teslacrypt | 569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be

Analysis

max time kernel
124s
max time network
144s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24-04-2024 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exe
Size

384KB
MD5

58318b59b9d87cadcc48fee7e58614f2
SHA1

869a4893f9e7776af555055000aa44d3f9dd3f70
SHA256

569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be
SHA512

d0b4799619766cb8997245d72ab0d014bc5de742757cd0d55343c8f5822499b006fc88f213b5ad7f72f873f6ba533eea5ca50b5be67f72839a093cadd0cd27ab
SSDEEP

6144:mMfrtVY40toxxNoPawoJX0RwPRuWp2rzL04lBqiQIxMTuuNAvwuE:mMfrg4OoxwPW0mpuWp2rzdKlIxMTumAq

Score

10^/10

teslacrypt persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+sqird.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://yyre45dbvn2nhbefbmh.begumvelic.at/68228442E76794 2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/68228442E76794 3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/68228442E76794 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/68228442E76794 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://yyre45dbvn2nhbefbmh.begumvelic.at/68228442E76794 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/68228442E76794 http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/68228442E76794 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/68228442E76794

URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/68228442E76794

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/68228442E76794

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/68228442E76794

http://xlowfznrg4wf7dli.ONION/68228442E76794

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (408) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2836 cmd.exe

pid	process
2836	cmd.exe

Drops startup file 3 IoCs

Processes:

lrrcnmoehjjy.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+sqird.txt	lrrcnmoehjjy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+sqird.html	lrrcnmoehjjy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+sqird.png	lrrcnmoehjjy.exe

Executes dropped EXE 1 IoCs

Processes:

lrrcnmoehjjy.exe

pid process

2916 lrrcnmoehjjy.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

lrrcnmoehjjy.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\oentdblyqdng = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\lrrcnmoehjjy.exe\""	lrrcnmoehjjy.exe

Drops file in Program Files directory 64 IoCs

Processes:

lrrcnmoehjjy.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\_RECoVERY_+sqird.html	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\glow.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\_RECoVERY_+sqird.txt	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\_RECoVERY_+sqird.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\_RECoVERY_+sqird.html	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\it-IT\_RECoVERY_+sqird.txt	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\_RECoVERY_+sqird.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_h.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\_RECoVERY_+sqird.txt	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\_RECoVERY_+sqird.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\_RECoVERY_+sqird.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\_RECoVERY_+sqird.html	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\_RECoVERY_+sqird.html	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\_RECoVERY_+sqird.txt	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-background.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\_RECoVERY_+sqird.html	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile16.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile_drop_shadow.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\_RECoVERY_+sqird.txt	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\_RECoVERY_+sqird.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_RECoVERY_+sqird.html	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\_RECoVERY_+sqird.html	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\_RECoVERY_+sqird.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\_RECoVERY_+sqird.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\clock.css	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_RECoVERY_+sqird.txt	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_up.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\_RECoVERY_+sqird.txt	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_hail.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\_RECoVERY_+sqird.html	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\_RECoVERY_+sqird.html	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bn.pak	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\_RECoVERY_+sqird.html	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\_RECoVERY_+sqird.txt	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\_RECoVERY_+sqird.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\library.js	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\_RECoVERY_+sqird.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_RECoVERY_+sqird.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\_RECoVERY_+sqird.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\_RECoVERY_+sqird.txt	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\_RECoVERY_+sqird.html	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down_BIDI.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new_partly-cloudy.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\_RECoVERY_+sqird.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-border.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\de-DE\_RECoVERY_+sqird.html	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_m.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\localizedStrings.js	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_RECoVERY_+sqird.txt	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\_RECoVERY_+sqird.txt	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_item.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\_RECoVERY_+sqird.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_RECoVERY_+sqird.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_SelectionSubpicture.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\_RECoVERY_+sqird.html	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\_RECoVERY_+sqird.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\_RECoVERY_+sqird.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\_RECoVERY_+sqird.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\_RECoVERY_+sqird.txt	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\icon.png	lrrcnmoehjjy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_mainImage-mask.png	lrrcnmoehjjy.exe

