teslacrypt | bedd09abc5eb323220f26eadbe1ede76373ebd6d8a84fd2884429760b0cd197a

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-06-2024 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_41c9cf8f98d9cf11e0b101562876d404.exe
Size

424KB
MD5

41c9cf8f98d9cf11e0b101562876d404
SHA1

88a88e498b8e4b73e8585e7994ed519b9ace9610
SHA256

bedd09abc5eb323220f26eadbe1ede76373ebd6d8a84fd2884429760b0cd197a
SHA512

78c028c126351716c5460f391d810d5925f9ad36eb3a506b0e3d015bcef9b2a0ed9c3fbec9c3f81a5dc362edf64de5eb377da070712ac720d9ea6350da5af113
SSDEEP

12288:wL2WjWgDhrhjxaRaDz7z4HMLzskGWoXblCJxfS6:wDXpVx7f7dLoMorOR1

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+kdimu.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://yyre45dbvn2nhbefbmh.begumvelic.at/51A574339B46F6BA 2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/51A574339B46F6BA 3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/51A574339B46F6BA If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/51A574339B46F6BA 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://yyre45dbvn2nhbefbmh.begumvelic.at/51A574339B46F6BA http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/51A574339B46F6BA http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/51A574339B46F6BA *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/51A574339B46F6BA

URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/51A574339B46F6BA

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/51A574339B46F6BA

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/51A574339B46F6BA

http://xlowfznrg4wf7dli.ONION/51A574339B46F6BA

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (425) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2548	cmd.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+kdimu.png	wfmiedocaocs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+kdimu.txt	wfmiedocaocs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+kdimu.html	wfmiedocaocs.exe

