teslacrypt | e2d9ec16ddadd92cac691a18a686003a703b77ef1b1cb7a7847f1aab6880bd6a

Analysis

max time kernel
136s
max time network
139s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
06-02-2024 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_dc13e7d8c12a96c44d138bc2e3b08cc5.exe
Size

325KB
MD5

dc13e7d8c12a96c44d138bc2e3b08cc5
SHA1

29dd6a30dfea183e0fffeb31ddf1389437364a4e
SHA256

e2d9ec16ddadd92cac691a18a686003a703b77ef1b1cb7a7847f1aab6880bd6a
SHA512

17fa6571bb0c60735b824b80c6b271800c4b6278b552901effb8fa3c9fe7ef00e5413d6a5dbfa079c94c671ab1079e94ecfbf1deebba0753b26fa07fc6e1a29d
SSDEEP

6144:J03tj8he5ffi+0kAGlmECjPwiM7R5imi7Tunv+9g1:J0djJfi9GUPq7/iU8g1

Score

10^/10

teslacrypt persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+cmnvd.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/AD12DCB213A82494 2 - http://u54bbnhf354fbkh254tbkhjbgy8258gnkwerg.tahaplap.com/AD12DCB213A82494 3 - http://w6bfg4hahn5bfnlsafgchkvg5fwsfvrt.hareuna.at/AD12DCB213A82494 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/AD12DCB213A82494 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/AD12DCB213A82494 http://u54bbnhf354fbkh254tbkhjbgy8258gnkwerg.tahaplap.com/AD12DCB213A82494 http://w6bfg4hahn5bfnlsafgchkvg5fwsfvrt.hareuna.at/AD12DCB213A82494 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/AD12DCB213A82494

URLs

http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/AD12DCB213A82494

http://u54bbnhf354fbkh254tbkhjbgy8258gnkwerg.tahaplap.com/AD12DCB213A82494

http://w6bfg4hahn5bfnlsafgchkvg5fwsfvrt.hareuna.at/AD12DCB213A82494

http://xlowfznrg4wf7dli.ONION/AD12DCB213A82494

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (385) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2188 cmd.exe

pid	process
2188	cmd.exe

Drops startup file 3 IoCs

Processes:

teiqxggvcfpr.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+cmnvd.png	teiqxggvcfpr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+cmnvd.txt	teiqxggvcfpr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+cmnvd.html	teiqxggvcfpr.exe

Executes dropped EXE 1 IoCs

Processes:

teiqxggvcfpr.exe

pid process

1888 teiqxggvcfpr.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

teiqxggvcfpr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\nmijcbj = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\teiqxggvcfpr.exe"	teiqxggvcfpr.exe

Drops file in Program Files directory 64 IoCs

Processes:

teiqxggvcfpr.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\_ReCoVeRy_+cmnvd.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\_ReCoVeRy_+cmnvd.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\_ReCoVeRy_+cmnvd.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\_ReCoVeRy_+cmnvd.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\_ReCoVeRy_+cmnvd.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\_ReCoVeRy_+cmnvd.html	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_ReCoVeRy_+cmnvd.txt	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\slideShow.css	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up_BIDI.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\1047x576black.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\_ReCoVeRy_+cmnvd.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\_ReCoVeRy_+cmnvd.txt	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\_ReCoVeRy_+cmnvd.html	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\_ReCoVeRy_+cmnvd.txt	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Windows Media Player\_ReCoVeRy_+cmnvd.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\_ReCoVeRy_+cmnvd.html	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\0.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\1047x576black.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hu.pak	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\_ReCoVeRy_+cmnvd.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\_ReCoVeRy_+cmnvd.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\ja-JP\_ReCoVeRy_+cmnvd.html	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\_ReCoVeRy_+cmnvd.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\_ReCoVeRy_+cmnvd.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\_ReCoVeRy_+cmnvd.txt	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Common Files\System\ado\_ReCoVeRy_+cmnvd.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ia\_ReCoVeRy_+cmnvd.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_ReCoVeRy_+cmnvd.html	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_SelectionSubpicture.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\_ReCoVeRy_+cmnvd.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\en-US\_ReCoVeRy_+cmnvd.txt	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\_ReCoVeRy_+cmnvd.html	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\_ReCoVeRy_+cmnvd.html	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\_ReCoVeRy_+cmnvd.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\_ReCoVeRy_+cmnvd.html	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_ReCoVeRy_+cmnvd.html	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\_ReCoVeRy_+cmnvd.txt	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\_ReCoVeRy_+cmnvd.html	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\_ReCoVeRy_+cmnvd.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca\_ReCoVeRy_+cmnvd.txt	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\_ReCoVeRy_+cmnvd.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\_ReCoVeRy_+cmnvd.html	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_ReCoVeRy_+cmnvd.html	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_windy.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\notes-static.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG_PAL.wmv	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eu\_ReCoVeRy_+cmnvd.txt	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\vi\_ReCoVeRy_+cmnvd.html	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\_ReCoVeRy_+cmnvd.html	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\_ReCoVeRy_+cmnvd.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\_ReCoVeRy_+cmnvd.html	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\it-IT\_ReCoVeRy_+cmnvd.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\_ReCoVeRy_+cmnvd.html	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\_ReCoVeRy_+cmnvd.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\_ReCoVeRy_+cmnvd.txt	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_h.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\_ReCoVeRy_+cmnvd.txt	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_ReCoVeRy_+cmnvd.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\_ReCoVeRy_+cmnvd.png	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\_ReCoVeRy_+cmnvd.html	teiqxggvcfpr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-dock.png	teiqxggvcfpr.exe

