86e08c4190074fa5774eb0f37afacf780bfe1b4f1335cccfcd1d5fe140e09b5b

Analysis

max time kernel
130s
max time network
129s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
10-06-2024 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe
Size

616KB
MD5

2bfb0ef1b81124ca61c93c341a9ed164
SHA1

80a77d8af4702dc597bc48838f9140e1d3ed2bc0
SHA256

86e08c4190074fa5774eb0f37afacf780bfe1b4f1335cccfcd1d5fe140e09b5b
SHA512

2c336f88c9c7c3f7c8c3ae87f392f92ece3e28155b08b25f31c522b3df509bef5803240647a2853bc34567f943e6afd5dfba732ddbbfe1e2cffd0e272a6f97a0
SSDEEP

12288:Iv/fMH3Mu7vOlM7CjCkczgmziP+1RTwu7vOlM7CjCkczg:Iv/fMfvQjCM+3vQj

Score

10^/10

defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+odojl.txt

Ransom Note

__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://p57gest54celltraf743knjf.mottesapo.com/D028C17C49C9201D 2. http://k4restportgonst34d23r.oftpony.at/D028C17C49C9201D 3. http://rr7mdgjbjhbefvkhbashrg.ginnypecht.com/D028C17C49C9201D If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization 3. Type in the address bar: fwgrhsao3aoml7ej.onion/D028C17C49C9201D 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *** Your personal pages: http://p57gest54celltraf743knjf.mottesapo.com/D028C17C49C9201D http://k4restportgonst34d23r.oftpony.at/D028C17C49C9201D http://rr7mdgjbjhbefvkhbashrg.ginnypecht.com/D028C17C49C9201D *** Your personal page Tor-Browser: fwgrhsao3aoml7ej.ONION/D028C17C49C9201D *** Your personal identification ID: D028C17C49C9201D

URLs

http://p57gest54celltraf743knjf.mottesapo.com/D028C17C49C9201D

http://k4restportgonst34d23r.oftpony.at/D028C17C49C9201D

http://rr7mdgjbjhbefvkhbashrg.ginnypecht.com/D028C17C49C9201D

http://fwgrhsao3aoml7ej.onion/D028C17C49C9201D

http://fwgrhsao3aoml7ej.ONION/D028C17C49C9201D

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (427) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2292	cmd.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+odojl.png	gnycdlrvjodv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+odojl.txt	gnycdlrvjodv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+odojl.html	gnycdlrvjodv.exe

Executes dropped EXE 4 IoCs

pid	Process
1184	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
2808	gcfkv.exe
1108	maeoa.exe

Loads dropped DLL 2 IoCs

pid	Process
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\12_23-dst = "C:\\Windows\\gnycdlrvjodv.exe"	gnycdlrvjodv.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2912 set thread context of 2596	2912	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	28
PID 1184 set thread context of 1332	1184	gnycdlrvjodv.exe	34