Drops file in Windows directory 2 IoCs

Processes:

569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exe

description	ioc	process
File created	C:\Windows\lrrcnmoehjjy.exe	569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exe
File opened for modification	C:\Windows\lrrcnmoehjjy.exe	569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420137353"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3477F331-0256-11EF-8A74-66F723737CE2} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000875c78fcd901b349982534433054342000000000020000000000106600000001000020000000fbb2cc7f2b54e0895cac3689bfee0f7c3992aebb5cb74d000a574517a85ddc4c000000000e8000000002000020000000b8101d788e952a772fa2635d1dbbb98ff391a09edea413603b88b53266c97b65200000006e1f3b55eb621e7492972ece6683d0f4eb52104c4f7a015c32984f79b3a4482640000000f4ff3e6129c637cdead5b842984261f23bd55b45445244138a324e78774cbc5777aca08578f41e88b6ccd996b15247a4f33ceb6926fb34f4a674a183b9aa3e83	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70fde5086396da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000875c78fcd901b3499825344330543420000000000200000000001066000000010000200000002f2b088c43988e0afb1394fe5b6f161d59a5da34faa8e8dfe80a2a9422bea7fa000000000e800000000200002000000044cb02202f05fd74a9002357655e7f9faa3893890ac38447a1b887becf16f5a2900000008b3b6c176111c253f374bc21d253b7a7f8979964bba24fc801432d97a8c6a47376ca4c870a838e07b3dec71df877154ad2baeb81df821062e69dbf54791f6ee2f60c01ed87502e62cbc95e267689b50db12de402e3b26c583cfd39750e7678bb8b3975e7dedadf023bbc8b03669d336a8ff42b4cd0152af5ba03e6e42929ce30a45a85140f9cecee000095ffeae35cbf40000000c451987e7cefdc34b6a46efde3fe7d701f4700e4c5126c8f4e26040f5f526eac3bca0930c9e9a4b6b32a99976b4b21be630b456fce3636014c71272413784643	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1608 NOTEPAD.EXE