Drops file in Windows directory 2 IoCs

Processes:

VirusShare_dc13e7d8c12a96c44d138bc2e3b08cc5.exe

description	ioc	process
File created	C:\Windows\teiqxggvcfpr.exe	VirusShare_dc13e7d8c12a96c44d138bc2e3b08cc5.exe
File opened for modification	C:\Windows\teiqxggvcfpr.exe	VirusShare_dc13e7d8c12a96c44d138bc2e3b08cc5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A056F241-C534-11EE-B377-EEC5CD00071E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b0720b1d8642c344adb870a2e91786640000000002000000000010660000000100002000000088b2cb69364d4075f58ca86be8a07a26bd88a1149cbc2eb168b906bc1518a889000000000e80000000020000200000001a40ac6882fcef890c55d89a98b89d95b19f17244c2bf79c3c8c59ce351652b3200000005146cfdc710a64329f9590d3a14dd4ae5cea70d31e3c43c4d8242e83c6fd28614000000056b897add70e6b76e345fac460366bf29f1a1b6529b33171ded4fa727ab0f23118bf7dd297b065270b198dda21531a394026d521735e853403a5dddab3f286fb	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d04f2b754159da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "413415900"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b0720b1d8642c344adb870a2e917866400000000020000000000106600000001000020000000f042984de0d43e887a1808519c89023622c837b93a60dde162a363b5683dd254000000000e8000000002000020000000a8c14b5de91efbb62d4bc8c1838694f0383630ce4d73a8d4e19d2554048bb569900000009314ef997509868ed1c17f41bea5bfd251a90477904a66c7ab35d0d2dbafdc990adf9f77748fc109a054436c685d4accf870931d0a57f5a528fd9ab08ccc42edc4f99ce00b9783c78522443f43f0fb523aef4cfc107717a8fa59df9102fc18576f73f007f4bf39ecac87385aa4be4acda60b110b04a7efe6918bbe529eeadd1db9aa1b37ec7d1528b1648cb22e3a474340000000d0e621d2a027b1ae0acd25f426f32c528d3d8c10b87eec10bc6973b33613ac38dd54c39b906b853c54592a1090986af78b268e61c17cefb78d622591898d83fc	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2744 NOTEPAD.EXE

pid	process
2744	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

teiqxggvcfpr.exe

pid	process
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe
1888	teiqxggvcfpr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

