teslacrypt | a878058e1c857a46a565cd950a6e26c2b6d30fca17ef97efb7488625c326aaba

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10-06-2024 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe
Size

388KB
MD5

1fe6fdfb7796bf1ec5bdf80f86fa9dc5
SHA1

c4f86755ca60567fedc3a05ce88c4a342219c8b4
SHA256

a878058e1c857a46a565cd950a6e26c2b6d30fca17ef97efb7488625c326aaba
SHA512

22cfa91dfb8f8a885932b269202b4e68da7b94316213f47729b3fc2a10050e7629abe310ffa583ca1211b54dbbc37b040f76442c1c2e774a6dfd79e3fd80d9b6
SSDEEP

6144:nYMk7V7PQkaYO0iNq/PimTBQNEETJYOo0DldfrvwmjcMVW5OouUI5KtrQ8POyU:nnSdO0iNEPn+TGOoYzwscMSOXUIJ

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+qkllx.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/95ED5414483264D5 2. http://kkd47eh4hdjshb5t.angortra.at/95ED5414483264D5 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/95ED5414483264D5 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/95ED5414483264D5 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/95ED5414483264D5 http://kkd47eh4hdjshb5t.angortra.at/95ED5414483264D5 http://ytrest84y5i456hghadefdsd.pontogrot.com/95ED5414483264D5 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/95ED5414483264D5

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/95ED5414483264D5

http://kkd47eh4hdjshb5t.angortra.at/95ED5414483264D5

http://ytrest84y5i456hghadefdsd.pontogrot.com/95ED5414483264D5

http://xlowfznrg4wf7dli.ONION/95ED5414483264D5

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (416) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2552 cmd.exe

pid	process
2552	cmd.exe

Drops startup file 3 IoCs

Processes:

gklqnrhxswjo.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+qkllx.txt	gklqnrhxswjo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+qkllx.html	gklqnrhxswjo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+qkllx.png	gklqnrhxswjo.exe

Executes dropped EXE 2 IoCs

Processes:

gklqnrhxswjo.exegklqnrhxswjo.exe

pid process

2800 gklqnrhxswjo.exe
2852 gklqnrhxswjo.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2800	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

gklqnrhxswjo.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\oryaewytlotj = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\gklqnrhxswjo.exe\""	gklqnrhxswjo.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exegklqnrhxswjo.exe

description	pid	process	target process
PID 2148 set thread context of 2672	2148	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe
PID 2800 set thread context of 2852	2800	gklqnrhxswjo.exe	gklqnrhxswjo.exe

Drops file in Program Files directory 64 IoCs

Processes:

gklqnrhxswjo.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\21.png	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\Recovery+qkllx.txt	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\Recovery+qkllx.txt	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\Recovery+qkllx.html	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\Recovery+qkllx.png	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\Recovery+qkllx.html	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\settings.js	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\play-static.png	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\Recovery+qkllx.html	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\Recovery+qkllx.html	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\Recovery+qkllx.html	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\Recovery+qkllx.png	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\weather.css	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\Recovery+qkllx.png	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\Recovery+qkllx.txt	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\Recovery+qkllx.txt	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\Recovery+qkllx.png	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\Recovery+qkllx.html	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\Recovery+qkllx.png	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked-loading.png	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\Recovery+qkllx.html	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-TW.pak	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\Recovery+qkllx.txt	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\Recovery+qkllx.html	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Recovery+qkllx.txt	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\Recovery+qkllx.html	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-today.png	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Star_Full.png	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\14.png	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Internet Explorer\Recovery+qkllx.png	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\Recovery+qkllx.txt	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_h.png	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\Recovery+qkllx.png	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\fr-FR\Recovery+qkllx.png	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_MCELogo_mousedown.png	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\Recovery+qkllx.html	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\Recovery+qkllx.png	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-desk.png	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\Recovery+qkllx.txt	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\Recovery+qkllx.html	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\Recovery+qkllx.html	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\Recovery+qkllx.txt	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_over.png	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\localizedStrings.js	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Recovery+qkllx.txt	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask.wmv	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\Recovery+qkllx.txt	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\Recovery+qkllx.html	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\slideShow.js	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\Recovery+qkllx.png	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\Recovery+qkllx.png	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\Recovery+qkllx.png	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\row_over.png	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\Recovery+qkllx.txt	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kab\Recovery+qkllx.txt	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_dot.png	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\43.png	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\vintage.png	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\Recovery+qkllx.txt	gklqnrhxswjo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\Recovery+qkllx.png	gklqnrhxswjo.exe

