teslacrypt | 1356acd718a156e106163e91fa87a415e4f6855606d2712d8408d65190a95dad

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04-02-2024 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_9213073f63c1542315acdad27c0b8b78.exe
Size

360KB
MD5

9213073f63c1542315acdad27c0b8b78
SHA1

77b5765cd37ccfb7608611291d66e68b7d68e2dc
SHA256

1356acd718a156e106163e91fa87a415e4f6855606d2712d8408d65190a95dad
SHA512

9ae5d76345825b0cd012d4ce8189a1b6864b3d76be93ae7fad22eb28387097346213d7763a989098ae2dd5a921afd3ab8ef72cc308d4d9bfc8e7e7efa3a92735
SSDEEP

6144:YaaRWvS8RStjunQ/ocbbOeEQZlPX6kKhWbyFqoMU2sEEbsOI/4Yi:YFWvNS8EE4+WOeU22bnI/4Yi

Score

10^/10

teslacrypt persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ngmvt.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/232E2B498C85901E 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/232E2B498C85901E 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/232E2B498C85901E If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/232E2B498C85901E 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/232E2B498C85901E http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/232E2B498C85901E http://yyre45dbvn2nhbefbmh.begumvelic.at/232E2B498C85901E Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/232E2B498C85901E

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/232E2B498C85901E

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/232E2B498C85901E

http://yyre45dbvn2nhbefbmh.begumvelic.at/232E2B498C85901E

http://xlowfznrg4wf7dli.ONION/232E2B498C85901E

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (423) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2828 cmd.exe

pid	process
2828	cmd.exe

Drops startup file 3 IoCs

Processes:

lcwibkvsrmwn.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+ngmvt.png	lcwibkvsrmwn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+ngmvt.txt	lcwibkvsrmwn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+ngmvt.html	lcwibkvsrmwn.exe

Executes dropped EXE 1 IoCs

Processes:

lcwibkvsrmwn.exe

pid process

2816 lcwibkvsrmwn.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

lcwibkvsrmwn.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\jrbadhb = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\lcwibkvsrmwn.exe"	lcwibkvsrmwn.exe

Drops file in Program Files directory 64 IoCs

Processes:

lcwibkvsrmwn.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre7\lib\security\_ReCoVeRy_+ngmvt.txt	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\_ReCoVeRy_+ngmvt.png	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\_ReCoVeRy_+ngmvt.txt	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\_ReCoVeRy_+ngmvt.png	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\de-DE\_ReCoVeRy_+ngmvt.png	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_ReCoVeRy_+ngmvt.html	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\_ReCoVeRy_+ngmvt.txt	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\fr-FR\_ReCoVeRy_+ngmvt.txt	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\32.png	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\_ReCoVeRy_+ngmvt.txt	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\_ReCoVeRy_+ngmvt.png	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_ReCoVeRy_+ngmvt.html	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\_ReCoVeRy_+ngmvt.txt	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_ReCoVeRy_+ngmvt.txt	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\_ReCoVeRy_+ngmvt.txt	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\_ReCoVeRy_+ngmvt.html	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\_ReCoVeRy_+ngmvt.txt	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\_ReCoVeRy_+ngmvt.txt	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\_ReCoVeRy_+ngmvt.txt	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\_ReCoVeRy_+ngmvt.txt	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_rainy.png	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\library.js	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\_ReCoVeRy_+ngmvt.png	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\_ReCoVeRy_+ngmvt.png	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\_ReCoVeRy_+ngmvt.html	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_150.png	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\keystore\_ReCoVeRy_+ngmvt.html	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Memories_buttonClear.png	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\_ReCoVeRy_+ngmvt.html	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\_ReCoVeRy_+ngmvt.png	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_rest.png	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Windows Sidebar\_ReCoVeRy_+ngmvt.txt	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\_ReCoVeRy_+ngmvt.png	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Windows Media Player\Icons\_ReCoVeRy_+ngmvt.html	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_s.png	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\_ReCoVeRy_+ngmvt.txt	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\_ReCoVeRy_+ngmvt.png	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\_ReCoVeRy_+ngmvt.html	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\_ReCoVeRy_+ngmvt.txt	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_ReCoVeRy_+ngmvt.txt	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\_ReCoVeRy_+ngmvt.png	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\_ReCoVeRy_+ngmvt.txt	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\_ReCoVeRy_+ngmvt.html	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\picturePuzzle.js	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\_ReCoVeRy_+ngmvt.html	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureB.png	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\1.png	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_over_BIDI.png	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\_ReCoVeRy_+ngmvt.txt	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad.png	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_ReCoVeRy_+ngmvt.png	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_ReCoVeRy_+ngmvt.png	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\_ReCoVeRy_+ngmvt.html	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\_ReCoVeRy_+ngmvt.png	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_RGB_PAL.wmv	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\_ReCoVeRy_+ngmvt.html	lcwibkvsrmwn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\_ReCoVeRy_+ngmvt.txt	lcwibkvsrmwn.exe