pid	process
1608	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

lrrcnmoehjjy.exe

pid	process
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe
2916	lrrcnmoehjjy.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exelrrcnmoehjjy.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1960	569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exe
Token: SeDebugPrivilege	2916	lrrcnmoehjjy.exe
Token: SeIncreaseQuotaPrivilege	2604	WMIC.exe
Token: SeSecurityPrivilege	2604	WMIC.exe
Token: SeTakeOwnershipPrivilege	2604	WMIC.exe
Token: SeLoadDriverPrivilege	2604	WMIC.exe
Token: SeSystemProfilePrivilege	2604	WMIC.exe
Token: SeSystemtimePrivilege	2604	WMIC.exe
Token: SeProfSingleProcessPrivilege	2604	WMIC.exe
Token: SeIncBasePriorityPrivilege	2604	WMIC.exe
Token: SeCreatePagefilePrivilege	2604	WMIC.exe
Token: SeBackupPrivilege	2604	WMIC.exe
Token: SeRestorePrivilege	2604	WMIC.exe
Token: SeShutdownPrivilege	2604	WMIC.exe
Token: SeDebugPrivilege	2604	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2604	WMIC.exe
Token: SeRemoteShutdownPrivilege	2604	WMIC.exe
Token: SeUndockPrivilege	2604	WMIC.exe
Token: SeManageVolumePrivilege	2604	WMIC.exe
Token: 33	2604	WMIC.exe
Token: 34	2604	WMIC.exe
Token: 35	2604	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2604	WMIC.exe
Token: SeSecurityPrivilege	2604	WMIC.exe
Token: SeTakeOwnershipPrivilege	2604	WMIC.exe
Token: SeLoadDriverPrivilege	2604	WMIC.exe
Token: SeSystemProfilePrivilege	2604	WMIC.exe
Token: SeSystemtimePrivilege	2604	WMIC.exe
Token: SeProfSingleProcessPrivilege	2604	WMIC.exe
Token: SeIncBasePriorityPrivilege	2604	WMIC.exe
Token: SeCreatePagefilePrivilege	2604	WMIC.exe
Token: SeBackupPrivilege	2604	WMIC.exe
Token: SeRestorePrivilege	2604	WMIC.exe
Token: SeShutdownPrivilege	2604	WMIC.exe
Token: SeDebugPrivilege	2604	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2604	WMIC.exe
Token: SeRemoteShutdownPrivilege	2604	WMIC.exe
Token: SeUndockPrivilege	2604	WMIC.exe
Token: SeManageVolumePrivilege	2604	WMIC.exe
Token: 33	2604	WMIC.exe
Token: 34	2604	WMIC.exe
Token: 35	2604	WMIC.exe
Token: SeBackupPrivilege	2480	vssvc.exe
Token: SeRestorePrivilege	2480	vssvc.exe
Token: SeAuditPrivilege	2480	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2020	WMIC.exe
Token: SeSecurityPrivilege	2020	WMIC.exe
Token: SeTakeOwnershipPrivilege	2020	WMIC.exe
Token: SeLoadDriverPrivilege	2020	WMIC.exe
Token: SeSystemProfilePrivilege	2020	WMIC.exe
Token: SeSystemtimePrivilege	2020	WMIC.exe
Token: SeProfSingleProcessPrivilege	2020	WMIC.exe
Token: SeIncBasePriorityPrivilege	2020	WMIC.exe
Token: SeCreatePagefilePrivilege	2020	WMIC.exe
Token: SeBackupPrivilege	2020	WMIC.exe
Token: SeRestorePrivilege	2020	WMIC.exe
Token: SeShutdownPrivilege	2020	WMIC.exe
Token: SeDebugPrivilege	2020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2020	WMIC.exe
Token: SeRemoteShutdownPrivilege	2020	WMIC.exe
Token: SeUndockPrivilege	2020	WMIC.exe
Token: SeManageVolumePrivilege	2020	WMIC.exe
Token: 33	2020	WMIC.exe
Token: 34	2020	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

3056 iexplore.exe
2540 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3056 iexplore.exe
3056 iexplore.exe
1964 IEXPLORE.EXE
1964 IEXPLORE.EXE

pid	process
3056	iexplore.exe
2540	DllHost.exe

pid	process
3056	iexplore.exe
3056	iexplore.exe
1964	IEXPLORE.EXE
1964	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exelrrcnmoehjjy.exeiexplore.exe

description	pid	process	target process
PID 1960 wrote to memory of 2916	1960	569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exe	lrrcnmoehjjy.exe
PID 1960 wrote to memory of 2916	1960	569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exe	lrrcnmoehjjy.exe
PID 1960 wrote to memory of 2916	1960	569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exe	lrrcnmoehjjy.exe
PID 1960 wrote to memory of 2916	1960	569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exe	lrrcnmoehjjy.exe
PID 1960 wrote to memory of 2836	1960	569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exe	cmd.exe
PID 1960 wrote to memory of 2836	1960	569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exe	cmd.exe
PID 1960 wrote to memory of 2836	1960	569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exe	cmd.exe
PID 1960 wrote to memory of 2836	1960	569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exe	cmd.exe
PID 2916 wrote to memory of 2604	2916	lrrcnmoehjjy.exe	WMIC.exe
PID 2916 wrote to memory of 2604	2916	lrrcnmoehjjy.exe	WMIC.exe
PID 2916 wrote to memory of 2604	2916	lrrcnmoehjjy.exe	WMIC.exe
PID 2916 wrote to memory of 2604	2916	lrrcnmoehjjy.exe	WMIC.exe
PID 2916 wrote to memory of 1608	2916	lrrcnmoehjjy.exe	NOTEPAD.EXE
PID 2916 wrote to memory of 1608	2916	lrrcnmoehjjy.exe	NOTEPAD.EXE
PID 2916 wrote to memory of 1608	2916	lrrcnmoehjjy.exe	NOTEPAD.EXE
PID 2916 wrote to memory of 1608	2916	lrrcnmoehjjy.exe	NOTEPAD.EXE
PID 2916 wrote to memory of 3056	2916	lrrcnmoehjjy.exe	iexplore.exe
PID 2916 wrote to memory of 3056	2916	lrrcnmoehjjy.exe	iexplore.exe
PID 2916 wrote to memory of 3056	2916	lrrcnmoehjjy.exe	iexplore.exe
PID 2916 wrote to memory of 3056	2916	lrrcnmoehjjy.exe	iexplore.exe
PID 3056 wrote to memory of 1964	3056	iexplore.exe	IEXPLORE.EXE
PID 3056 wrote to memory of 1964	3056	iexplore.exe	IEXPLORE.EXE
PID 3056 wrote to memory of 1964	3056	iexplore.exe	IEXPLORE.EXE
PID 3056 wrote to memory of 1964	3056	iexplore.exe	IEXPLORE.EXE
PID 2916 wrote to memory of 2020	2916	lrrcnmoehjjy.exe	WMIC.exe
PID 2916 wrote to memory of 2020	2916	lrrcnmoehjjy.exe	WMIC.exe
PID 2916 wrote to memory of 2020	2916	lrrcnmoehjjy.exe	WMIC.exe
PID 2916 wrote to memory of 2020	2916	lrrcnmoehjjy.exe	WMIC.exe
PID 2916 wrote to memory of 1108	2916	lrrcnmoehjjy.exe	cmd.exe
PID 2916 wrote to memory of 1108	2916	lrrcnmoehjjy.exe	cmd.exe
PID 2916 wrote to memory of 1108	2916	lrrcnmoehjjy.exe	cmd.exe
PID 2916 wrote to memory of 1108	2916	lrrcnmoehjjy.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