Executes dropped EXE 1 IoCs

pid	Process
2492	wfmiedocaocs.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\hfdwdburfgmo = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\wfmiedocaocs.exe\""	wfmiedocaocs.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\_RECoVERY_+kdimu.png	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\highDpiImageSwap.js	wfmiedocaocs.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\1047x576black.png	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\_RECoVERY_+kdimu.html	wfmiedocaocs.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\_RECoVERY_+kdimu.png	wfmiedocaocs.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\_RECoVERY_+kdimu.html	wfmiedocaocs.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_RECoVERY_+kdimu.png	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\_RECoVERY_+kdimu.txt	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-disable.png	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_rest.png	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png	wfmiedocaocs.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\_RECoVERY_+kdimu.png	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\_RECoVERY_+kdimu.png	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-middle.png	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\_RECoVERY_+kdimu.html	wfmiedocaocs.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_SelectionSubpicture.png	wfmiedocaocs.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\_RECoVERY_+kdimu.txt	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\_RECoVERY_+kdimu.html	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\_RECoVERY_+kdimu.html	wfmiedocaocs.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\it-IT\_RECoVERY_+kdimu.txt	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\_RECoVERY_+kdimu.txt	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\_RECoVERY_+kdimu.png	wfmiedocaocs.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\art\_RECoVERY_+kdimu.html	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\main_background.png	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\_RECoVERY_+kdimu.html	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\_RECoVERY_+kdimu.html	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\_RECoVERY_+kdimu.png	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up.png	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoBeta.png	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\de-DE\_RECoVERY_+kdimu.txt	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\es-ES\_RECoVERY_+kdimu.html	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\_RECoVERY_+kdimu.html	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\_RECoVERY_+kdimu.html	wfmiedocaocs.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\_RECoVERY_+kdimu.txt	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\_RECoVERY_+kdimu.txt	wfmiedocaocs.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\_RECoVERY_+kdimu.html	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_RECoVERY_+kdimu.html	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\_RECoVERY_+kdimu.txt	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\_RECoVERY_+kdimu.html	wfmiedocaocs.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\lua\_RECoVERY_+kdimu.txt	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\_RECoVERY_+kdimu.png	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\_RECoVERY_+kdimu.html	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\_RECoVERY_+kdimu.html	wfmiedocaocs.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\_RECoVERY_+kdimu.png	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\_RECoVERY_+kdimu.html	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\es-ES\_RECoVERY_+kdimu.png	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\it-IT\_RECoVERY_+kdimu.png	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\_RECoVERY_+kdimu.html	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\_RECoVERY_+kdimu.png	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\settings.js	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sw.pak	wfmiedocaocs.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\_RECoVERY_+kdimu.html	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\_RECoVERY_+kdimu.png	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\_RECoVERY_+kdimu.html	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\_RECoVERY_+kdimu.txt	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Java\jre7\lib\amd64\_RECoVERY_+kdimu.html	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\_RECoVERY_+kdimu.png	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\init.js	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\flyout.css	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\flyout.css	wfmiedocaocs.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\_RECoVERY_+kdimu.txt	wfmiedocaocs.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\wfmiedocaocs.exe	VirusShare_41c9cf8f98d9cf11e0b101562876d404.exe
File opened for modification	C:\Windows\wfmiedocaocs.exe	VirusShare_41c9cf8f98d9cf11e0b101562876d404.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0fc034028bbda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000636cc4bd4b1eda4e8e1be1471e4cff920000000002000000000010660000000100002000000089e34ac8943d51fcd83944dde946b33dfd018f10fcf3c4c68fc198813e04fd31000000000e80000000020000200000006e965951946cdf73e8feef0079221f5e03f68e207164c1502c37203e6e49694620000000c3769b7f3b31f3f25541bc09b90210bfe18c0276b7f0ecbaac5275afe879cd3240000000651d3f233b0929c5291e33f5dc5922654edc4d7d5dd5ca22ea0b69c69905dc17fdc420475c0e09e06f6c56333565a7c9285a1fd4aae602641e4b1c4b6066e0b8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6B8C74B1-271B-11EF-A293-4AADDC6219DF} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000636cc4bd4b1eda4e8e1be1471e4cff92000000000200000000001066000000010000200000007e539b503a449ef84b5f574b7cc7a19b7a23cc65db243a23beaf3ea3ccf55d86000000000e8000000002000020000000eb056d7624dbbc3fffa5f8d820c8ff92e229490a0eb751612eab5a165171d91c90000000576a1830861ab572f2b75ad271221dffa78a181573fb323bbe54a663ffb1a7ca95cd948db524d9e4e1364bc338e5fc5d214952766d700cb1d9d2d4cb08f097fc920c17f577f7ef12e5b28a04b0f1b2f3e367b72ba61d35ce475cb79076ca80af02b8901315dedcbc42cb95b17596929dada20f8b20bb947bb2b1230f3d2d6212da1b561745c0e263daf9a07b0ccff1224000000043d01cd7a0efd7a11f5036ecee73818cecc9554a363f63e959a5423166d24d2703e5251d6b007957b43a4f3dff284f7f87449337f919b6211a04a5932ef490aa	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424180286"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2636	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe
2492	wfmiedocaocs.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	VirusShare_41c9cf8f98d9cf11e0b101562876d404.exe
Token: SeDebugPrivilege	2492	wfmiedocaocs.exe
Token: SeIncreaseQuotaPrivilege	2516	WMIC.exe
Token: SeSecurityPrivilege	2516	WMIC.exe
Token: SeTakeOwnershipPrivilege	2516	WMIC.exe
Token: SeLoadDriverPrivilege	2516	WMIC.exe
Token: SeSystemProfilePrivilege	2516	WMIC.exe
Token: SeSystemtimePrivilege	2516	WMIC.exe
Token: SeProfSingleProcessPrivilege	2516	WMIC.exe
Token: SeIncBasePriorityPrivilege	2516	WMIC.exe
Token: SeCreatePagefilePrivilege	2516	WMIC.exe
Token: SeBackupPrivilege	2516	WMIC.exe
Token: SeRestorePrivilege	2516	WMIC.exe
Token: SeShutdownPrivilege	2516	WMIC.exe
Token: SeDebugPrivilege	2516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2516	WMIC.exe
Token: SeRemoteShutdownPrivilege	2516	WMIC.exe
Token: SeUndockPrivilege	2516	WMIC.exe
Token: SeManageVolumePrivilege	2516	WMIC.exe
Token: 33	2516	WMIC.exe
Token: 34	2516	WMIC.exe
Token: 35	2516	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2516	WMIC.exe
Token: SeSecurityPrivilege	2516	WMIC.exe
Token: SeTakeOwnershipPrivilege	2516	WMIC.exe
Token: SeLoadDriverPrivilege	2516	WMIC.exe
Token: SeSystemProfilePrivilege	2516	WMIC.exe
Token: SeSystemtimePrivilege	2516	WMIC.exe
Token: SeProfSingleProcessPrivilege	2516	WMIC.exe
Token: SeIncBasePriorityPrivilege	2516	WMIC.exe
Token: SeCreatePagefilePrivilege	2516	WMIC.exe
Token: SeBackupPrivilege	2516	WMIC.exe
Token: SeRestorePrivilege	2516	WMIC.exe
Token: SeShutdownPrivilege	2516	WMIC.exe
Token: SeDebugPrivilege	2516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2516	WMIC.exe
Token: SeRemoteShutdownPrivilege	2516	WMIC.exe
Token: SeUndockPrivilege	2516	WMIC.exe
Token: SeManageVolumePrivilege	2516	WMIC.exe
Token: 33	2516	WMIC.exe
Token: 34	2516	WMIC.exe
Token: 35	2516	WMIC.exe
Token: SeBackupPrivilege	2912	vssvc.exe
Token: SeRestorePrivilege	2912	vssvc.exe
Token: SeAuditPrivilege	2912	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1240	WMIC.exe
Token: SeSecurityPrivilege	1240	WMIC.exe
Token: SeTakeOwnershipPrivilege	1240	WMIC.exe
Token: SeLoadDriverPrivilege	1240	WMIC.exe
Token: SeSystemProfilePrivilege	1240	WMIC.exe
Token: SeSystemtimePrivilege	1240	WMIC.exe
Token: SeProfSingleProcessPrivilege	1240	WMIC.exe
Token: SeIncBasePriorityPrivilege	1240	WMIC.exe
Token: SeCreatePagefilePrivilege	1240	WMIC.exe
Token: SeBackupPrivilege	1240	WMIC.exe
Token: SeRestorePrivilege	1240	WMIC.exe
Token: SeShutdownPrivilege	1240	WMIC.exe
Token: SeDebugPrivilege	1240	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1240	WMIC.exe
Token: SeRemoteShutdownPrivilege	1240	WMIC.exe
Token: SeUndockPrivilege	1240	WMIC.exe
Token: SeManageVolumePrivilege	1240	WMIC.exe
Token: 33	1240	WMIC.exe
Token: 34	1240	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2620	iexplore.exe
2908	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2620	iexplore.exe
2620	iexplore.exe
1200	IEXPLORE.EXE
1200	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2492	2172	VirusShare_41c9cf8f98d9cf11e0b101562876d404.exe	28
PID 2172 wrote to memory of 2492	2172	VirusShare_41c9cf8f98d9cf11e0b101562876d404.exe	28
PID 2172 wrote to memory of 2492	2172	VirusShare_41c9cf8f98d9cf11e0b101562876d404.exe	28
PID 2172 wrote to memory of 2492	2172	VirusShare_41c9cf8f98d9cf11e0b101562876d404.exe	28
PID 2172 wrote to memory of 2548	2172	VirusShare_41c9cf8f98d9cf11e0b101562876d404.exe	29
PID 2172 wrote to memory of 2548	2172	VirusShare_41c9cf8f98d9cf11e0b101562876d404.exe	29
PID 2172 wrote to memory of 2548	2172	VirusShare_41c9cf8f98d9cf11e0b101562876d404.exe	29
PID 2172 wrote to memory of 2548	2172	VirusShare_41c9cf8f98d9cf11e0b101562876d404.exe	29
PID 2492 wrote to memory of 2516	2492	wfmiedocaocs.exe	31
PID 2492 wrote to memory of 2516	2492	wfmiedocaocs.exe	31
PID 2492 wrote to memory of 2516	2492	wfmiedocaocs.exe	31
PID 2492 wrote to memory of 2516	2492	wfmiedocaocs.exe	31
PID 2492 wrote to memory of 2636	2492	wfmiedocaocs.exe	38
PID 2492 wrote to memory of 2636	2492	wfmiedocaocs.exe	38
PID 2492 wrote to memory of 2636	2492	wfmiedocaocs.exe	38
PID 2492 wrote to memory of 2636	2492	wfmiedocaocs.exe	38
PID 2492 wrote to memory of 2620	2492	wfmiedocaocs.exe	39
PID 2492 wrote to memory of 2620	2492	wfmiedocaocs.exe	39
PID 2492 wrote to memory of 2620	2492	wfmiedocaocs.exe	39
PID 2492 wrote to memory of 2620	2492	wfmiedocaocs.exe	39
PID 2620 wrote to memory of 1200	2620	iexplore.exe	41
PID 2620 wrote to memory of 1200	2620	iexplore.exe	41
PID 2620 wrote to memory of 1200	2620	iexplore.exe	41
PID 2620 wrote to memory of 1200	2620	iexplore.exe	41
PID 2492 wrote to memory of 1240	2492	wfmiedocaocs.exe	42
PID 2492 wrote to memory of 1240	2492	wfmiedocaocs.exe	42
PID 2492 wrote to memory of 1240	2492	wfmiedocaocs.exe	42
PID 2492 wrote to memory of 1240	2492	wfmiedocaocs.exe	42
PID 2492 wrote to memory of 2296	2492	wfmiedocaocs.exe	45
PID 2492 wrote to memory of 2296	2492	wfmiedocaocs.exe	45
PID 2492 wrote to memory of 2296	2492	wfmiedocaocs.exe	45
PID 2492 wrote to memory of 2296	2492	wfmiedocaocs.exe	45