Drops file in Windows directory 2 IoCs

Processes:

VirusShare_9213073f63c1542315acdad27c0b8b78.exe

description	ioc	process
File created	C:\Windows\lcwibkvsrmwn.exe	VirusShare_9213073f63c1542315acdad27c0b8b78.exe
File opened for modification	C:\Windows\lcwibkvsrmwn.exe	VirusShare_9213073f63c1542315acdad27c0b8b78.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000566b58630fb3a044b91770fce5e9b2d600000000020000000000106600000001000020000000255a3cd1bee87599ed6693ba2670692e37c881761568cd0c2b14095e47f8051b000000000e8000000002000020000000db798113c6dc0d146a657dccbc2ac4f20ec7e6e120265faf52e9eadc965fe8122000000034de84c82c2979cbb40ffb9f60d26e6eab5f38eabb58ae1c82202577d162822a400000009babba90f938f052fb15ec87e8a5f679bb0a1df8b12efd2bf03bd28c342d0298960a526612f8a7c77b98db8bd88d879ed19dc2814969148b336d2fd8fa99d9f2	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a09527666357da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{91AB6261-C356-11EE-9BAD-F2B23B8A8DD7} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "413210575"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000566b58630fb3a044b91770fce5e9b2d60000000002000000000010660000000100002000000072ccd73c51f59eb64b64ed482e20b58d7817fb64dfa0fdd8f6d4ffec824c06af000000000e8000000002000020000000f7f919f956eb022bfc8337e2d8cb2f925d92108bfff809200c37a6f9bc3929bf90000000cb06ab6955afc6a188068244b23343ee609c123abe5c98098125e4faec516671927be401ba222157a1f159cafb701157ddeb3b1c14782514f0c5d32073ad390d696a9c1cf7188fc661d392cfbf7a9541100cfc2083c7448c87ad160e0abbc648f345960d735a4ab33ce4715aed3c6b35b7d8c1477f2b1659ccdf65652bb1d3b66954693db9f44129de17201aeab260b5400000005e60b9380f1a7f913ed1f8d7d83064607af7bb89950613d36f51589f5d07e0676a21a39876e58cca3b6cdf5d731743f7d68346745e52f484933796127bd74a35	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1992 NOTEPAD.EXE

pid	process
1992	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

lcwibkvsrmwn.exe

pid	process
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe
2816	lcwibkvsrmwn.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