lrrcnmoehjjy.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lrrcnmoehjjy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	lrrcnmoehjjy.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exe
"C:\Users\Admin\AppData\Local\Temp\569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\lrrcnmoehjjy.exe
  C:\Windows\lrrcnmoehjjy.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2916
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2604
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1608
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3056 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1964
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\LRRCNM~1.EXE
    3⤵
    PID:1108
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\569301~1.EXE
  2⤵
  - Deletes itself
  PID:2836

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+sqird.html

Filesize
9KB

MD5
41c739ce51eff33454b0abdef1e66b09

SHA1
ebeda1409d9259b685000b00d6868cf3df1a5aa3

SHA256
9f9a114bee2088af5d5bee88ce3b6123bf78080921b0199ebbdaa3215fd96174

SHA512
48b4f73a5e3756ded7a2ba5bf7bfe5cb87b536eef09701b6671e13e17668796d906fe609daaa15f168f42dbecd6a036a3753a27d6aa9b46d7d101e9dab2ee9d7

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+sqird.png

Filesize
62KB

MD5
c26c5ecec718d7b32e1cfea05471d7bb

SHA1
46265d31bffbcaf029d34830efe2077811310f74

SHA256
d65365b9a4313103f8ac77d83f2ebec03de40a77441c90cd2b390bd71df2edba

SHA512
9895421ff601245d759c502b5607d050c8c4209cb5da5de5650112ff0981d72f8600e13a6fe257bcec014cbff04b0b85e1d0f3e1374658f0a110b32752bdff05

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+sqird.txt

Filesize
1KB

MD5
46f498864560242a8a555677078878fc

SHA1
4cf28920387bb9c10527714dffbb6ef8e256c3b1

SHA256
c411e1a9378da0cb7e6c5d5f3fa6813e0bde5ae043bb5d034809e00866f35a6d

SHA512
266c451763ce0861b0b94b00c904216284d1075d415d7cdeff6afc1777859c1505f2be6f47a4ab54e21470d39997c1028efc76dfc0b930a1404360a57739267f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
9664218e48a88b7f95bda301f7559aa9

SHA1
bf91fd928847e8f28d811ae61a8f5fa3a31c5b43

SHA256
9da47343660c9f11af719c4cb81df89de24adc65ec563825aed6a7382cb197e9

SHA512
256c834a4e24ca109a51fdb8cc3218512c38e9441484825bd89197a7aff05b617d1a27890bf7aa748684f3cb93100d36be7188036e7c8a62a1ed9adf2668255a