VirusShare_dc13e7d8c12a96c44d138bc2e3b08cc5.exeteiqxggvcfpr.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2960	VirusShare_dc13e7d8c12a96c44d138bc2e3b08cc5.exe
Token: SeDebugPrivilege	1888	teiqxggvcfpr.exe
Token: SeIncreaseQuotaPrivilege	2540	WMIC.exe
Token: SeSecurityPrivilege	2540	WMIC.exe
Token: SeTakeOwnershipPrivilege	2540	WMIC.exe
Token: SeLoadDriverPrivilege	2540	WMIC.exe
Token: SeSystemProfilePrivilege	2540	WMIC.exe
Token: SeSystemtimePrivilege	2540	WMIC.exe
Token: SeProfSingleProcessPrivilege	2540	WMIC.exe
Token: SeIncBasePriorityPrivilege	2540	WMIC.exe
Token: SeCreatePagefilePrivilege	2540	WMIC.exe
Token: SeBackupPrivilege	2540	WMIC.exe
Token: SeRestorePrivilege	2540	WMIC.exe
Token: SeShutdownPrivilege	2540	WMIC.exe
Token: SeDebugPrivilege	2540	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2540	WMIC.exe
Token: SeRemoteShutdownPrivilege	2540	WMIC.exe
Token: SeUndockPrivilege	2540	WMIC.exe
Token: SeManageVolumePrivilege	2540	WMIC.exe
Token: 33	2540	WMIC.exe
Token: 34	2540	WMIC.exe
Token: 35	2540	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2540	WMIC.exe
Token: SeSecurityPrivilege	2540	WMIC.exe
Token: SeTakeOwnershipPrivilege	2540	WMIC.exe
Token: SeLoadDriverPrivilege	2540	WMIC.exe
Token: SeSystemProfilePrivilege	2540	WMIC.exe
Token: SeSystemtimePrivilege	2540	WMIC.exe
Token: SeProfSingleProcessPrivilege	2540	WMIC.exe
Token: SeIncBasePriorityPrivilege	2540	WMIC.exe
Token: SeCreatePagefilePrivilege	2540	WMIC.exe
Token: SeBackupPrivilege	2540	WMIC.exe
Token: SeRestorePrivilege	2540	WMIC.exe
Token: SeShutdownPrivilege	2540	WMIC.exe
Token: SeDebugPrivilege	2540	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2540	WMIC.exe
Token: SeRemoteShutdownPrivilege	2540	WMIC.exe
Token: SeUndockPrivilege	2540	WMIC.exe
Token: SeManageVolumePrivilege	2540	WMIC.exe
Token: 33	2540	WMIC.exe
Token: 34	2540	WMIC.exe
Token: 35	2540	WMIC.exe
Token: SeBackupPrivilege	1992	vssvc.exe
Token: SeRestorePrivilege	1992	vssvc.exe
Token: SeAuditPrivilege	1992	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1320	WMIC.exe
Token: SeSecurityPrivilege	1320	WMIC.exe
Token: SeTakeOwnershipPrivilege	1320	WMIC.exe
Token: SeLoadDriverPrivilege	1320	WMIC.exe
Token: SeSystemProfilePrivilege	1320	WMIC.exe
Token: SeSystemtimePrivilege	1320	WMIC.exe
Token: SeProfSingleProcessPrivilege	1320	WMIC.exe
Token: SeIncBasePriorityPrivilege	1320	WMIC.exe
Token: SeCreatePagefilePrivilege	1320	WMIC.exe
Token: SeBackupPrivilege	1320	WMIC.exe
Token: SeRestorePrivilege	1320	WMIC.exe
Token: SeShutdownPrivilege	1320	WMIC.exe
Token: SeDebugPrivilege	1320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1320	WMIC.exe
Token: SeRemoteShutdownPrivilege	1320	WMIC.exe
Token: SeUndockPrivilege	1320	WMIC.exe
Token: SeManageVolumePrivilege	1320	WMIC.exe
Token: 33	1320	WMIC.exe
Token: 34	1320	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

1512 iexplore.exe
1520 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1512 iexplore.exe
1512 iexplore.exe
1396 IEXPLORE.EXE
1396 IEXPLORE.EXE

pid	process
1512	iexplore.exe
1520	DllHost.exe

pid	process
1512	iexplore.exe
1512	iexplore.exe
1396	IEXPLORE.EXE
1396	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