VirusShare_9213073f63c1542315acdad27c0b8b78.exelcwibkvsrmwn.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2532	VirusShare_9213073f63c1542315acdad27c0b8b78.exe
Token: SeDebugPrivilege	2816	lcwibkvsrmwn.exe
Token: SeIncreaseQuotaPrivilege	2956	WMIC.exe
Token: SeSecurityPrivilege	2956	WMIC.exe
Token: SeTakeOwnershipPrivilege	2956	WMIC.exe
Token: SeLoadDriverPrivilege	2956	WMIC.exe
Token: SeSystemProfilePrivilege	2956	WMIC.exe
Token: SeSystemtimePrivilege	2956	WMIC.exe
Token: SeProfSingleProcessPrivilege	2956	WMIC.exe
Token: SeIncBasePriorityPrivilege	2956	WMIC.exe
Token: SeCreatePagefilePrivilege	2956	WMIC.exe
Token: SeBackupPrivilege	2956	WMIC.exe
Token: SeRestorePrivilege	2956	WMIC.exe
Token: SeShutdownPrivilege	2956	WMIC.exe
Token: SeDebugPrivilege	2956	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2956	WMIC.exe
Token: SeRemoteShutdownPrivilege	2956	WMIC.exe
Token: SeUndockPrivilege	2956	WMIC.exe
Token: SeManageVolumePrivilege	2956	WMIC.exe
Token: 33	2956	WMIC.exe
Token: 34	2956	WMIC.exe
Token: 35	2956	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2956	WMIC.exe
Token: SeSecurityPrivilege	2956	WMIC.exe
Token: SeTakeOwnershipPrivilege	2956	WMIC.exe
Token: SeLoadDriverPrivilege	2956	WMIC.exe
Token: SeSystemProfilePrivilege	2956	WMIC.exe
Token: SeSystemtimePrivilege	2956	WMIC.exe
Token: SeProfSingleProcessPrivilege	2956	WMIC.exe
Token: SeIncBasePriorityPrivilege	2956	WMIC.exe
Token: SeCreatePagefilePrivilege	2956	WMIC.exe
Token: SeBackupPrivilege	2956	WMIC.exe
Token: SeRestorePrivilege	2956	WMIC.exe
Token: SeShutdownPrivilege	2956	WMIC.exe
Token: SeDebugPrivilege	2956	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2956	WMIC.exe
Token: SeRemoteShutdownPrivilege	2956	WMIC.exe
Token: SeUndockPrivilege	2956	WMIC.exe
Token: SeManageVolumePrivilege	2956	WMIC.exe
Token: 33	2956	WMIC.exe
Token: 34	2956	WMIC.exe
Token: 35	2956	WMIC.exe
Token: SeBackupPrivilege	2200	vssvc.exe
Token: SeRestorePrivilege	2200	vssvc.exe
Token: SeAuditPrivilege	2200	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2180	WMIC.exe
Token: SeSecurityPrivilege	2180	WMIC.exe
Token: SeTakeOwnershipPrivilege	2180	WMIC.exe
Token: SeLoadDriverPrivilege	2180	WMIC.exe
Token: SeSystemProfilePrivilege	2180	WMIC.exe
Token: SeSystemtimePrivilege	2180	WMIC.exe
Token: SeProfSingleProcessPrivilege	2180	WMIC.exe
Token: SeIncBasePriorityPrivilege	2180	WMIC.exe
Token: SeCreatePagefilePrivilege	2180	WMIC.exe
Token: SeBackupPrivilege	2180	WMIC.exe
Token: SeRestorePrivilege	2180	WMIC.exe
Token: SeShutdownPrivilege	2180	WMIC.exe
Token: SeDebugPrivilege	2180	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2180	WMIC.exe
Token: SeRemoteShutdownPrivilege	2180	WMIC.exe
Token: SeUndockPrivilege	2180	WMIC.exe
Token: SeManageVolumePrivilege	2180	WMIC.exe
Token: 33	2180	WMIC.exe
Token: 34	2180	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

1620 iexplore.exe
236 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1620 iexplore.exe
1620 iexplore.exe
2956 IEXPLORE.EXE
2956 IEXPLORE.EXE

pid	process
1620	iexplore.exe
236	DllHost.exe

pid	process
1620	iexplore.exe
1620	iexplore.exe
2956	IEXPLORE.EXE
2956	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