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
3bc29b57b8f89624899ba2ebd864de65

SHA1
77562b8c0aaff11d8f73c4eb030eb0252972306d

SHA256
70673d98ba89756116dcefdc324bfe50fbbd33893624972c20278901e2c8d544

SHA512
b9cecc02ee75c676d74df7691ed35e9609a1ffa5d6843c3f4b0455a2632f373ef60a4284c1bb808d009f4f89a0c978369ec5ce466a6029a49a9a965a31c34fac

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
91bede23ac3d6cc63c37015d7477925a

SHA1
0011065b2fdb3783acbc168c28e69b3839c8288d

SHA256
e9a0c98721d24c1f0fb6fd5241865f1efacce06d74b33d4f3c9c70678ffe4bd0

SHA512
3e6e16108f637cd30491c9729ffc829485c62e3ae0c721511b627f2185a27e3232726f761bbd826441fd049cea3a92504a8f9e695e4e5188b2843f1228bd64e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
e18082b859adf69436620ae794849c8e

SHA1
17c5956b9b26f64c803b26aac2a0e3997a8f28c1

SHA256
a0fe31da747703c08847426a19c27256e3f767744e1e53d20da94c836135d375

SHA512
3d8bed0ffdcaa6d6df6a9aec9e21ef140e6d2410e6bc3590eed9f382fcc80421223ffe16758c2ca6d8c8a962bbf56701c2f35a2eacc067deb437267ffe5b9f49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
9d3dc9e97511aa0155809de5c91f6c0d

SHA1
1df6f1626a231900bfd4bf702a10f66352b87981

SHA256
b578342c0f39cb0796e00c7ef6cb7c5418aff18c711c124e7680b9009fa2ed72

SHA512
25f0e2fa3970c3596f9b5ea7691c961fa51690c323d61684bfdfedcd36dbff4754d0da982341c27707940064f19b9425adec5965cc2b55a9deb9120bcb728af1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
4c9477cccfe2e13676100558d3c60280

SHA1
195a9d54746d552c5022cfe586c14c5af942cf32

SHA256
432ab3d18518aa4378a947688a79c5614b32b8e22ee9c3bd000164f0d6f51556

SHA512
7f331e4bc9ec040ac070a8772f141fe8b3f3f0305c0f0ed86bff008c50ba4cc46e7a683fe099fb8cbc7b7dc081bf682e6d76f18cd417d8b6f579c39bc79ad80e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7FB1.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\lrrcnmoehjjy.exe

Filesize
384KB

MD5
58318b59b9d87cadcc48fee7e58614f2

SHA1
869a4893f9e7776af555055000aa44d3f9dd3f70

SHA256
569301af9040de9cdd78acead87de0da760fdc1bf9a6d4ba17675b4e658d74be

SHA512
d0b4799619766cb8997245d72ab0d014bc5de742757cd0d55343c8f5822499b006fc88f213b5ad7f72f873f6ba533eea5ca50b5be67f72839a093cadd0cd27ab

Download Submit
memory/1960-17-0x0000000000350000-0x00000000003D6000-memory.dmp

Filesize
536KB

Download
memory/1960-12-0x0000000002A30000-0x0000000002AD5000-memory.dmp

Filesize
660KB

Download
memory/1960-2-0x0000000000350000-0x00000000003D6000-memory.dmp

Filesize
536KB

Download
memory/1960-1-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1960-16-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1960-0-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2540-5923-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download
memory/2540-6514-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/2540-5925-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/2916-13-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2916-15-0x0000000001D60000-0x0000000001DE6000-memory.dmp

Filesize
536KB

Download
memory/2916-5922-0x0000000003700000-0x0000000003702000-memory.dmp

Filesize
8KB

Download
memory/2916-5960-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2916-5784-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2916-5916-0x0000000001D60000-0x0000000001DE6000-memory.dmp

Filesize
536KB

Download
memory/2916-5791-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2916-6513-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2916-2580-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2916-6522-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download