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wfmiedocaocs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	wfmiedocaocs.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_41c9cf8f98d9cf11e0b101562876d404.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_41c9cf8f98d9cf11e0b101562876d404.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\wfmiedocaocs.exe
  C:\Windows\wfmiedocaocs.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2492
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2516
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2636
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2620 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1200
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1240
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\WFMIED~1.EXE
    3⤵
    PID:2296
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
  2⤵
  - Deletes itself
  PID:2548

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+kdimu.html

Filesize
11KB

MD5
d675f484cb3aaa7f8059a6c36bb6db71

SHA1
fef39831e3019c2819f1f0017377c7e6be08b902

SHA256
86060cf0d69924e2fd019168ea86ade8272b03e8887344b8a049aae7c20e0ad2

SHA512
47823aabcefe1a123c1f281d048e3266e3ddc35e5b1f9d01ffce5466681db10f5daa1debbe32d723ac71c2824e2272657994866d0c2e38424c5acec277d36934

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+kdimu.png

Filesize
63KB

MD5
087030e5013c1d66798896902ad2f59d

SHA1
c89b0be15ea048a047f3070a288d8ed0a159fa54

SHA256
c68e9d5b740f0fac8e8a696ed3f165c6537bb95b4b98ae392289d536fde6a858

SHA512
eee2ea5613f181f0564d515a35e522bca52deccbd186cd96304a47df37f015bbd0d3ba2c048b47ade75ca6488f3544c2846bb491da22d57ee5c58ab4a33cdcd0