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Recovery+odojl.png	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\Recovery+odojl.png	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\Recovery+odojl.html	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Recovery+odojl.html	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\Recovery+odojl.png	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\Recovery+odojl.txt	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\Recovery+odojl.png	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\en-US\Recovery+odojl.html	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\main.js	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\babypink.png	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\Recovery+odojl.png	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\Recovery+odojl.png	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\Recovery+odojl.txt	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\Recovery+odojl.png	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\Recovery+odojl.txt	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_rainy.png	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\Recovery+odojl.html	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\Recovery+odojl.png	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\Recovery+odojl.html	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\Recovery+odojl.html	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\Recovery+odojl.html	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\Recovery+odojl.txt	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)alertIcon.png	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\Recovery+odojl.txt	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoCanary.png	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\Recovery+odojl.png	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Recovery+odojl.txt	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\Recovery+odojl.html	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\Recovery+odojl.html	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\ja-JP\Recovery+odojl.txt	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Windows Sidebar\ja-JP\Recovery+odojl.txt	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\Recovery+odojl.png	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\Recovery+odojl.html	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d9\Recovery+odojl.html	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\settings.js	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\Recovery+odojl.html	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\Recovery+odojl.txt	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\Recovery+odojl.html	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\MainMenuButtonIcon.png	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\Recovery+odojl.txt	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\Recovery+odojl.html	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\Recovery+odojl.png	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\Recovery+odojl.txt	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Recovery+odojl.png	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\Recovery+odojl.txt	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ro.pak	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\Recovery+odojl.html	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\Recovery+odojl.png	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Recovery+odojl.html	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\Recovery+odojl.txt	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\Recovery+odojl.html	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\Recovery+odojl.txt	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_lrg_sml.png	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\9.png	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\weather.css	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\Recovery+odojl.png	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_100_percent.pak	gnycdlrvjodv.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-CN.pak	gnycdlrvjodv.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\gnycdlrvjodv.exe	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe
File opened for modification	C:\Windows\gnycdlrvjodv.exe	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2916	vssadmin.exe
2148	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c47a918bf0f1a2488ec28498fb5077ce00000000020000000000106600000001000020000000b32f74f58cd9a74f5bd419b05d04e7b2c5c8b94bf58c06355795ecd4afc00d06000000000e8000000002000020000000d613c1a0e8fee3bf30af43ef607b534c9ea29e9febeb1d69bc896b5eefd25dad200000002fbb0daa848217d416ba65ac6818dc666ebdae9e76879803cbb64d7c4388aaf54000000093ad74d463ae903e5b1c8fdc3bc19cf7ffc47fe78b9fbd3116ee77b0ce145e2fe6582c5935f8bf27d1115c46591f97842c5f50737562e42bfc9bceb75bedc98b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 108e1c2024bbda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c47a918bf0f1a2488ec28498fb5077ce0000000002000000000010660000000100002000000079b8c862aa15409f6069d061871bd2d9aa270647314824b8552dcc56e5c1f016000000000e8000000002000020000000b491fa21f9946fa9523bd1169e79cdc9b122c875bd848a3bbd1b1be205171dfc90000000765d01f233b26f36155477cb65eecfffa40850e63b50878c49bbfbff85aa05018b956c9fec6860f79a17b42844aa9d63f28a313a05cfed638302fe87d5319df2460502e83c41fff6b8a4843d668bdf79be0d48195d27ec0a0958694876a0139ade205c27b9c34c00166eaa5caecc6976b99995aa62fbae8969ffa3aa9bbc436b1c42747645215d2acbb7a9f322be027540000000de7bef6e8734cf7e8d4c2b43e8ae669fd77e59ca6926e9371b3f8d8f377571b56f39b0d530c3fac3f9bdeac7ff2abef957bbc3a4b6345c68860868e748275449	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4BAE83D1-2717-11EF-BF0E-72CCAFC2F3F6} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1508	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe
1332	gnycdlrvjodv.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe
Token: SeDebugPrivilege	1332	gnycdlrvjodv.exe
Token: SeBackupPrivilege	964	vssvc.exe
Token: SeRestorePrivilege	964	vssvc.exe
Token: SeAuditPrivilege	964	vssvc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
644	iexplore.exe
1468	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2912	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe
1184	gnycdlrvjodv.exe
644	iexplore.exe
644	iexplore.exe
1684	IEXPLORE.EXE
1684	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2596	2912	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	28
PID 2912 wrote to memory of 2596	2912	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	28
PID 2912 wrote to memory of 2596	2912	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	28
PID 2912 wrote to memory of 2596	2912	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	28
PID 2912 wrote to memory of 2596	2912	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	28
PID 2912 wrote to memory of 2596	2912	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	28
PID 2912 wrote to memory of 2596	2912	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	28
PID 2912 wrote to memory of 2596	2912	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	28
PID 2912 wrote to memory of 2596	2912	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	28
PID 2912 wrote to memory of 2596	2912	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	28
PID 2912 wrote to memory of 2596	2912	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	28
PID 2596 wrote to memory of 1184	2596	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	29
PID 2596 wrote to memory of 1184	2596	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	29
PID 2596 wrote to memory of 1184	2596	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	29
PID 2596 wrote to memory of 1184	2596	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	29
PID 2596 wrote to memory of 2292	2596	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	30
PID 2596 wrote to memory of 2292	2596	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	30
PID 2596 wrote to memory of 2292	2596	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	30
PID 2596 wrote to memory of 2292	2596	VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe	30
PID 1184 wrote to memory of 1332	1184	gnycdlrvjodv.exe	34
PID 1184 wrote to memory of 1332	1184	gnycdlrvjodv.exe	34
PID 1184 wrote to memory of 1332	1184	gnycdlrvjodv.exe	34
PID 1184 wrote to memory of 1332	1184	gnycdlrvjodv.exe	34
PID 1184 wrote to memory of 1332	1184	gnycdlrvjodv.exe	34
PID 1184 wrote to memory of 1332	1184	gnycdlrvjodv.exe	34
PID 1184 wrote to memory of 1332	1184	gnycdlrvjodv.exe	34
PID 1184 wrote to memory of 1332	1184	gnycdlrvjodv.exe	34
PID 1184 wrote to memory of 1332	1184	gnycdlrvjodv.exe	34
PID 1184 wrote to memory of 1332	1184	gnycdlrvjodv.exe	34
PID 1184 wrote to memory of 1332	1184	gnycdlrvjodv.exe	34
PID 1332 wrote to memory of 2808	1332	gnycdlrvjodv.exe	35
PID 1332 wrote to memory of 2808	1332	gnycdlrvjodv.exe	35
PID 1332 wrote to memory of 2808	1332	gnycdlrvjodv.exe	35
PID 1332 wrote to memory of 2808	1332	gnycdlrvjodv.exe	35
PID 2808 wrote to memory of 2916	2808	gcfkv.exe	36
PID 2808 wrote to memory of 2916	2808	gcfkv.exe	36
PID 2808 wrote to memory of 2916	2808	gcfkv.exe	36
PID 2808 wrote to memory of 2916	2808	gcfkv.exe	36
PID 1332 wrote to memory of 1508	1332	gnycdlrvjodv.exe	43
PID 1332 wrote to memory of 1508	1332	gnycdlrvjodv.exe	43
PID 1332 wrote to memory of 1508	1332	gnycdlrvjodv.exe	43
PID 1332 wrote to memory of 1508	1332	gnycdlrvjodv.exe	43
PID 1332 wrote to memory of 644	1332	gnycdlrvjodv.exe	44
PID 1332 wrote to memory of 644	1332	gnycdlrvjodv.exe	44
PID 1332 wrote to memory of 644	1332	gnycdlrvjodv.exe	44
PID 1332 wrote to memory of 644	1332	gnycdlrvjodv.exe	44
PID 644 wrote to memory of 1684	644	iexplore.exe	46
PID 644 wrote to memory of 1684	644	iexplore.exe	46
PID 644 wrote to memory of 1684	644	iexplore.exe	46
PID 644 wrote to memory of 1684	644	iexplore.exe	46
PID 1332 wrote to memory of 1108	1332	gnycdlrvjodv.exe	47
PID 1332 wrote to memory of 1108	1332	gnycdlrvjodv.exe	47
PID 1332 wrote to memory of 1108	1332	gnycdlrvjodv.exe	47
PID 1332 wrote to memory of 1108	1332	gnycdlrvjodv.exe	47
PID 1108 wrote to memory of 2148	1108	maeoa.exe	48
PID 1108 wrote to memory of 2148	1108	maeoa.exe	48
PID 1108 wrote to memory of 2148	1108	maeoa.exe	48
PID 1108 wrote to memory of 2148	1108	maeoa.exe	48
PID 1332 wrote to memory of 2704	1332	gnycdlrvjodv.exe	51
PID 1332 wrote to memory of 2704	1332	gnycdlrvjodv.exe	51
PID 1332 wrote to memory of 2704	1332	gnycdlrvjodv.exe	51
PID 1332 wrote to memory of 2704	1332	gnycdlrvjodv.exe	51

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gnycdlrvjodv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	gnycdlrvjodv.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_2bfb0ef1b81124ca61c93c341a9ed164.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\gnycdlrvjodv.exe
    C:\Windows\gnycdlrvjodv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1184
  - - C:\Windows\gnycdlrvjodv.exe
      C:\Windows\gnycdlrvjodv.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1332
    - - C:\Users\Admin\Documents\gcfkv.exe
        
        C:\Users\Admin\Documents\gcfkv.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2808
      - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        6⤵
        Interacts with shadow copies
        
        PID:2916
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:1508
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:644
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:644 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1684
    - - C:\Users\Admin\Documents\maeoa.exe
        
        C:\Users\Admin\Documents\maeoa.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1108
      - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        6⤵
        Interacts with shadow copies
        
        PID:2148
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\GNYCDL~1.EXE
        5⤵
        
        PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
    3⤵
    - Deletes itself
    PID:2292

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+odojl.html

Filesize
8KB

MD5
135a038f9b31996389b23813c6ae0fa4

SHA1
471115c4ca8268dc32a99685bd944f8e33b2f558

SHA256
39aba830246d26581796f0bae73c39741fd1e7acdbe2a6ec4865fdd45d4f1e56

SHA512
5a23b47b549fc055c655273a04e60ff765e6e24bc0d94910eb04721fefd8809924ff0ab25ca12f442d6a4f3521fd10467929505ab32a40d3c5b42896c4ededdb

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+odojl.png

Filesize
67KB

MD5
23cb7cfdb0b86ee8bd7ea77773170acb

SHA1
ef14e4508e049b56a279c10f26da4a95a0101c5a

SHA256
a13eab2b933084659cc373d506eef7cc9c7c0980a8c8fba918c3e6f8b322635a

SHA512
7244fc8af75c6386c7b0b8a52ea4ad69d755bb4f2a02592b79db951f5e6622a4c4dda3d8c1e46e6a8cbefef0f3ce7df39c1a573128292e28c9677dc3f3adc122

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+odojl.txt

Filesize
2KB

MD5
90f3a2a6cddf41738159b0e4fe0d06b7

SHA1
5eb88908d1756e32b8b0c8133700c962a311d9e3

SHA256
4bbbe2467823e7c52897092fe0f12e81bb5b31d3c54a9c682f1dbee2c908fb37

SHA512
f09fb66e0b5b055af7631b16f9de1b8828e7ef538690cc3cb16d1c4ee5e8097376e804409f94a9ffb4ff049211ab98cfc5a7beb695485ea0bdc4689116ea8d50

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
cfd0536ac3a48cc5585056f1a9ae00e5

SHA1
e11b82d04d971996fc127abbab48e39922835061

SHA256
6435cb758ca14616376d1dc686ed7ec1082c2f65b976e79b7da35649c6b454ac

SHA512
50b9f3b2e3b33b14d1d1d2d8bb0c94ff975313266208b7aec9d87d24f8b45ed5e86d68b61079c573ebcf89a53e1e668727cbb7280917139faa4987023d35b01e

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
b20d285e80d2b0bb49478da2addaba8e

SHA1
9cf9ce83643e8b88d42114303b7bdcbe147aac5d

SHA256
26aa340930d47c1d60d88281d61822769e14c5b30377c4d127cc4ac9c66a2d26

SHA512
857f81e2e095a02e452dffc1c4a9ef1014d562b4ea1edef885f3e12e8c70241a8c431dea42879e58178e95ee240acfbae04d6fcdb7782f3074ded1e016f7f553

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
20f3e91b14cbaa34b520092798b729d3

SHA1
3c3e2bce280305d3e357219ce03342815e7b99bd

SHA256
8a76773c7b470716bbdb983007ac7970c6ea4584d12b1d65ab8af602d6634908

SHA512
eea52412714ca61e1883170e7249381f5d600c8b14fb6c9a23af383a88a53b23951ff838677ff53dba44fe0055dd99d92166866165951ce89914def68884ada4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
e44c673ba4ce7966f7f3d8e919ef9a2a

SHA1
f0c939c6dcf0f8f9eee50a8a8348fe9f2b1badd9

SHA256
df73c39a9658a574c4948cff218b86309ce4a1e86f833156f5bb572010d28394

SHA512
404faaed6cfd6ddd13d6231bf621f9212d32f4ddad88343adecbf76b38ddd1199190fca1b65490c395c13301e1254695c082920dcf0614d88f3a15b626ab5846

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ac42c06d1f6eab200c7e15553bc5b8c

SHA1
e2b16a5d794ea6dec305d097e2d43b0fe73e5cf0

SHA256
35ac882ba742fb793468c737a2311726e4fd745ce09530882dc39e167e8cf257

SHA512
146aa05c3ff58846b07d4a7b6f16723c998421c187aba5378ea973957fdba1f25417bba7f39e052b0cb3dadc9ec55f13f09b130fa4cad0aea620a2ebb1ed0b19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dcc4b1127c4b0828d244c3ed39830b7b

SHA1
73bd5a1751807f5fa465df45de5cacbcb1bffa99

SHA256
b9287398338f6685c4ff8653d47da7b7bf949069e1a1f62319f9d589a336c026

SHA512
7ffd214e1c1a7ee25635d30be294a7e6d1371fa329deafb85af59eb5b11953fbe177c980956c538397ae5135330f556aa02c2a4323cb6585bb5d46876fec9462

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
284404a0241c9b43189d11bd529910a6

SHA1
dcfaca0fe9699c33326a10fd3e750370cdb7f3f0

SHA256
ba7f9244e21dd2693cba9c27262ad84c34648f8b7a87f0e6c54066a899cb952a

SHA512
5e2abeb745bfb12fef1e05d6ce7841320b95f63999958ba1169a7fe2d1d9040eabc0c5f46188281c5d5571433c6928bf1bbc961c6aef2c4625ed8030258dfc01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ba89e585b16d317c2af0f3fbca259c3

SHA1
abf2025131b4175ec0d4561214e333681bb8ca97

SHA256
a800607a21d0e55cc8090824ccd490ad845cf43a2b55467bce15efe267211fc0

SHA512
1e8623ea6c65676fc0fee33103913b06d4f71ba5e7861df07433b8ff002fdba9725edc0eb410043dae6febfaac246925f8e9c308bdf3c0000f355be7d874ded2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
361779ea1aa9d7400ca27985ab4a0959

SHA1
9e3904147457df0388b3f691c0033a2a8190ed21

SHA256
d343ace380591ab97c47433bdb211db214f6fb338dc6a623c809cb449d045bf9

SHA512
33da8eceac8ed92bdde2568c85d6d65b5b789e24a346883bda622efa2a20028ca83f70965679769f8f6fc8e188faade6da62fae2d5756bf3a67e373389adf453

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fdbf6e4dd3b59ca967332f37202b0371

SHA1
bd9a814e0ed5d8b293f4fefb916ae3dbc919eb1d

SHA256
5caa160618bce424cd587d2f2bd84a7d339a29ca7bde675ce8a7f929f9e7282f

SHA512
22f8f2ce117b6e50a64ce03f426711348d85d5cdcd37b610c6c6140e666a4e59fc4d3038d0017dea991df124d19439140e099cf51a64405d23f489ea2c90071b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
898d95bb2a60cf6b5da6b9f5d8413b0f