Drops file in Windows directory 2 IoCs

Processes:

VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe

description	ioc	process
File created	C:\Windows\gklqnrhxswjo.exe	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe
File opened for modification	C:\Windows\gklqnrhxswjo.exe	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C32B3031-2716-11EF-A538-5630532AF2EE} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000db507f289aabc0d1fdd75ea3db1326722c9da4d4d5b1be3089ffc0f2a15e70a2000000000e8000000002000020000000f8adf046f6c9adbb7b8d7fb14209d3582831e711bb17220ea3608df9e17d1ed020000000e479b802def88d7624304730b96d518fd773f09158550f79c51a51f065100eb9400000000a041369b0d5a7bbced295721f6665e05db560e1972a1e8b8928d69feb917d9f9c823f3434b784b1902c92344719e9dd034743c87baab8deb0c50cfc6a5c2a40	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 502cb89723bbda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000b6ccb088d33521e8faacc619741125cbac76a677bf356d719e07c834b65d4cf5000000000e8000000002000020000000067b40481e06c513897113e6ca0a63c2828a555e5f637b6e496118448246b10190000000bd9eb1368c71e19ccee261b670af81cacfc5a27b441676fecfff9bba2edaa25d8742a519d3e286546b50a5f43e7bbd6e2064f2de4a2716146903bca2e79309fea21f09fe46b8e641c1aeab58ed9c663dc10cc65cba447bf48d664822527912f27009146b65799de157b0029884c509a12af4ee06d43f0bcc123c2967c73a4afc68a8a0e045822807c3f5e7394a647d11400000003848420f9cf8486460b39525c66a8919175305b29d0451293799b9b10fa70dce31486a89d5803f3c0ff6b251535268538c36f24213cc651d5f6771c8faa204b6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

gklqnrhxswjo.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	gklqnrhxswjo.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	gklqnrhxswjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	gklqnrhxswjo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	gklqnrhxswjo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	gklqnrhxswjo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	gklqnrhxswjo.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1048 NOTEPAD.EXE

pid	process
1048	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

gklqnrhxswjo.exe

pid	process
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe
2852	gklqnrhxswjo.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exegklqnrhxswjo.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2672	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe
Token: SeDebugPrivilege	2852	gklqnrhxswjo.exe
Token: SeIncreaseQuotaPrivilege	2000	WMIC.exe
Token: SeSecurityPrivilege	2000	WMIC.exe
Token: SeTakeOwnershipPrivilege	2000	WMIC.exe
Token: SeLoadDriverPrivilege	2000	WMIC.exe
Token: SeSystemProfilePrivilege	2000	WMIC.exe
Token: SeSystemtimePrivilege	2000	WMIC.exe
Token: SeProfSingleProcessPrivilege	2000	WMIC.exe
Token: SeIncBasePriorityPrivilege	2000	WMIC.exe
Token: SeCreatePagefilePrivilege	2000	WMIC.exe
Token: SeBackupPrivilege	2000	WMIC.exe
Token: SeRestorePrivilege	2000	WMIC.exe
Token: SeShutdownPrivilege	2000	WMIC.exe
Token: SeDebugPrivilege	2000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2000	WMIC.exe
Token: SeRemoteShutdownPrivilege	2000	WMIC.exe
Token: SeUndockPrivilege	2000	WMIC.exe
Token: SeManageVolumePrivilege	2000	WMIC.exe
Token: 33	2000	WMIC.exe
Token: 34	2000	WMIC.exe
Token: 35	2000	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2644	WMIC.exe
Token: SeSecurityPrivilege	2644	WMIC.exe
Token: SeTakeOwnershipPrivilege	2644	WMIC.exe
Token: SeLoadDriverPrivilege	2644	WMIC.exe
Token: SeSystemProfilePrivilege	2644	WMIC.exe
Token: SeSystemtimePrivilege	2644	WMIC.exe
Token: SeProfSingleProcessPrivilege	2644	WMIC.exe
Token: SeIncBasePriorityPrivilege	2644	WMIC.exe
Token: SeCreatePagefilePrivilege	2644	WMIC.exe
Token: SeBackupPrivilege	2644	WMIC.exe
Token: SeRestorePrivilege	2644	WMIC.exe
Token: SeShutdownPrivilege	2644	WMIC.exe
Token: SeDebugPrivilege	2644	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2644	WMIC.exe
Token: SeRemoteShutdownPrivilege	2644	WMIC.exe
Token: SeUndockPrivilege	2644	WMIC.exe
Token: SeManageVolumePrivilege	2644	WMIC.exe
Token: 33	2644	WMIC.exe
Token: 34	2644	WMIC.exe
Token: 35	2644	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