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+kdimu.txt

Filesize
1KB

MD5
1728d33c80f89b86715667cc23977515

SHA1
614022b9c1680b7468b6edfabd49cbad46bce3de

SHA256
7e373d1b0870297a88a9fd07b30ce4a5c2c3b3ffe6003cbd618d96a5833c86e3

SHA512
089c1b24f948a1915b1c877beb1ceeef937a1226a7cb01b27249f59ba5ba4941e914aeca55eb35dee4d5b9a22bd94266d11eccff1e5c0201acb20e6ba6acd9eb

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
11011e89dde582d08dc0c68a8d63c2fe

SHA1
deff991f2b7068fe696d8502468c761c25bf0ed9

SHA256
3a01ea6e101c0d94135a5719428e085a2b0ed6e78c0740a12122e439c42d4e35

SHA512
cfde5437c1e99842b5f5444ba56f28ac6aab610b450bb48e0bffc270916a863410912ddccaccf4b31a7104cf6a1bb33bcdea515b055d7463f0b3923ac0801be1

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
80eb88e9d7e7e2a3dd4ffd90bcb7d23e

SHA1
41cf6686c643edcf0763d90509318f599041b6e2

SHA256
6430bb83193ff33fd06116d11569bb9eb5d3a78d28132b65102dff375c4244f4

SHA512
d8faaf6eaf584773604a8ab163086a157f23eeb0d135ee1c8619db6e70f9515af9570fe7e8034b4db632dcf392b5c41a6119e25239726bfd0ee8778b06f56e7e

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
37244b8f2f36078acc5a085b0508b42d

SHA1
79d45e721c4cde5cfefc0102cf64cc821551d1ef

SHA256
d88d40fc449131eb3eb26000e294f0cde8a3316facf55f3d9ac7e16db2fce767

SHA512
669f4f7bc2c3384f04f36f2d2fd1e1cf12c5854ceb28d8883598424e36535ee473cfbf2e47d9b379306bc2b3eddba61f152f7432252f897124d3fd4e310fedb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a788f20959c9eb698fa75322f358602

SHA1
3d05aa86d6654edb1587bc57c1bf60cd225152b7

SHA256
e1d77e2b553eb66e57d1bc91ef3cee54db0753d4106a7951bb9b51b64cebf0e4

SHA512
668815ccc71c920f082a7852f95381b3411426b272cf2dc79ac4ad09b9b990114a8c26c14234279b25bc5346d39b908d6acc1029cb0fd014008bc2d7be5ece45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53d78d002d91b9d64b3b24c12977c4d2

SHA1
93e5ac032b419da0514790f522f117e1de68fbe4

SHA256
84b785a75faed9d39095a944ab74d0acaf8c41783cbeb1d9997232c966fd24c0

SHA512
1a1db6c4bcfec789bbff05cb95c469846213a2cb3e9884ce8529876889e59f8ed903cbce05f2d262ee9f9ac8d8657e70f8e4c2a359cd10619bac0aabb3476624

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6bd243b0870b1f0b624f92193716aa20

SHA1
3c20c951e99778fd388613cb0b06b7364d096f3d

SHA256
d0dc7b00dd595b11d0305127ab4d743fda9021ff51b54ce79952c5199f044830

SHA512
8af9f3cd016b5b9941c8b5a73bbe5175780fa442d51a68b0003e3aa671f069f4abd45f0928bdc9912b1aaa41bdf1baaa026f5d886d2d399ec50c389600762f79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8fae92f82cdfe6a82d78bafbce16cb60

SHA1
cc5d1c4edf34a3f64cd7d1b4b7ac88b1c57d68d1

SHA256
484002f5872e83d3befa4dfcead74b92964b4428dd268ccf82d5d25f6611cdaf

SHA512
3787346e968aae2c8b4a744028b217aeb05cee5fe6b2f772676aef5dc7a7426509df5f9ca0458da782d0a3c1bbffc3205b78d5740c8c59d9e53d9982910619b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fee648e2948a2dbbf9e2386e6e66352a

SHA1
80065bbbf5a61a2ba12c492f46b85135ae19b5f7

SHA256
ef538b8834958e9d053d93757ea7915000239ea7c97281b531327db8cc2a3a79

SHA512
4ed1fe2ab399e288e3992c0184e20db083a9b2937292123ae1d21547675b1bc278ddcd4d7166f8d083b6acf615c85ea9738dbce2d5a04595517c9e96fad8fca7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5baa5870950179e30d33f6dc903d798d

SHA1
05272a4271e14ba0b803cd3f7f779bf2b5206819

SHA256
bb52d907876d7d1a84f1033b62b4c4d4f5b11973efef03b6a940a69da505c69c

SHA512
2eff670ef5f62a42c750e1a58f241097562c1b317ae8c88f2d8686f334fb485a6a62586ab105a5b718900043e7f241171ef62e657fccaad64e8b2eed2feb1602

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4627a2ffa54ebfe73a10eb61f684298

SHA1
0e0ebd6008741d5efdc64482e1325071d008c6ff

SHA256
e68738132fa3fb8f2c7c92d6cb6fe7e9ebb0056bcd655f91bb422e8b7d4faad2

SHA512
22989649b310fc24e300f08c7a9e726922c8509d959438c9d3e28bb14c24eb2dd912b73694c33a501ca3fe56a082883de85fd65324a9fcff359dc74733d2458c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f18c799390f018dd27b8edbb5478471b

SHA1
28439aeb408dd5c56e5f693d790ae3ef5331e11c

SHA256
428dd2e661e9fa42ccf97e757895daa860a167f5e26684a1465ec8062af306bc

SHA512
782c481b51e794dcd5dcaa62feed83ab5086dc452bc781bfef145de0445789fa6e330d8b665d214a55112fb46a536ed3cf5db54622374f2c8463558069c7502a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8ba0b30ca7874d51fc9ede9c56da269

SHA1
c9352a7d80f3bbc002c018577d1ec892984f553e

SHA256
690b6a5ee7af7b609362216c9eb3033c63c0297072cf9c5aca2f113bea6f542e

SHA512
95244aac40d3850326957a16710be072f144bbf2356b79b5ac29b2946f6ccbf97ed007b73234441f785d06a095cfed0619628c74a28511921c19756b38e3bf02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
267d5547868292622aef63937598522b

SHA1
0b11c4cb5421a76e7431ac119f75b33be9f90a60

SHA256
695b3f00d06d7af94354229f4ca811606ad6329bfeb11891349f7d81e4574a69

SHA512
e0ee5b03bf9be22d3e81d401d9ee6543d82c1600db3f21d76756d0fc19f64b4c7240a3d0d53d076a284143ad5a427e82340bcab189bc8c5936ea378e8aa71736

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
50fd8aeb17106f76e0482313d5b32e8c

SHA1
1eab2341c018b8322028ff971e8d15eaf3dc0158

SHA256
0bfc01de31a5e7b1447c2937fd6908c542b93e33d6941762c604deec4e236ef0

SHA512
396a294be88d0a1f48be9b2b6f362f695168fc4db3b2a3c6face0b86e3d3f4686bf53fdde9c22964eb056bfe9a85e133e8cfbc3795cae14b592c00428d5c531e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92dfe0a2d01bc98747ef02a7d2bd11a8

SHA1
33fd5df4f31e311da8ff6ac8e072183aad1926d6

SHA256
6e3bc9ccccbc067515d050dba6db18c93410e07b0665ee3457fddbb648548512

SHA512
6715b298e6bdf410fc02cfc41d598cdeb5e7cbb9c6a3f80d0cb007cf673e06a8ccd26f639ac4f33c10661a8e35d21ce83c9de922fa32d56b81f8ee1f7536bb45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c13ddabefb3c85c22f2c1d74809c098