VirusShare_9213073f63c1542315acdad27c0b8b78.exelcwibkvsrmwn.exeiexplore.exe

description	pid	process	target process
PID 2532 wrote to memory of 2816	2532	VirusShare_9213073f63c1542315acdad27c0b8b78.exe	lcwibkvsrmwn.exe
PID 2532 wrote to memory of 2816	2532	VirusShare_9213073f63c1542315acdad27c0b8b78.exe	lcwibkvsrmwn.exe
PID 2532 wrote to memory of 2816	2532	VirusShare_9213073f63c1542315acdad27c0b8b78.exe	lcwibkvsrmwn.exe
PID 2532 wrote to memory of 2816	2532	VirusShare_9213073f63c1542315acdad27c0b8b78.exe	lcwibkvsrmwn.exe
PID 2532 wrote to memory of 2828	2532	VirusShare_9213073f63c1542315acdad27c0b8b78.exe	cmd.exe
PID 2532 wrote to memory of 2828	2532	VirusShare_9213073f63c1542315acdad27c0b8b78.exe	cmd.exe
PID 2532 wrote to memory of 2828	2532	VirusShare_9213073f63c1542315acdad27c0b8b78.exe	cmd.exe
PID 2532 wrote to memory of 2828	2532	VirusShare_9213073f63c1542315acdad27c0b8b78.exe	cmd.exe
PID 2816 wrote to memory of 2956	2816	lcwibkvsrmwn.exe	WMIC.exe
PID 2816 wrote to memory of 2956	2816	lcwibkvsrmwn.exe	WMIC.exe
PID 2816 wrote to memory of 2956	2816	lcwibkvsrmwn.exe	WMIC.exe
PID 2816 wrote to memory of 2956	2816	lcwibkvsrmwn.exe	WMIC.exe
PID 2816 wrote to memory of 1992	2816	lcwibkvsrmwn.exe	NOTEPAD.EXE
PID 2816 wrote to memory of 1992	2816	lcwibkvsrmwn.exe	NOTEPAD.EXE
PID 2816 wrote to memory of 1992	2816	lcwibkvsrmwn.exe	NOTEPAD.EXE
PID 2816 wrote to memory of 1992	2816	lcwibkvsrmwn.exe	NOTEPAD.EXE
PID 2816 wrote to memory of 1620	2816	lcwibkvsrmwn.exe	iexplore.exe
PID 2816 wrote to memory of 1620	2816	lcwibkvsrmwn.exe	iexplore.exe
PID 2816 wrote to memory of 1620	2816	lcwibkvsrmwn.exe	iexplore.exe
PID 2816 wrote to memory of 1620	2816	lcwibkvsrmwn.exe	iexplore.exe
PID 1620 wrote to memory of 2956	1620	iexplore.exe	IEXPLORE.EXE
PID 1620 wrote to memory of 2956	1620	iexplore.exe	IEXPLORE.EXE
PID 1620 wrote to memory of 2956	1620	iexplore.exe	IEXPLORE.EXE
PID 1620 wrote to memory of 2956	1620	iexplore.exe	IEXPLORE.EXE
PID 2816 wrote to memory of 2180	2816	lcwibkvsrmwn.exe	WMIC.exe
PID 2816 wrote to memory of 2180	2816	lcwibkvsrmwn.exe	WMIC.exe
PID 2816 wrote to memory of 2180	2816	lcwibkvsrmwn.exe	WMIC.exe
PID 2816 wrote to memory of 2180	2816	lcwibkvsrmwn.exe	WMIC.exe
PID 2816 wrote to memory of 1004	2816	lcwibkvsrmwn.exe	cmd.exe
PID 2816 wrote to memory of 1004	2816	lcwibkvsrmwn.exe	cmd.exe
PID 2816 wrote to memory of 1004	2816	lcwibkvsrmwn.exe	cmd.exe
PID 2816 wrote to memory of 1004	2816	lcwibkvsrmwn.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

lcwibkvsrmwn.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lcwibkvsrmwn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	lcwibkvsrmwn.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_9213073f63c1542315acdad27c0b8b78.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_9213073f63c1542315acdad27c0b8b78.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\lcwibkvsrmwn.exe
  C:\Windows\lcwibkvsrmwn.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2816
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2956
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1992
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1620 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2956
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\LCWIBK~1.EXE
    3⤵
    PID:1004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
  2⤵
  - Deletes itself
  PID:2828

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ngmvt.html

Filesize
12KB

MD5
a805f5e95ca581cc0df45ab285b7f501

SHA1
8370a81b3e64b34a3f9e9a6bab2356b235bdbe53

SHA256
425380a15a9ca0119b9493e906fc524bb90e5d58a2194c5f0571a3c599d71df8

SHA512
3e6a54094391477121ed6d264ffbe94c3273d38788365a22083900d35a5eb429f13addfdcfaea76d1fe2445748f2de0bb78f4a0e4a05450345f7deda9da2a530

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ngmvt.png

Filesize
65KB

MD5
e4b2932976f320871e4d1d19470569f7

SHA1
efa84a17a2b9095cae8bc5e36a4179b49e6683e8

SHA256
4c7b38a688049912547b0421bfff2e18ac66d4d9a0f0347f1199a54f526e7546

SHA512
ce65ec68f091f13be5b18dc7954b521d2fa0ffac2c285afaad72985ebd7625827021dc739c1bdea350e9d071ec493bb107949e18c211680d00ac40832e4f705d