2260 iexplore.exe
1576 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2260 iexplore.exe
2260 iexplore.exe
848 IEXPLORE.EXE
848 IEXPLORE.EXE

pid	process
2260	iexplore.exe
1576	DllHost.exe

pid	process
2260	iexplore.exe
2260	iexplore.exe
848	IEXPLORE.EXE
848	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exeVirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exegklqnrhxswjo.exegklqnrhxswjo.exeiexplore.exe

description	pid	process	target process
PID 2148 wrote to memory of 2672	2148	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe
PID 2148 wrote to memory of 2672	2148	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe
PID 2148 wrote to memory of 2672	2148	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe
PID 2148 wrote to memory of 2672	2148	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe
PID 2148 wrote to memory of 2672	2148	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe
PID 2148 wrote to memory of 2672	2148	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe
PID 2148 wrote to memory of 2672	2148	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe
PID 2148 wrote to memory of 2672	2148	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe
PID 2148 wrote to memory of 2672	2148	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe
PID 2148 wrote to memory of 2672	2148	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe
PID 2148 wrote to memory of 2672	2148	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe
PID 2672 wrote to memory of 2800	2672	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	gklqnrhxswjo.exe
PID 2672 wrote to memory of 2800	2672	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	gklqnrhxswjo.exe
PID 2672 wrote to memory of 2800	2672	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	gklqnrhxswjo.exe
PID 2672 wrote to memory of 2800	2672	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	gklqnrhxswjo.exe
PID 2672 wrote to memory of 2552	2672	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	cmd.exe
PID 2672 wrote to memory of 2552	2672	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	cmd.exe
PID 2672 wrote to memory of 2552	2672	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	cmd.exe
PID 2672 wrote to memory of 2552	2672	VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe	cmd.exe
PID 2800 wrote to memory of 2852	2800	gklqnrhxswjo.exe	gklqnrhxswjo.exe
PID 2800 wrote to memory of 2852	2800	gklqnrhxswjo.exe	gklqnrhxswjo.exe
PID 2800 wrote to memory of 2852	2800	gklqnrhxswjo.exe	gklqnrhxswjo.exe
PID 2800 wrote to memory of 2852	2800	gklqnrhxswjo.exe	gklqnrhxswjo.exe
PID 2800 wrote to memory of 2852	2800	gklqnrhxswjo.exe	gklqnrhxswjo.exe
PID 2800 wrote to memory of 2852	2800	gklqnrhxswjo.exe	gklqnrhxswjo.exe
PID 2800 wrote to memory of 2852	2800	gklqnrhxswjo.exe	gklqnrhxswjo.exe
PID 2800 wrote to memory of 2852	2800	gklqnrhxswjo.exe	gklqnrhxswjo.exe
PID 2800 wrote to memory of 2852	2800	gklqnrhxswjo.exe	gklqnrhxswjo.exe
PID 2800 wrote to memory of 2852	2800	gklqnrhxswjo.exe	gklqnrhxswjo.exe
PID 2800 wrote to memory of 2852	2800	gklqnrhxswjo.exe	gklqnrhxswjo.exe
PID 2852 wrote to memory of 2000	2852	gklqnrhxswjo.exe	WMIC.exe
PID 2852 wrote to memory of 2000	2852	gklqnrhxswjo.exe	WMIC.exe
PID 2852 wrote to memory of 2000	2852	gklqnrhxswjo.exe	WMIC.exe
PID 2852 wrote to memory of 2000	2852	gklqnrhxswjo.exe	WMIC.exe
PID 2852 wrote to memory of 1048	2852	gklqnrhxswjo.exe	NOTEPAD.EXE
PID 2852 wrote to memory of 1048	2852	gklqnrhxswjo.exe	NOTEPAD.EXE
PID 2852 wrote to memory of 1048	2852	gklqnrhxswjo.exe	NOTEPAD.EXE
PID 2852 wrote to memory of 1048	2852	gklqnrhxswjo.exe	NOTEPAD.EXE
PID 2852 wrote to memory of 2260	2852	gklqnrhxswjo.exe	iexplore.exe
PID 2852 wrote to memory of 2260	2852	gklqnrhxswjo.exe	iexplore.exe
PID 2852 wrote to memory of 2260	2852	gklqnrhxswjo.exe	iexplore.exe
PID 2852 wrote to memory of 2260	2852	gklqnrhxswjo.exe	iexplore.exe
PID 2260 wrote to memory of 848	2260	iexplore.exe	IEXPLORE.EXE
PID 2260 wrote to memory of 848	2260	iexplore.exe	IEXPLORE.EXE
PID 2260 wrote to memory of 848	2260	iexplore.exe	IEXPLORE.EXE
PID 2260 wrote to memory of 848	2260	iexplore.exe	IEXPLORE.EXE
PID 2852 wrote to memory of 2644	2852	gklqnrhxswjo.exe	WMIC.exe
PID 2852 wrote to memory of 2644	2852	gklqnrhxswjo.exe	WMIC.exe
PID 2852 wrote to memory of 2644	2852	gklqnrhxswjo.exe	WMIC.exe
PID 2852 wrote to memory of 2644	2852	gklqnrhxswjo.exe	WMIC.exe
PID 2852 wrote to memory of 2848	2852	gklqnrhxswjo.exe	cmd.exe
PID 2852 wrote to memory of 2848	2852	gklqnrhxswjo.exe	cmd.exe
PID 2852 wrote to memory of 2848	2852	gklqnrhxswjo.exe	cmd.exe
PID 2852 wrote to memory of 2848	2852	gklqnrhxswjo.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