SHA1
53b63f950bd5c8e5b900e00591144a8775010e50

SHA256
e51653ee9f48531c9da39dc294284fb413888d81ddbdb37f265559b90959cc35

SHA512
25b1a4bd48c33f68cb3ef06abc7a8811ee68713649761da350b9fe62848f309a28e75238b761c1d79a4805121ad4b5bd6da1b7e8670f8452051dbd5412b67b0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f73bbfbb4cbfc3d8ad9ee6ac886dc3ce

SHA1
f20105f6624246419ede55afea2eee5a1c27e831

SHA256
e2f9aa189fd1c361c98404d3094dc44d23f7f886d9a352123908947042db8407

SHA512
7d2ddc21c97b5977011648b74391d651a1d03b4fce7c5c165a85c5f123d5fc47e8891545657093fa15077ebf5201616cad0e0350bb844b8d677edc90d7a0b50f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c2006c3f80877e9d8b637bcb0997f1b

SHA1
eef81a44123da690ba0206523de7353365d0af93

SHA256
807c994a6a520f2e52bcf8d4d066a50a95533dd3b5c0d7b8bc639718ba128223

SHA512
2998a847f143337253fbcc0b7292e8e3ee2d3a884c1a09a1ef0125d01f7693be6702ec87e9476faf10ee714f25c2faa67f055b76b3bdff03f1a37587e08d3734

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6912dc045d1536dcf7a38ac8dea1e9ec

SHA1
4d8403748a4a7a7867f18b00b9fad62b2aa20798

SHA256
0f66fed932d627c79824644dc8a386c11272773ab8c900c0fc53789c6ca060f0

SHA512
f83af9bac4fdc5e9df4cad86374dd6d130a3c5d8e83c398ef534ded017c78ad7c64ea647fed36304584b49839c35704cb48501ec2d1c254ec3734678d3cdf79b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a650f186956ed0c5965ab16d958aaf3f

SHA1
a6144ebbafe219b7d037e6831dd9a6387644b649

SHA256
ee5f98cb6726db4ba78c34ff84afdcbd9583edb0d8fffcafb663970ed09194ed

SHA512
452da6e8d911478881b70e474674d4fb399883ac8e961626bc5bc406c090186876cecbc6d646a9635682daa6b1217bc23511064cd8a1aa83df5119eb62cb5d8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ccd8194d63c1774c9d62a6b162c1601

SHA1
3dafd82fd3e752826787945279cd8726e9808928

SHA256
bdb3c6dc06c890e6b2c1df6864392e2d5a500b410aabe72a3c1dea1b7f10b44a

SHA512
aa1f06d9e29f0cb42c973a523cfe8234a465c0baf5ea79088a69ea72b80ead732f9045c1862d589fb5ac313752631a8ae463c42a5c9fb61fdda5ec48d4895b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9032.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9123.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\wfmiedocaocs.exe

Filesize
424KB

MD5
41c9cf8f98d9cf11e0b101562876d404

SHA1
88a88e498b8e4b73e8585e7994ed519b9ace9610

SHA256
bedd09abc5eb323220f26eadbe1ede76373ebd6d8a84fd2884429760b0cd197a

SHA512
78c028c126351716c5460f391d810d5925f9ad36eb3a506b0e3d015bcef9b2a0ed9c3fbec9c3f81a5dc362edf64de5eb377da070712ac720d9ea6350da5af113

Download Submit
memory/2172-11-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2172-12-0x0000000000320000-0x00000000003A5000-memory.dmp

Filesize
532KB

Download
memory/2172-1-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2172-0-0x0000000000320000-0x00000000003A5000-memory.dmp

Filesize
532KB

Download
memory/2492-13-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2492-6479-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2492-16-0x0000000000500000-0x0000000000585000-memory.dmp

Filesize
532KB

Download
memory/2492-5991-0x00000000031E0000-0x00000000031E2000-memory.dmp

Filesize
8KB

Download
memory/2492-2638-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2492-5599-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2492-5985-0x0000000000500000-0x0000000000585000-memory.dmp

Filesize
532KB

Download
memory/2492-6018-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2908-5993-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download