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ngmvt.txt

Filesize
1KB

MD5
d45380918e785077534b3287abbd9789

SHA1
1f08bc1a667ce2b672d0303a4e440c622b95db8f

SHA256
c65ff41b627a222c10f01c4f74cfda6af04079873ac14aed1cfc6f520fa06f2c

SHA512
90a7c0f7fdff476829714ef5c4046658da6c8acdcf16c4c61941bdb3e00b1795caf419b08840b777eaf714df134107a55752548648b205f542f0af02491bd2ab

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
0754a388ca67fff884cff511573b31bc

SHA1
1126a2664a9211c044525c23e1694d3ce701f056

SHA256
f06cef40fbb430ef690f462ca49e6a30f7c0fc5b91c6638fcfbd4b7759a25757

SHA512
385025d5dc0cd4f18fc004dcbaa11285e86cfb679f724da012276902e7f2f5219ad961df5681c8b32e16dced5685fccfb0c08e86f9254a51e29ebf86637cf88b

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
63eb145cbfaccce6f84f0723f5bb0d91

SHA1
fe0d6c1e3d3702353ece52697eced4ebd2d1f04d

SHA256
973d4838b07969bc02fe0a550fba1712c07d5cc4b83af1d1fd2b8878d01caa54

SHA512
4442c608380228953074e25b07a8864bcf46210920714a0dabdaff8d5b103f2613bb67fcb833264a02bafeec6d0d9a33a7530b4be71a90b7c34ef7e8ea14535d

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
7dbc24f67036fabdd55db74967c88958

SHA1
1172752ffaf46b4fd69789a5c299de458016d476

SHA256
e7d8c2ded3e74df20290f650e8aa9f077f0be37678ba3d0dca7fca9240bde6eb

SHA512
9d792af31fa124521eec2c42c8cb1f4d5f90d2e4ae372b99a6f2e72a2c9afbc8ee5a54ad3acb221cc6e8dcbfb16865fd486b54cace30ecde806970a075f05b5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
27540e80262fd03abc9d59211dadb316

SHA1
5972ad5c7ab925deaa8af2bbd0d215e0d57e3854

SHA256
36a7a7d39de2b00d233432b69f05bfb25fadb6001a79e12f221efe153901f332

SHA512
e325a9bc59f4e26204666f472f290a4c837829f8103aeb9788d9874e2a16a12c94ff2b575d30958773d2e3322a205593d063c6c8e8a7aea8da98e8e58da4758f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a1c709175a4377a0d21ed96530a68043

SHA1
ad0d6a099b42caf05d96447d224c229195b0bf88

SHA256
edfc98c24c8b9e4791fa75bd2875489c15b0d3e4bcee429d296065adecec0970

SHA512
f0e90c2f896593476edd0d3c0b61168d61f3d6163f2d6155be9c6d4072b77a35f7fe41c1f39ae68f7846fc54a2fbbe6709fe45ea118d2241d3764a48a8a4e57f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
72f0dd240416d0e0e7bd8bac1b09eefc

SHA1
42348128711d57da5e8d07360ddf76c58c87d592

SHA256
e117a0560855ffe5f4d619a97a884049b2c51517a274895e712413f16730c57a

SHA512
2bcf58b7f9a0a69703da220fddb400c62de2051fe05e430da38edb398f72abc3dfee853b05c1c7d63bc5b8a6016037efb445fd5791144eeaeb2820b23595925c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
875dc7210114387220fb145813413952

SHA1
9d6c46310a3fc50babb224d2f0dbbc709ec6326b

SHA256
896e307f99870527ae377e2c8025e7ada5279167f91d24dc626989375318a23e

SHA512
026687a20f4309e5d56ebde574782cd054269136b3a1f00274852638d1def12300f51504e4cff9e518fd725322d9c19a1d96bf6d55288584b472ae2ca309ad6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e815adb2f933c095a36694b891b8f1d8

SHA1
4b5fc0457db78a61aec06eea4f868ca1ed5888eb

SHA256
a8fe125d483826bdf51707b6207bdde3c860451e529a32e68907fa15607c2b45

SHA512
d6d6b6bb731f82337a8511d8c9e8c1f4480c8f2acdc51eb6e2415e7120868617ffba96a3432ddf789b20cd4dfcf0f19613d73673e4cccc5f512d38e1cddd9a15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aef4739a5985865db093302acf37e115