VirusShare_dc13e7d8c12a96c44d138bc2e3b08cc5.exeteiqxggvcfpr.exeiexplore.exe

description	pid	process	target process
PID 2960 wrote to memory of 1888	2960	VirusShare_dc13e7d8c12a96c44d138bc2e3b08cc5.exe	teiqxggvcfpr.exe
PID 2960 wrote to memory of 1888	2960	VirusShare_dc13e7d8c12a96c44d138bc2e3b08cc5.exe	teiqxggvcfpr.exe
PID 2960 wrote to memory of 1888	2960	VirusShare_dc13e7d8c12a96c44d138bc2e3b08cc5.exe	teiqxggvcfpr.exe
PID 2960 wrote to memory of 1888	2960	VirusShare_dc13e7d8c12a96c44d138bc2e3b08cc5.exe	teiqxggvcfpr.exe
PID 2960 wrote to memory of 2188	2960	VirusShare_dc13e7d8c12a96c44d138bc2e3b08cc5.exe	cmd.exe
PID 2960 wrote to memory of 2188	2960	VirusShare_dc13e7d8c12a96c44d138bc2e3b08cc5.exe	cmd.exe
PID 2960 wrote to memory of 2188	2960	VirusShare_dc13e7d8c12a96c44d138bc2e3b08cc5.exe	cmd.exe
PID 2960 wrote to memory of 2188	2960	VirusShare_dc13e7d8c12a96c44d138bc2e3b08cc5.exe	cmd.exe
PID 1888 wrote to memory of 2540	1888	teiqxggvcfpr.exe	WMIC.exe
PID 1888 wrote to memory of 2540	1888	teiqxggvcfpr.exe	WMIC.exe
PID 1888 wrote to memory of 2540	1888	teiqxggvcfpr.exe	WMIC.exe
PID 1888 wrote to memory of 2540	1888	teiqxggvcfpr.exe	WMIC.exe
PID 1888 wrote to memory of 2744	1888	teiqxggvcfpr.exe	NOTEPAD.EXE
PID 1888 wrote to memory of 2744	1888	teiqxggvcfpr.exe	NOTEPAD.EXE
PID 1888 wrote to memory of 2744	1888	teiqxggvcfpr.exe	NOTEPAD.EXE
PID 1888 wrote to memory of 2744	1888	teiqxggvcfpr.exe	NOTEPAD.EXE
PID 1888 wrote to memory of 1512	1888	teiqxggvcfpr.exe	iexplore.exe
PID 1888 wrote to memory of 1512	1888	teiqxggvcfpr.exe	iexplore.exe
PID 1888 wrote to memory of 1512	1888	teiqxggvcfpr.exe	iexplore.exe
PID 1888 wrote to memory of 1512	1888	teiqxggvcfpr.exe	iexplore.exe
PID 1512 wrote to memory of 1396	1512	iexplore.exe	IEXPLORE.EXE
PID 1512 wrote to memory of 1396	1512	iexplore.exe	IEXPLORE.EXE
PID 1512 wrote to memory of 1396	1512	iexplore.exe	IEXPLORE.EXE
PID 1512 wrote to memory of 1396	1512	iexplore.exe	IEXPLORE.EXE
PID 1888 wrote to memory of 1320	1888	teiqxggvcfpr.exe	WMIC.exe
PID 1888 wrote to memory of 1320	1888	teiqxggvcfpr.exe	WMIC.exe
PID 1888 wrote to memory of 1320	1888	teiqxggvcfpr.exe	WMIC.exe
PID 1888 wrote to memory of 1320	1888	teiqxggvcfpr.exe	WMIC.exe
PID 1888 wrote to memory of 2068	1888	teiqxggvcfpr.exe	cmd.exe
PID 1888 wrote to memory of 2068	1888	teiqxggvcfpr.exe	cmd.exe
PID 1888 wrote to memory of 2068	1888	teiqxggvcfpr.exe	cmd.exe
PID 1888 wrote to memory of 2068	1888	teiqxggvcfpr.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

teiqxggvcfpr.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	teiqxggvcfpr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	teiqxggvcfpr.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_dc13e7d8c12a96c44d138bc2e3b08cc5.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_dc13e7d8c12a96c44d138bc2e3b08cc5.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\teiqxggvcfpr.exe
  C:\Windows\teiqxggvcfpr.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1888
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2540
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2744
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1512 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1396
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1320
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\TEIQXG~1.EXE
    3⤵
    PID:2068
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
  2⤵
  - Deletes itself
  PID:2188

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+cmnvd.html

Filesize
11KB

MD5
4cbd5184b9e2da310b7c1a5c8e0c2896

SHA1
80a81009dd6c28d8aa7a8dce6be964bd1afc83e6

SHA256
5fa8c697d7cdad9bf95b949941eea44b83f4b1773d48cead0b50d64e245a1f3c

SHA512
60f91c3df286504e4b7f2810ae67d280311f80e501b2fd3fbff4f33b8594a8caf672a28b0232d14665b68cdd150c92d1fecd87e05f3394b0cd47685745c35672

