35_6.1.7600.16385_none_90cd9ae919559d36\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-b..d-bootfix.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_24ca1e2f861cc656\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..timezones.resources_31bf3856ad364e35_6.1.7601.17514_de-de_38aa8180a988041c\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..track-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c13d58e431d898bb\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..ional-codepage-1145_31bf3856ad364e35_6.1.7600.16385_none_7f646ca72322e46a\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.1.7601.17514_none_90ecf919657dacf4\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..e-ws2ifsl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b47a8e54a5b667dd\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_prnca00b.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a5e5dc6b6ec43ed1\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-whhelper.resources_31bf3856ad364e35_6.1.7600.16385_de-de_992787fdf80a08dc\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..mecontrol.resources_31bf3856ad364e35_6.1.7600.16385_es-es_38f8468bba76d98d\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-font-truetype-marlett_31bf3856ad364e35_6.1.7600.16385_none_aa49e9141901cae9\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-kernelbase.resources_31bf3856ad364e35_6.1.7600.16385_de-de_357580b015bbeb72\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Web.Mobile.resources\2.0.0.0_fr_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-choice_31bf3856ad364e35_6.1.7601.17514_none_218cf07ba262766c\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-imagesp1.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2e771ede4247d84b\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ntlanui2.resources_31bf3856ad364e35_6.1.7601.17514_en-us_a12d04f6f74c4893\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Jscript.resources\8.0.0.0_it_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-icm-dccw.resources_31bf3856ad364e35_6.1.7600.16385_en-us_20d60f5b359fd24d\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_dd7d190c3acc8e53\license.rtf	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..erclasses.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_db35c73b64cc3033\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-ielowutil.resources_31bf3856ad364e35_8.0.7600.16385_en-us_48bafdace8a39fec\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-winsatmediasamples_31bf3856ad364e35_6.1.7600.16385_none_0b34d0642122c1c4\Clip_480i_5sec_6mbps_new.mpg	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-c..fe-catsrvut-comsvcs_31bf3856ad364e35_6.1.7600.16385_none_7298bb510131906e\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_cs-cz_97769b281ba398b8\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-trustedinstaller_31bf3856ad364e35_6.1.7601.17514_none_ef3338f363c6403c\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_prnlx00c.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d5b3ba43383b76c5\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-msasn1_31bf3856ad364e35_6.1.7601.17514_none_c9617fb603a37c36\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-o..lfeatures.resources_31bf3856ad364e35_6.1.7600.16385_en-us_327825b172b59b89\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\x86_netfx35linq-microso..ild.conversion.v3.5_31bf3856ad364e35_6.1.7600.16385_none_397c457d247d92a0\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-journal.resources_31bf3856ad364e35_6.1.7600.16385_it-it_7de6b68057a5c192\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-htmlhelp.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_b5f71ef98aa070f1\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..structure.resources_31bf3856ad364e35_6.1.7600.16385_it-it_879f37991a58ee6d\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_nettun.inf_31bf3856ad364e35_6.1.7600.16385_none_51c6fa78585e762e\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_server-help-chm.lug.resources_31bf3856ad364e35_6.1.7600.16385_it-it_15c431dc2f3514b0\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_wpf-presentationframework.luna_31bf3856ad364e35_6.1.7600.16385_none_8d538a1c22ec6c06\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_it-it_d50761e680c7654b\license.rtf	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\inf\Windows Workflow Foundation 4.0.0.0\0011\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-r..y-service.resources_31bf3856ad364e35_6.1.7600.16385_es-es_42809615928e7252\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wcfcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_a173363f4311c801\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-atl_31bf3856ad364e35_6.1.7600.16385_none_0715316d7363738e\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..ion-reflectordriver_31bf3856ad364e35_6.1.7601.17514_none_764c15a2f476f130\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-fsutil.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f5aae09bfa57aed0\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..timezones.resources_31bf3856ad364e35_6.1.7601.17514_it-it_1227851faa338c30\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..ywmdmcesp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9e0f3fdd6dd608a1\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\amd64_prnts002.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3590aad19ae7a69f\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-diskraid.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c048c7ea3fca805a\HOW TO DECRYPT FILES.txt	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..homebasic.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b71e2f823ddacf22\license.rtf	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe

Modifies registry class 10 IoCs

Processes:

a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.shadaloo2\ = "YUMODILULDNZGLE"	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YUMODILULDNZGLE\ = "CRYPTED!"	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YUMODILULDNZGLE\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\R4r5E8RBfwmV5am.exe,0"	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YUMODILULDNZGLE\shell\open	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.shadaloo2	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YUMODILULDNZGLE	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YUMODILULDNZGLE\DefaultIcon	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YUMODILULDNZGLE\shell\open\command	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YUMODILULDNZGLE\shell	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YUMODILULDNZGLE\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\R4r5E8RBfwmV5am.exe"	a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe

C:\Users\Admin\AppData\Local\Temp\a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe
"C:\Users\Admin\AppData\Local\Temp\a5663a1281ae0cb8fc8e858f00b3a5b6cc6084626ec9d07a2d2e226d5df4fb96.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\HOW TO DECRYPT FILES.txt

Filesize
383B

MD5
eca1b2db16019e4cd5ffb7bdfca70551

SHA1
719412e310b24357626c64247bd984c9830a24ce

SHA256
580d3b111bf25c4db730da0274d08f90c104a4061c0a255a70c4f7a1ab2571a5

SHA512
821314a4c2e3dd02a55b72519018cbc9e4268e0ba046b8aa1ac0f8fcd2fa2a270a8a5173263eae090c74db31e81248b207bd80fe0ee487deb2a66d6d792e8759

Download Submit
memory/2844-2-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2844-4755-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2844-4767-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2844-4857-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2844-4858-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2844-4861-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads