teslacrypt | 84b3cdcc6f4bf098bd8574f5137d6ce863c300e6e2a5512cd6744e6f167459ec

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-06-2024 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_55ef5620d1205df70163818bf84688cd.exe
Size

336KB
MD5

55ef5620d1205df70163818bf84688cd
SHA1

d883ae424be4f1968797f5d1ef3d7968932ab650
SHA256

84b3cdcc6f4bf098bd8574f5137d6ce863c300e6e2a5512cd6744e6f167459ec
SHA512

82f7284808f2e513dac7d3de3cbd13e56699dfa37aa45e936c7b36a7a76ff42ace05d0acb75e454c495a50f0c2d7862114bd9ed23417f1698fc1eb9afcb4b2cd
SSDEEP

6144:0xy9nRqDo0RAua922DNcbCfFpHVKY8E4IvFBJ1KTBNqG:0w9noocAxxDNcbCdfH8E7vtw9Nq

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+hxfkp.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://yyre45dbvn2nhbefbmh.begumvelic.at/E949658BDEDE9F45 2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/E949658BDEDE9F45 3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E949658BDEDE9F45 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/E949658BDEDE9F45 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://yyre45dbvn2nhbefbmh.begumvelic.at/E949658BDEDE9F45 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/E949658BDEDE9F45 http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E949658BDEDE9F45 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/E949658BDEDE9F45

URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/E949658BDEDE9F45

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/E949658BDEDE9F45

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E949658BDEDE9F45

http://xlowfznrg4wf7dli.ONION/E949658BDEDE9F45

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (425) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2644	cmd.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+hxfkp.png	atkqcweumaij.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+hxfkp.txt	atkqcweumaij.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+hxfkp.html	atkqcweumaij.exe