SHA1
d65d0498d025ba9791fb96b06d48c0a58801c54d

SHA256
2f14b35445d459851a8323abd8e473e69f7466c0d4d3e6cdfd8eaf38cd6b8671

SHA512
1d46119ab70dd269400149324f4127813ee686053ca122648f5d3e9a163de9548b3ea394e96e0279e5206894069e489227a6d3c0b1fd198b66d9324b4d0e6ebf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
51a1ee98689117c8c255938163385093

SHA1
e08e30261c1667dd184b2f820eecdc2fc0574286

SHA256
b7c2f1fe55cbeb72218df24dc478c420b06834a4a92022aac411850b2482c8f1

SHA512
77ca665f024d75c504602ba418bbbd673fbc59d1ada14d08c7dfdad49e53b93fa2b9ed7945d984bd5f41823bfda2184d72041a3821761d0a30452e303f67775d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e194468b40c562cf1b77dec25ce7f18a

SHA1
a9c3da45aec3ac5f9f3029ea1a100056d6a90e9c

SHA256
e1ef5d42ce886f23a7fd14782a0986f9418d5aab4beddc428b8ab33af8c00bfa

SHA512
d074fcaa9bb81f3fd0ebb831487b9237039430dcf360b596074477e562a8f136ee6b2ad59d8291e45bc22e26912bc830b7c97ae1bc440d5881ee58a24e1a8ccd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
214f2da964111901b4cbf4942b7fe257

SHA1
a0b417460c91277a06f9f2e4aa86c02090ea2e4a

SHA256
fb25752b13880ab18edd957389681bb3d46bbd9d2e0752812741634eaafaf2c5

SHA512
6aefb63b2d21fefdafaae6191d0af770040d9ebd96e1e478c1f4824983e1147c23c6747e0f89ea0344722e439bf577ee20c189ac4bda8bb489f74d60acf72ccf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
12b490d72e0fa21c752cd5512dcff479

SHA1
0929616a5196e3e9a2f446727f1db343442995fa

SHA256
3cf01a7cfae3943b34bb1069184050e9fddd68fd28d95fa4953773f7df08859f

SHA512
a4a4946d1bd6e1894a2ea5671a4270c4d3901e525461f96bbe500817e6e5321b774b31d80db0e6ff041e698da8fa7559165a0efd270863036668b6210d2d2a79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
12e29ad380731be3acae8f00a41a0258

SHA1
c34a83c61e19aaf444499f5bc79391f48e1e9396

SHA256
9dbc52ab5d4f7acd2a48c59e4f59f2cd00348dc0a3b70f914a0795885327e340

SHA512
7b6fc95af89bb97954e34805d74af6ccb1c10847097d0e0bd0b7687c4e120975cc8a2dcc1d975925de3714d7285131162ead80658649b97f5e9eef4bad3f423e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e23b46712447e703191aa4e597e38aaf

SHA1
7cf18bccae5eb602e2bceba05e279bbd0630ded7

SHA256
63e5532da7d801376b6278f0aa1c057c4374880e37daad5894224479da5b2979

SHA512
68071954c72f864fac362a36ce4ee651204ed37eb33fba85849da2aa6ab3ab4b432a6d53bd0f95605b5ba25ee6a796231c5e717d58aa1b6a9cb2ddffe712c4a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ca46cbb0242ea58fb2de76911499bf44

SHA1
9f705636aeb1153a91536e20f836f225f6326d40

SHA256
de6785ac7a9d63d443108bb56175490d7f197ef12ecf4ff059737288c6e4b0a1

SHA512
4d9b1f2dda2eb6029ef2ad23671eb7a5eb44292b236b074e4b2bef81fbf5bf08f76732902def89e979dcc0c2e71d10ff04d8a0632124b2a24b5538df5e277639

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
66aa53bc299466bf012bf7ffa543bf1f

SHA1
11f3385b5dd76e078bdd3812b458be533fbf2c7a

SHA256
b73d9c6cf5c87734f3711ec7f5fe7b00f4fd1e1d958fe51185c1057b192a0414

SHA512
207d3d4f45f81c46b90919702cedaf711cef5081144859292f98493f2cdbb1aff62834afddf180062126a26864107bcf3b88c44c594a8637257dd5ed02d14096