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+cmnvd.png

Filesize
65KB

MD5
21ad604b892522406ef5842027abf419

SHA1
29505b33e4bdb2e2c9021c1e7552dcc9e35dff94

SHA256
e1cce07d0bac00928081e5bb4010d3ed53a64a3f62b6648ee214810ee12a6e0b

SHA512
46806afcdbf922ca9a30b812803f4149370b7f3da6a4751a0e8786e22542bd7ce2cac072f47281c03861b8ed8aa6c658238679e2c4a96f97ad06ac94662cd4e2

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+cmnvd.txt

Filesize
1KB

MD5
77f5aeda2faef442da3ba0cba7b6b54d

SHA1
8c0fe958c68149b58cb9d039b02124fbf14656af

SHA256
c45b1f7d7c5bfeb026fe77f16f94b32a7649aa4cedf98a65592da605bbc8a714

SHA512
a2882cc4c143d7a2593971cbb70d8f420b3bbf96fd4bbcb730193d8aba8242f2bdf87e725a8deaa6bb084ea2a1a4f268c66c76d446c73f2289881c0b7e4ad262

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
d555e7ff623fdeb2456794d9f1a94001

SHA1
6eb36b6ba8baabe47b912e80e5f7d420d14349c1

SHA256
6d4ae8fe23b2bba94a177de811852e32c15472db89b7fc88df407e398c6674a0

SHA512
c8252efe57c7d6177dabfe6ba56177a15567daf1c2bac976c8771ce1457a4fcd11dd6a07ce59d38057b5aa5bc770716771b200f28dae7f5f3fa8e97831ab9ca1

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
c0d940c4193542d5a7d0df28b88f7677

SHA1
ea4e0a04e98229e7c7995018ced44d5445b05503

SHA256
827e87fde8c71192617f5a54540d92a39240cb37359dbef6ecfa349e40a7e5d5

SHA512
2164faa033485f6426f830cbaf4a346519d5ef19498ed9d7ac082856b55bc520dd6320ca21a2811ebda7940ea7b0868bcdf3d2ac18a477048361d6230b66f964

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
8cea31ce70c8c813d061a268b3e4201d

SHA1
6bafd1830c3b08a4fc23632cd1f721bfd55ec784

SHA256
731dc25a033ed23d01318128a172bc53b31cfdc448498d1f0f312e7ff898318a

SHA512
b28023419932c8272b77ea2d3ab35e446973fe20ae3a4eec07ec7b755109b5e8766bdfd9afb731bf364e0e79816010b3fbc12464d57f139f053fe82072d47cf3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
43f2407fcc9d8c69c11b00066d83d5c5

SHA1
c01fe58c6524d81843b4b372dfcfb442c5b67b42

SHA256
4d5468450b6ff23bdc092ae783acdb9f529074454ea27937b4889e6f225d5603

SHA512
4c59aa3a1b3649ad24a3e7bb4f9ac7ac7590eada9b229a92c57ecede474f4cc46b81942bbdb9060793ffcfd7b1791899729fbafd81dca4dcf8284e4bc6c733c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ec6a267005386ad2be7c16729fe8dcd8

SHA1
0913ea54a2795e13af4eff5567b46fdc8199d714

SHA256
45436321691fd4c446150ab39266ab9c4e2087580c7362c08f25e7a021123696

SHA512
113a1a94ac5d982f05a7c36df3f6fe75fe8c1fb07e14058b42036ea9d0cf7c4a6be8abfc41ea1dd8a96445e566fdb3fce4f66710cf4f3d7b83472315e06dc5d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dd6df5dd5c38405b4db31582336dc4d8

SHA1
13ee03f18d684286d7ca31f30b98a0a56506a49b

SHA256
c78e59dc315ac26da465ad05cfb98d53ebef90bb43baecb20b6f2aeaa30e3be1

SHA512
85cce841148892236d4de7dc85efce44ee291abbac8964d15149b4beb8a867bbf9c0118ffdc5d2001d01ed10f15863d91347833d049148d06ece87eff3b3967e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d81f596c1df3f4aeee58cfe8087732b9

SHA1
ce9e687450b3a8bb297db966a72d49b61bf43734

SHA256
785166732a680792384ceecf3667fa3f1bb7806e5ebf4da3a32675d00f7a4af4

SHA512
e1d3d2352992d18adfce0889e310f6fb6d6db483b372e972f75365db5b882ade6c82c893b78004caf3364ec2dfb8871e0abfc06b0a42f9b1fa30d89ad6f9d57f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f3b66d64883567ccab7f1271f2a68633

SHA1
8f41e9f9a263ef85c655217a5af2984fd748a028

SHA256
f0c162edada213edc8667814960cad3bbddaa5e3cd664976dfd3a35a176fb1e9

SHA512
8895b7aad4280d9df0b1ec91bb28f8b35aeb662a9882ac1b3084af776186395bf67f0516f9df3f5d1363743baaf62c2d2a2c234d518ab3971d48cc7e36b10863

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e7860b4d8802f5319e7b35e2c455afc9

SHA1
f6308458f081e5899cc6cc691c891c024a484f24

SHA256
899c4c87f1a640a3df4ed561c3ba78a7b96f65193810f82cf1623c33241aac2d

SHA512
d59ac991f7fb26bc4a91660d35fd8bd902663ecbae0aaaff458cf6c7fdefa5dc67e2973df381813dbbef98238e1ea03deb715809395914a38cfa8f99a4608828

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
84f1976be54ef40a97180726fb042946

SHA1
a19a73ea41f93caa4d7a966d860517ada2a596a7

SHA256
87343a9c6803861ff173ba1b55eca220c4a2707a30cf2af26a3621e296b05500

SHA512
e990148132daeb88b41631a0f468095b2a4a7d4ac2f1df518d92bc444d95331f989a0edc5993cbaca1d9feba0be270570ec1bdf748a3f66061f021d97b5589b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2554d0ec9457ea67edfcd5ddf2c040da

SHA1
c2de50da5ed3a4a0c16439f3071e550a3c87033a

SHA256
e4fceeeb60e6585a60100a8969027e714f279211a2ffe14e748c28fcf3043f2b

SHA512
49af1f30c8bb83ff9afaffe67d9cdedf2a9ef04065be52889f1450833f65eb14f40f33aa14d843df8116fe3bbbcb977cee777d0487088dae78f032d531f7987c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
185f212c9fdd0b3911581e07b82be41c

SHA1
62b9d896dfc2cdb51ccc11b0d4f2cdb3379718a2

SHA256
df1cc9b4d523f54542ebc5cecbf4b0e9781b595e75b9ec52efd836d4cb9dabea

SHA512
9dd3d55e86ee86f373e26573088c3f0873742acbc47a2ed2207ae799a798237748b69cd10fe1e59b8f494c8f31ed3c2ddfc87c590fce909161e63c652be15797

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6eaed0549b052eebe7680d6aaed2adf7

SHA1
e5bcffc4d87569b3bddbcc6912a0603b93b44256

SHA256
00dea64caeb46e82f590fdf710d7ffe0192d77ded389a51f56a6e608767f029e

SHA512
367b97d8ef1deda87f198cc1ae0bc9300610a426bd80623b743597dcfddd6c01daa74238399706c76660731dc8293242c31c945c7a82ee9cd0b031fba0cf1b2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
94592ba1ae4d7178d0a9a2ac70b2200d

SHA1
e22c76a98df53e28cfb0d4fde863eb16cfd77761

SHA256
e23a7a126e53cbc837b0004df25ba3327c971c879f678690b296864a256ad800

SHA512
380df7bf2eef5516edf061b556a5bdd0a23195fe010939b2095b6a614d68108576e82be6fcbc30b905d3a839059fffd28a70a151f8fc41fa2475b4931cc752a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5387e9e19337b9bd1eb8580cd30ecf20

SHA1
c583ee46ad979b90a61ac3dd8113c42aefff4290

SHA256
ba322c4b68e94926e550cf4355c3b91e45a4bf65ed32288b8c98c30bb32c125e

SHA512
0c69cb31d7c80fc73458874da1363d687971ab7d70c14970618826a69b13961e4a2afe79693fc8fbb2bb4fffbdb18b5e0688dae86fa47d3303b9d6346708d71f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c2813966303d3783cfcf0a6d43764f01