Executes dropped EXE 1 IoCs

pid	Process
2536	atkqcweumaij.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\qmfausxvgopb = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\atkqcweumaij.exe\""	atkqcweumaij.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\_RECoVERY_+hxfkp.html	atkqcweumaij.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_s.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_settings.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\_RECoVERY_+hxfkp.txt	atkqcweumaij.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\_RECoVERY_+hxfkp.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\_RECoVERY_+hxfkp.txt	atkqcweumaij.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_down.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_over.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down_BIDI.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\_RECoVERY_+hxfkp.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\Java\jre7\lib\_RECoVERY_+hxfkp.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\_RECoVERY_+hxfkp.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pa\_RECoVERY_+hxfkp.txt	atkqcweumaij.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\_RECoVERY_+hxfkp.html	atkqcweumaij.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\_RECoVERY_+hxfkp.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\_RECoVERY_+hxfkp.html	atkqcweumaij.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\_RECoVERY_+hxfkp.txt	atkqcweumaij.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\_RECoVERY_+hxfkp.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluHandle.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\DMR_120.jpg	atkqcweumaij.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\_RECoVERY_+hxfkp.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_RECoVERY_+hxfkp.html	atkqcweumaij.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\_RECoVERY_+hxfkp.html	atkqcweumaij.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\extensions\_RECoVERY_+hxfkp.txt	atkqcweumaij.exe
File opened for modification	C:\Program Files\Windows Media Player\Icons\_RECoVERY_+hxfkp.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_cloudy.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\_RECoVERY_+hxfkp.html	atkqcweumaij.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_selectionsubpicture.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\_RECoVERY_+hxfkp.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\art\_RECoVERY_+hxfkp.html	atkqcweumaij.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_RECoVERY_+hxfkp.html	atkqcweumaij.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\_RECoVERY_+hxfkp.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\it-IT\_RECoVERY_+hxfkp.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_RECoVERY_+hxfkp.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\_RECoVERY_+hxfkp.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_disabled.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	atkqcweumaij.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\_RECoVERY_+hxfkp.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIcon.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sl.pak	atkqcweumaij.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\_RECoVERY_+hxfkp.html	atkqcweumaij.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\_RECoVERY_+hxfkp.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-static.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport_PAL.wmv	atkqcweumaij.exe
File opened for modification	C:\Program Files\Java\_RECoVERY_+hxfkp.html	atkqcweumaij.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_CN\_RECoVERY_+hxfkp.html	atkqcweumaij.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\en-US\_RECoVERY_+hxfkp.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\_RECoVERY_+hxfkp.txt	atkqcweumaij.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\_RECoVERY_+hxfkp.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\_RECoVERY_+hxfkp.html	atkqcweumaij.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\it-IT\_RECoVERY_+hxfkp.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\_RECoVERY_+hxfkp.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\_RECoVERY_+hxfkp.html	atkqcweumaij.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\_RECoVERY_+hxfkp.html	atkqcweumaij.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_RECoVERY_+hxfkp.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_RECoVERY_+hxfkp.html	atkqcweumaij.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\settings.js	atkqcweumaij.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)greenStateIcon.png	atkqcweumaij.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\_RECoVERY_+hxfkp.html	atkqcweumaij.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\atkqcweumaij.exe	VirusShare_55ef5620d1205df70163818bf84688cd.exe
File opened for modification	C:\Windows\atkqcweumaij.exe	VirusShare_55ef5620d1205df70163818bf84688cd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e7fc3b39ef56e4fa60fe7a71555739900000000020000000000106600000001000020000000150b30e668c0c33b8e98f6f7f5010a6261e9c3e20243f355cee0fae25da8dd5f000000000e8000000002000020000000dd542f39cde1aaf75aea1ded06f45223930dcd59f0bb182e12874bb4e9941b382000000007e0fc6096c6f0367e51412d086660a40d46cb37d50d6193560d96d3d4df83a540000000a0e6eb38ece6c181b40bc6a71d54e6b1b84eca7705959490d833fdf9e018d4a028a45f0ada4d5ade25771655815502cbe63c16215e88bd397d87c51988119789	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424180505"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90db61c228bbda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EDF3E0F1-271B-11EF-9E38-E60682B688C9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e7fc3b39ef56e4fa60fe7a71555739900000000020000000000106600000001000020000000c8f04ad14325beb00ec53350197a66c7efc7e99d13cfd71b073144be3c926f2f000000000e8000000002000020000000c5d4ab8bb6c29239966a1304015dbf6a7a42eb6bf0f090c2caf8ba7e9b10537a90000000b8c30b08190022fe3590f30d37ae2ae855ab0828bd14f60a3d8c3106a26a8a5f2ef4bbde07a3f2745811844aeec688ebcbbcae5fc56874f50503fc751b35a4d6b2c6f949054270fa13871833477b52371d4cc03b5006a5fc7c30096dba5c8cbf15784a0b716e626a9c3de16202b6a86c766d06a28135fe6bc89f32374545ba6710f78ddd6cbdee4dd171345ef19238fa4000000014a297d002f6ed38ea560eaee42dbd79ad8e37134010cca71329a3cc6639816dcfa5984999f9fca04e0cf1244b95233ebc4204855ff98f9b2ae69549536d9a65	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1576	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe
2536	atkqcweumaij.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2160	VirusShare_55ef5620d1205df70163818bf84688cd.exe
Token: SeDebugPrivilege	2536	atkqcweumaij.exe
Token: SeIncreaseQuotaPrivilege	2416	WMIC.exe
Token: SeSecurityPrivilege	2416	WMIC.exe
Token: SeTakeOwnershipPrivilege	2416	WMIC.exe
Token: SeLoadDriverPrivilege	2416	WMIC.exe
Token: SeSystemProfilePrivilege	2416	WMIC.exe
Token: SeSystemtimePrivilege	2416	WMIC.exe
Token: SeProfSingleProcessPrivilege	2416	WMIC.exe
Token: SeIncBasePriorityPrivilege	2416	WMIC.exe
Token: SeCreatePagefilePrivilege	2416	WMIC.exe
Token: SeBackupPrivilege	2416	WMIC.exe
Token: SeRestorePrivilege	2416	WMIC.exe
Token: SeShutdownPrivilege	2416	WMIC.exe
Token: SeDebugPrivilege	2416	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2416	WMIC.exe
Token: SeRemoteShutdownPrivilege	2416	WMIC.exe
Token: SeUndockPrivilege	2416	WMIC.exe
Token: SeManageVolumePrivilege	2416	WMIC.exe
Token: 33	2416	WMIC.exe
Token: 34	2416	WMIC.exe
Token: 35	2416	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2416	WMIC.exe
Token: SeSecurityPrivilege	2416	WMIC.exe
Token: SeTakeOwnershipPrivilege	2416	WMIC.exe
Token: SeLoadDriverPrivilege	2416	WMIC.exe
Token: SeSystemProfilePrivilege	2416	WMIC.exe
Token: SeSystemtimePrivilege	2416	WMIC.exe
Token: SeProfSingleProcessPrivilege	2416	WMIC.exe
Token: SeIncBasePriorityPrivilege	2416	WMIC.exe
Token: SeCreatePagefilePrivilege	2416	WMIC.exe
Token: SeBackupPrivilege	2416	WMIC.exe
Token: SeRestorePrivilege	2416	WMIC.exe
Token: SeShutdownPrivilege	2416	WMIC.exe
Token: SeDebugPrivilege	2416	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2416	WMIC.exe
Token: SeRemoteShutdownPrivilege	2416	WMIC.exe
Token: SeUndockPrivilege	2416	WMIC.exe
Token: SeManageVolumePrivilege	2416	WMIC.exe
Token: 33	2416	WMIC.exe
Token: 34	2416	WMIC.exe
Token: 35	2416	WMIC.exe
Token: SeBackupPrivilege	2440	vssvc.exe
Token: SeRestorePrivilege	2440	vssvc.exe
Token: SeAuditPrivilege	2440	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2980	WMIC.exe
Token: SeSecurityPrivilege	2980	WMIC.exe
Token: SeTakeOwnershipPrivilege	2980	WMIC.exe
Token: SeLoadDriverPrivilege	2980	WMIC.exe
Token: SeSystemProfilePrivilege	2980	WMIC.exe
Token: SeSystemtimePrivilege	2980	WMIC.exe
Token: SeProfSingleProcessPrivilege	2980	WMIC.exe
Token: SeIncBasePriorityPrivilege	2980	WMIC.exe
Token: SeCreatePagefilePrivilege	2980	WMIC.exe
Token: SeBackupPrivilege	2980	WMIC.exe
Token: SeRestorePrivilege	2980	WMIC.exe
Token: SeShutdownPrivilege	2980	WMIC.exe
Token: SeDebugPrivilege	2980	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2980	WMIC.exe
Token: SeRemoteShutdownPrivilege	2980	WMIC.exe
Token: SeUndockPrivilege	2980	WMIC.exe
Token: SeManageVolumePrivilege	2980	WMIC.exe
Token: 33	2980	WMIC.exe
Token: 34	2980	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1624	iexplore.exe
1004	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1624	iexplore.exe
1624	iexplore.exe
2844	IEXPLORE.EXE
2844	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2536	2160	VirusShare_55ef5620d1205df70163818bf84688cd.exe	28
PID 2160 wrote to memory of 2536	2160	VirusShare_55ef5620d1205df70163818bf84688cd.exe	28
PID 2160 wrote to memory of 2536	2160	VirusShare_55ef5620d1205df70163818bf84688cd.exe	28
PID 2160 wrote to memory of 2536	2160	VirusShare_55ef5620d1205df70163818bf84688cd.exe	28
PID 2160 wrote to memory of 2644	2160	VirusShare_55ef5620d1205df70163818bf84688cd.exe	29
PID 2160 wrote to memory of 2644	2160	VirusShare_55ef5620d1205df70163818bf84688cd.exe	29
PID 2160 wrote to memory of 2644	2160	VirusShare_55ef5620d1205df70163818bf84688cd.exe	29
PID 2160 wrote to memory of 2644	2160	VirusShare_55ef5620d1205df70163818bf84688cd.exe	29
PID 2536 wrote to memory of 2416	2536	atkqcweumaij.exe	31
PID 2536 wrote to memory of 2416	2536	atkqcweumaij.exe	31
PID 2536 wrote to memory of 2416	2536	atkqcweumaij.exe	31
PID 2536 wrote to memory of 2416	2536	atkqcweumaij.exe	31
PID 2536 wrote to memory of 1576	2536	atkqcweumaij.exe	38
PID 2536 wrote to memory of 1576	2536	atkqcweumaij.exe	38
PID 2536 wrote to memory of 1576	2536	atkqcweumaij.exe	38
PID 2536 wrote to memory of 1576	2536	atkqcweumaij.exe	38
PID 2536 wrote to memory of 1624	2536	atkqcweumaij.exe	39
PID 2536 wrote to memory of 1624	2536	atkqcweumaij.exe	39
PID 2536 wrote to memory of 1624	2536	atkqcweumaij.exe	39
PID 2536 wrote to memory of 1624	2536	atkqcweumaij.exe	39
PID 1624 wrote to memory of 2844	1624	iexplore.exe	40
PID 1624 wrote to memory of 2844	1624	iexplore.exe	40
PID 1624 wrote to memory of 2844	1624	iexplore.exe	40
PID 1624 wrote to memory of 2844	1624	iexplore.exe	40
PID 2536 wrote to memory of 2980	2536	atkqcweumaij.exe	42
PID 2536 wrote to memory of 2980	2536	atkqcweumaij.exe	42
PID 2536 wrote to memory of 2980	2536	atkqcweumaij.exe	42
PID 2536 wrote to memory of 2980	2536	atkqcweumaij.exe	42
PID 2536 wrote to memory of 952	2536	atkqcweumaij.exe	45
PID 2536 wrote to memory of 952	2536	atkqcweumaij.exe	45
PID 2536 wrote to memory of 952	2536	atkqcweumaij.exe	45
PID 2536 wrote to memory of 952	2536	atkqcweumaij.exe	45