gklqnrhxswjo.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gklqnrhxswjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	gklqnrhxswjo.exe

C:\Users\Admin\AppData\Local\Temp\VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_1fe6fdfb7796bf1ec5bdf80f86fa9dc5.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\gklqnrhxswjo.exe
    C:\Windows\gklqnrhxswjo.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\gklqnrhxswjo.exe
      C:\Windows\gklqnrhxswjo.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2852
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:1048
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2260
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2260 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:848
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\GKLQNR~1.EXE
        5⤵
        
        PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
    3⤵
    - Deletes itself
    PID:2552

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+qkllx.html

Filesize
9KB

MD5
6129ae96f979304ab0341d23dfcfde56

SHA1
cec3c06530e1469acef0d98151aad7f0377c645e

SHA256
20ce895248bb9d1c1f35b3a020e9fe84b0a72f347abfb8535b8b64db060248e0

SHA512
a66c72cc772cc42a48c5741dc6b00ecc931e992a104cf98c661e0471e070c1eb0e6f07d25cd200b1689d723eb85ed489b2950a422b4c8c8c2365a67cf57a5249

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+qkllx.png

Filesize
63KB

MD5
e305c7d1715ec35dce0b94960fc0f463

SHA1
7e68a6202d200ef6e364695bdf275dc26f1f9cb0

SHA256
040a538170011e639ab5b8242398ec6d8d47ccd34049001f91b95da48258d599

SHA512
6d21800ef04cfc4856890ca652bb77b626c422d62003e225c1518d243001f585866ff17938b39bb9bdbf3b7514b436102dde5860fea42d1248b33d61459ec84d

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+qkllx.txt

Filesize
1KB

MD5
cd28220ec8269ee9e7e59dbe78ed2dff

SHA1
d1ec2e36b7ee32a5af337d3de1f712169313b595

SHA256
0e80017a5bb713809fa18fd6330ac0c511225441169f62a1b925b4dcfdb2164c

SHA512
6e9b31102e814fc711c815aa2cf8dabd972ea47a28b649b49ce820a5a68665acd729f4b276872aad7dc3ac1c5ee336917bc317bee054ddd15d1345414d5935b8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
281a1eb1ccb8f27bbefb8d01b5067bee