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
00e8c8c38c529621e9d20ea8249dd024

SHA1
6c8957bf18384d4907148affb8d15f2b06fcc02e

SHA256
9a6935ee7a2c712ddbf09e42b30ce014b8e7c01dc8027b53eb35fd755f656131

SHA512
e968233713ac6b0931e230fb4afbc112b3e7beb99b156d1afc713d5a96e0f7ef548c7483b92d3e5a975a8df652c679af51701d1497977b6afac5164700b1493e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ed818fc48c049e8e5e9fea9e690f58ee

SHA1
7d0c8ac8da64e3975b00a9d8f0048d83d13b6392

SHA256
22fef943d0751c6b97c19b1ced34f2ea2478d95db9d14141970beef03034ff29

SHA512
2a5416d18ec5e660d6e58b08f34e6a5dd67bae15ee7e838745cdbf946a0d45ca32733376463b9d42bce706384540eef701ea36c98af4fbf5b8fb4d8290a33727

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
64df10989ab52477a89e8f5f2cd74727

SHA1
469f3af850de3dd5e61ab64dd3b473b07af6d114

SHA256
5f1a1004a710fb38f43bf0484924d925bd9fb64bc5a38ac92aaa9d68a5623ec9

SHA512
83fe1af6ed4e5615e4b7798ee4a3c05d6bb39b8b6a0a76c1a5f7935947ea0909297f81ca81956841af8a68221bd7c2a90521b666aa29bf627a79c193749824ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d2a519fecc99b26a33068f56a384b57e

SHA1
2585267012834c1d21cf7c722ef4efb0491cafe7

SHA256
3240170a493063a9a6510d8aa84ed6a397aa94b2fd527c1c5ee25a4a0ea53396

SHA512
acdb6585018f67d6af58cb1f46bf91146ec291025e764eb28153a357fb6bc6283df9c0d112f61789a4c6d45b60e7beacad7b781211c9064ba5d74fc50608abb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1797d62f61f92229a99b34c06bd6d07b

SHA1
8ab07aacff61db321eb5ffaad3546e5f81040f6c

SHA256
a45797a719602baf97898d77f38c99e1877c113a1ea7b74faf3829e084c433c3

SHA512
0010a2cf5ee10fd6e4632bb116a124911fdd5b476066da159b697199bb990f0b16423429ed3a696575370186373e03d7646313ef3575fed45023863814c32587

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cb8e3c4907877d6bcc6aedf926b52472

SHA1
922a4a262d92879d108bb49e40201af6a0cffab0

SHA256
80ae74ec74ebca3e83e35c20bcb844f9ac71a0a631e8511b2f24f1d5292c0a16

SHA512
707ad474ec6ce7f71b31ff245df48bb2cf6cfb8b283c2e9d41229a791459223524aaf0a8ffb747b2ef3c0560a66d8b535948d1676f03a90b49e8dc9eba9fd41e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2934.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2957.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Windows\lcwibkvsrmwn.exe

Filesize
360KB

MD5
9213073f63c1542315acdad27c0b8b78

SHA1
77b5765cd37ccfb7608611291d66e68b7d68e2dc

SHA256
1356acd718a156e106163e91fa87a415e4f6855606d2712d8408d65190a95dad

SHA512
9ae5d76345825b0cd012d4ce8189a1b6864b3d76be93ae7fad22eb28387097346213d7763a989098ae2dd5a921afd3ab8ef72cc308d4d9bfc8e7e7efa3a92735

Download Submit
memory/236-6039-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/236-6038-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/236-6544-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/2532-1-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2532-0-0x00000000004A0000-0x0000000000526000-memory.dmp

Filesize
536KB

Download
memory/2532-14-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2532-16-0x00000000004A0000-0x0000000000526000-memory.dmp

Filesize
536KB

Download
memory/2816-6037-0x0000000002DE0000-0x0000000002DE2000-memory.dmp

Filesize
8KB

Download
memory/2816-1781-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2816-4069-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2816-4581-0x0000000000300000-0x0000000000386000-memory.dmp

Filesize
536KB

Download
memory/2816-15-0x0000000000300000-0x0000000000386000-memory.dmp

Filesize
536KB

Download
memory/2816-6031-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2816-6105-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download