SHA1
06b903267ac7079e082672ea5df73dfa6af2edd4

SHA256
a99f94b83747a877e48c842066baf619c365412effc733370363f25578c249f8

SHA512
e29317139d7cc971ae0650c6bfa7c32b222d0c43c3250824e226d979b2f7b829a563f861ca947a97176b73b2e1254418f99bf995f91b86daf415064561d5f1cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fdf54b74a05122f72e8503cefe89ca05

SHA1
6fa530b52e47bc654b0114eefbc67b34b421a83c

SHA256
978a225b2471f59130541e4f028e275f08a6355c21b69d3e4e85dcaff75d20df

SHA512
46d93617f93a3fbc6055fc0985adc7411bab4f559f2cd668ca3fb8d8cd770c4eeac70846a44ad94fe7898c2e1f89ead64c66457fce51d4cb1af77cd738f50f93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f7a381c83fa8e4b47f268b2cee878e7f

SHA1
3eb6df99e0eafccfad892107cc7ae027a8e20ea4

SHA256
6e4cc8b2bd88db2cc8b26012ac205e8454942c9b5dca6e01c68d577d4811d010

SHA512
cd7ab20abe5883f6e36106b41ca0ebb3878fbde54687275ca2dacd786f4afadae386c941daca0ebc5113b17f5dc812cd5436d7de1a3477073b7d2a40261bb2e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8b36ecaf535b3d36ab8e54ca32fa543b

SHA1
0ba6ee039f6d0abc27f75590188fb69d8a0a14be

SHA256
f7117559bf4fff57a1abdac36b79c67acb698a3ece23bc80f842039c6aba9726

SHA512
a6537c09775fc92362f4495d946cadff675e5ed8fa1b65ff6d736c302bcdadf4928a486fc042a51e90f5dd34a46d07fc10d007910d4f1f26a2551848ab2d5ed5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b8a182378f7785fa10e57ca3a097112a

SHA1
ca571b809a6c656a5021d262faf543149e742396

SHA256
0f99df31d4099aed16e256cce3d30183419fac0aa0701f604490ff293848f874

SHA512
77e2584b6e3cf4c9154e8ae4f2307625a8c7c4114fc0b5d6cf39477822a4c4ed3866dc4145e2d786c627e88b459c1294f014a7de560f32e7558e15d9ca1e3085

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
10bb9b4d281dcff042db3bc2d2ca4e6c

SHA1
6f97cc7575e08772341bd151b3748fd74287dd39

SHA256
92fbcfb27602380153ef0a7427ddbb7162b881d79391d0d58c57733115a0cbc0

SHA512
dd9e35e99aa1cb1b1bee9dd087fc97617fde28f416b01d0528f07fbba3b1a2ac3d3ae72db5db7fc911a3926cca79addfbd34c63edb33965c21c305990b737a28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d815a28bed52768cb3331778336adea7

SHA1
890a9de0666bcb626f0230e0d10266ef73a7cf04

SHA256
066af059509c4e9d89159e55920693c50ff365ff2bf38cf5e3bdb92a100ef86a

SHA512
da7651f02d9dd69317d0d0eb836135992e002bbaaddfb423c9e75272cb1d3220c7edcf7bfebf2edbec897504be850fc8d23825526d357b294960fb274de5e9d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab66A0.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6761.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Windows\teiqxggvcfpr.exe

Filesize
325KB

MD5
dc13e7d8c12a96c44d138bc2e3b08cc5

SHA1
29dd6a30dfea183e0fffeb31ddf1389437364a4e

SHA256
e2d9ec16ddadd92cac691a18a686003a703b77ef1b1cb7a7847f1aab6880bd6a

SHA512
17fa6571bb0c60735b824b80c6b271800c4b6278b552901effb8fa3c9fe7ef00e5413d6a5dbfa079c94c671ab1079e94ecfbf1deebba0753b26fa07fc6e1a29d

Download Submit
memory/1520-6220-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1520-5777-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1520-5776-0x0000000000270000-0x0000000000272000-memory.dmp

Filesize
8KB

Download
memory/1888-4605-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1888-8-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1888-6219-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1888-6056-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1888-5775-0x0000000002990000-0x0000000002992000-memory.dmp

Filesize
8KB

Download
memory/1888-3170-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1888-2015-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1888-981-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1888-620-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1888-5730-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2960-9-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2960-0-0x0000000000330000-0x000000000035F000-memory.dmp

Filesize
188KB

Download
memory/2960-2-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2960-1-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download