SHA1
c3ffb822fd1d62d6016db8f9a4bbd5900bdb8865

SHA256
5e32921eafe165260fa412e834cad7997a40eab33a6022eb91c89830135d188b

SHA512
7ab541fe761228a8715300de612f0cf14609df1a74fa7e3b1f507c3c2d4bc98bebd4cddb48fa78e0454cff28ac2a110127e2c751309a4dd6b4fbb9b90092601c

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
886b63d926d683669ed9aa3fd2b85432

SHA1
4ae9778aaac0027e2c2e1fb4a2f445c6bf17afcb

SHA256
99c8aea8bccc95132a7feee29b7175347cd36fb0bcf3fa8b00bd6102892762d2

SHA512
14d67367bbd5aa4f2dbca6c58ee4e7694ed238b713a8d9e1add61b282dd634e8a11fac84a6f2620b7e692df07848e97cedfb9bb16a9d774c13963083f6b6ddbb

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
39fc102a6fde87a0492c68c14498e3f4

SHA1
7dcd9e75d91d38c5ae95815720cd702d19cf7590

SHA256
1d154f5857ce7db2689de0de32dc8b8320e9651199f8bd122f15fa3e06b5f838

SHA512
9d803019de7702036ffefaf8850829e0a598ad0018c86505006b9ff8a7a2b4d4a589be0ffbcbc4cdd5980f5002995698eda32faa42152dcdddee1d86d72e58b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
036c5d952cdece5272a50024daa1a804

SHA1
f40a0e93cfcb3c7d4cb82eedf78f93c268013814

SHA256
a172bf3d05cf7960c09a21dce880fe5dc87667b273ea1bd0433642e0fce61efd

SHA512
a13c2e6dbe8ddf7654e1f3572c1f3022c10d3be9d79467204a9925496c66f60a7fb9b3c215208f0eb5d176fd45b31a65eaed50942b662090dd00de5a819df541

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48a4487d213d90dc46083fb7ff5c0b42

SHA1
dc96b634031d36a5ed01164832ac6c39af0acff5

SHA256
f336ff19727a99475fd7de9d0551159edbe6e4e60ba71dd2e71b0e79458dbc4c

SHA512
f0eef8293da19880400a7c981a66e42e38c3c804217b3c847dff7b7b7bf1b01f688835ec3a3f27cdd55b4e663564e4e569a9ad75e9d87a3afaa64851cce00d2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c407799fa4e7bc8b9e401abfda40531

SHA1
e824d08e00d636354f2c41283c0cb4066dfeb7bb

SHA256
73a5b08698656acffc31b4bb005cac830fdfc6795f74cf16f5bdab0e00b6736f

SHA512
7d33b58bda3e5674191f8646a6dd1f08431ab8e34031bc95a936235552177925b36672c7785f298bdde6cd77562369a4de4d6d2cbe229b1edf729a7896bd97e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
445b3e9c89ef43f6d8969dbc44f0afdb

SHA1
1856d3fee3cca11151c49e20a694fb9dccc566f9

SHA256
fde95a17c7319c356697be3f15a1197dcba6b56f3038f94e7f5c146614bc0177

SHA512
f385a0c60057c2103256296644eb4f77a261e648baa28745e654772e150127f27e32e3bcdc77adc82795efcc37616adcf6a7f92fd681cae20c14bfcea9b09fa8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae88eb3a20c25abbc1425cd5589d051d

SHA1
0341a85892a2584dfc6f602c7b02b1b95689637e

SHA256
d0034e9cccc5fdc6e8cf816a7a7b7f9ab2d621d47c961d2d00eaf11ae68f6f13

SHA512
943c2da8c9f0b4f214557180991adfc4f349c5bc3ba681747720a6b2e526251deab0b10e62969254f9b8ceae8311955395f2ef1f6d37bcb34244fb11eac69609

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd8053c6a455c79bedda1c37f023f7eb

SHA1
464b5c3202dac980cb36ff330da0cd3c025623a9

SHA256
285b0bec2034a408c4007da3656a13f94bc3eb8f2f27c3b4b1dd1535684151c5

SHA512
6bac156f876bf911ccc290ca6b94b6ba3d5e42859884c4a4273d36c77289f0896539707e61c25078da2ca843b229a07e97d439b1a64db13234b4ec0c2109a4f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c15e8722a9994954132c181260c2106