SHA1
fc19228d741661a652a9828fd78feeda12d9ed5d

SHA256
495156a63788fb4995307227544ad6834f2fe3c68064dee276f6329b11fddceb

SHA512
ea8eb22c54941e56ea08a804fae770089fbffff5d44966032268013618b5c8496c086a06635be75b5f596f5b12d61b3fc6545871ca568eb0f5466f6c913c4d4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b2b2c3c684421f510ad600dd512a4db

SHA1
930623f487f654c6a8494874f9c4aa7700357a19

SHA256
3880a65632ea2a3aa1d5625623bdde314f4d2aa1670df0bb574e2957bbd0a137

SHA512
e0d9ce6039c8d9b9817a817c272a585d31454cbc53eb6d77450051f08a73bc7a6987575ee9432428eb805f31314ce438e3b6cd41e61f275e1a5803078ff1cdf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14457cc1aef98b85878ce96b673a08bb

SHA1
e05f0c382539aa570ebba69d6939cb0ccaabdc3a

SHA256
9b412b3b791362d5e95701ee418189bfaac909e6ef06f818054bf3d7df643db7

SHA512
74c11f7831257ae7f1c9ec08023317a62e83d8a86f1eecfe0f9101bff5a6df7968391d7fdb6cb3abf38cf7c234132b342bf95d1ef2fb87cface8e79c62ede8ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
7df8cfa3ee48b10154eba51c01228cf2

SHA1
12c495b97ed788355b5513239e8e3841d4e87ed2

SHA256
1de21612b2a362dd2e0a29ec63e3b8eb7176b9b5aaaf77405155695d9fcb722a

SHA512
c7811af97f3eb8fd37a1f63134f31f2fbf562a5148ea44990a8518d050c18e92f8068bf35a28a212c7a973f9ebfa3fca2cdadeef33802432509b44b81fe3e2f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar84CF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\gnycdlrvjodv.exe

Filesize
616KB

MD5
2bfb0ef1b81124ca61c93c341a9ed164

SHA1
80a77d8af4702dc597bc48838f9140e1d3ed2bc0

SHA256
86e08c4190074fa5774eb0f37afacf780bfe1b4f1335cccfcd1d5fe140e09b5b

SHA512
2c336f88c9c7c3f7c8c3ae87f392f92ece3e28155b08b25f31c522b3df509bef5803240647a2853bc34567f943e6afd5dfba732ddbbfe1e2cffd0e272a6f97a0

Download Submit
\Users\Admin\Documents\gcfkv.exe

Filesize
5KB

MD5
34d3f2e3fd92cd38a103d415dbb22936

SHA1
abdcf16a82cf8d3109ec39203181d839f2154a68

SHA256
5119839eaaf7dfc670c7d2c8a83e74f895e07fab5f22c379185769eed07ece25

SHA512
bc76ed0fe69ab38f66217f4b4aec79947e706136aecc5a42840ccd963799c8c175dc796d92be678b2b1e55d22c3a97fb4b9e00f6879958ae5a5bb2081ae7ad92

Download Submit
memory/1184-51-0x0000000000400000-0x000000000078D000-memory.dmp

Filesize
3.6MB

Download
memory/1184-31-0x0000000000400000-0x000000000078D000-memory.dmp

Filesize
3.6MB

Download
memory/1332-6150-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1332-61-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1332-1894-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1332-2755-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1332-5933-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1332-5995-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1332-6001-0x0000000003A90000-0x0000000003A92000-memory.dmp

Filesize
8KB

Download
memory/1332-6602-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1332-6011-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1332-6599-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1332-52-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1332-50-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1332-59-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1468-6002-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2596-2-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2596-4-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2596-6-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2596-10-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2596-8-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2596-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2596-12-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2596-19-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2596-16-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2596-20-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2596-30-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2912-1-0x00000000002A0000-0x00000000002A3000-memory.dmp

Filesize
12KB

Download
memory/2912-0-0x00000000002A0000-0x00000000002A3000-memory.dmp

Filesize
12KB

Download
memory/2912-18-0x00000000002A0000-0x00000000002A3000-memory.dmp

Filesize
12KB

Download