SHA1
e7c460fcaee2c73bbb39d872d0c44072754f7c0a

SHA256
a7cc73c8d3e2374a8ea07af594de63190823b3dad5dbf5ca9c8da65d56a76c96

SHA512
af28d7ad66eaff3c5f43e3c33485f95323971a6763b3ae26ed9150187b65f901889e1bcd3c5e8159a7fd941a8e1242b86b4bdc5a41818d568452cef1d978e80f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52736f826b89f43b96f3573525573e96

SHA1
aa4d5fb9663ad63c2b45cf24f5608a1666620856

SHA256
845d227ec089f0336e661950c2261ad93db2d039d8c066e7cf4ecce2842ca064

SHA512
c981830182210d4107c0f18d0d46c956bae8eb35e2281a1eb7873d98fd60dc6e61d63beff0f97f99023c4cc868ed2318ddc6509fdcf500a6761aee0157747ba1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eadb0370cf6c22204e95db948481b636

SHA1
2f6b7d1d1f93c82c4273027c793be3ddd251a8a1

SHA256
a14bd06156a6e9bf4a7fda1ed9936c15bacfaaf1268424d1184f16b653843a08

SHA512
f1b35bbe4edb04d03cf1fee1b807836b0314b42de3cd2e1ebfd8be4541a569d715abdd6569e4b6525beacfc334e6b2f7c8dd7b613c05ec2a15cdd432673dc76a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48b6dfc0516391036fc1819bb6945ae5

SHA1
ceaeace74f190de4d19d5fb1b22eee8d0da38fed

SHA256
7e2089b145ad7d0c5c013db52b2daaaadffe540f4162257ab22f862ffb3ab249

SHA512
0fbc48f45ce8c7374575376947208491487da90555c92c2a3acad386cf27f38882cdfa0a7b384a4f7493ad2bc460f3c71b758e289873042c2d366668de559059

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15b8c0458391f36d26b89cc6d5194938

SHA1
3a8bdc8fbf89ed98fa705ddd74e9511992929ed9

SHA256
9e3d68f5efc88bc948f42f772fd0dd072281e5b3e9fd931c3ab052f6a4bd24d7

SHA512
8031ae58a71720d2236b766dc3e8d2fdd42ed23837bb18fa6b32713c6bdda1606e0e41b1d2b6779acce0ce6e0a0588b1d754095e95e4e2c7dbb1aaa82a81beca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
642442e6f1c8bdb7f25c813e50334741

SHA1
86cffdbee9fe3b1991e1927a1eba8a7f6b9c30b7

SHA256
7cfffc94731161076c4b10473abdce7e37b243dd02ca8f642edae8497af62474

SHA512
9a71186546f02e76374896f4737a7e55efbbfa21eaddfe53558f79fcb4a80836441981c0e1398197134ff08e66157a0fca2e418bbae3f5fe72ba478d737d934c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar12CD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\gklqnrhxswjo.exe

Filesize
388KB

MD5
1fe6fdfb7796bf1ec5bdf80f86fa9dc5

SHA1
c4f86755ca60567fedc3a05ce88c4a342219c8b4

SHA256
a878058e1c857a46a565cd950a6e26c2b6d30fca17ef97efb7488625c326aaba

SHA512
22cfa91dfb8f8a885932b269202b4e68da7b94316213f47729b3fc2a10050e7629abe310ffa583ca1211b54dbbc37b040f76442c1c2e774a6dfd79e3fd80d9b6

Download Submit
memory/1576-6118-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2148-17-0x0000000000370000-0x0000000000373000-memory.dmp

Filesize
12KB

Download
memory/2148-1-0x0000000000370000-0x0000000000373000-memory.dmp

Filesize
12KB

Download
memory/2148-0-0x0000000000370000-0x0000000000373000-memory.dmp

Filesize
12KB

Download
memory/2672-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2672-30-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2672-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2672-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2672-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2672-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2672-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2672-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2672-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2672-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2672-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2800-31-0x0000000000400000-0x000000000085C000-memory.dmp

Filesize
4.4MB

Download
memory/2852-6117-0x0000000003F80000-0x0000000003F82000-memory.dmp

Filesize
8KB

Download
memory/2852-50-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2852-6134-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2852-6137-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2852-6121-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2852-6120-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2852-51-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2852-1318-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2852-6111-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2852-6086-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2852-2851-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2852-52-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2852-55-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download