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	atkqcweumaij.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	atkqcweumaij.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_55ef5620d1205df70163818bf84688cd.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_55ef5620d1205df70163818bf84688cd.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\atkqcweumaij.exe
  C:\Windows\atkqcweumaij.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2536
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2416
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1576
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1624 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2844
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\ATKQCW~1.EXE
    3⤵
    PID:952
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
  2⤵
  - Deletes itself
  PID:2644

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+hxfkp.html

Filesize
11KB

MD5
4776f312fa22f37c3ab89dc1bbb86855

SHA1
898c2330c951544b37bbb98ece71ff8e46280f7e

SHA256
c808714de080daec00d393c11ce4d2e5e975ba9bdedc4b043ed708ac63449675

SHA512
223b9f5d6ba0823e3116e1c77e55de5b83df2b4a1894dce9e9a201180e00a3a4da1628a377a1930de3b7764883204c807bd146a8dab984a0dff23e3084019113

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+hxfkp.png

Filesize
63KB

MD5
690206a677d8235442846329f3f077eb

SHA1
cf68d208b34cf50fa4fcc9eeda875136ab7fc2a4

SHA256
2d637ec5abae551a84ef1341e7d50c632ee84cc38e61390bdce76391653ac151

SHA512
2c0739a6502ea736a5e1dcddee67865210d9d5fa8a9516d82d9fc266090095653f6eed230b59ff225c2f61694ae282051fe59320e0e8f7c592300091b0ff9c2d

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+hxfkp.txt

Filesize
1KB

MD5
0c0c54b627e614a4183bac2337849ff4

SHA1
ec99ca4c60cb9f433976c308e5390794ad772854

SHA256
814f4b02651650582616adddace540b7421d197f5d6c6e8b34db0be69ca10944

SHA512
208e1dce0574c6291a2316a2735662b538a80c2986211c882b8babaaa5f55705cadfd480858d43b0bb005a0d647627d79291feb8f6b9db164b43bd3f956b7620

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
e6e4c43ac408baa6eac253cb3fb57062

SHA1
568ab91334fc15bb853678126972d4812d735bb5

SHA256
8f6f51b9e042ba406dca6ba8401e4cbfcc35b9cf11c63583de42c6fa4ac8c4e7

SHA512
9536c7ff8197e9a653a84868397e109476caa22132b15e7717cc5e91343381a5ff5a1dc509f8fab82cea7d15e009a1ef0d676b5f34936857d70b40d12fcc3843

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
06b05f7c3fd34b72a198020daff2a610

SHA1
a534e2151a8e8dabe05a166fb95dae1257aff779

SHA256
148c4a37c8c1752443b9efad2810ca3c2c9b144e5a87b30a197af1b8c45383e5

SHA512
429ac082734b469a1368c41bb33263e36e6e04291b7b5e4796f00d87b5222b271e2c3bfff12501bbe4f76d80e9934b291da022ea5a4fa2de55a844b7f627624d

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
4fb97d7efb5902f2ce1a4fc53b608e14

SHA1
586aea07c59c5a9b9e6b9c6bfa90be634ee26bf6

SHA256
df4597254b357ba938658c037150e741df032b2c33cbc6ff55ebee7e02134519

SHA512
17ec1604e78cca3a6576467eece41106793cd7791b41b7cde024a5c8fb5c9f3ec5ec9dc29ce68d6626d6cca9d61d39d4a87f1b446acd90c48a31c3828e83fa1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66b3f4660622d3f0be50d532f6f376ae

SHA1
49fff02a5657d27709dd0734e8819ec73945fb27

SHA256
0339ed370922b1cc27b0a71a5ae22cf15667af8df60b8b1fa642a5f33b725392

SHA512
7e59e74163ff02e99f6177bd5600cd31f123e75875b1acd513ec4b0067b0f932c3424b7376e8a1267aaa474dd4a03cdb28018891162eedca594e25669d169f77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
638a338621eee4a9edef5b763fa45903

SHA1
7f5fe02ff1fa611e84ab66f686acdcfc584735e2

SHA256
9f3db744a3414126331eb6bb5f6833e0a0f2f79eaee7e773ef2daece942f9007

SHA512
c4dfcf6fd8f306854a92cf2903aafad5e5261d42187c2c45339915234b5851c3bf3f4320854742ef4ad5820b185b9ebc150645f5b10dd6615ae2cf4be44be81f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
30a1d41e8fb5d6a51fa8009d46de5f31

SHA1
b209424066e0d2a4d5a7341634a0c1127a3f2b90

SHA256
557929d7b1ec174edbea16271c00b6b54750a308438cccaa324fb7f3db30b873

SHA512
5690e52bbc69f45b39a5449b2a9a0e4035b99e1d35cf682ff134a7a44dbbbeb4c7136bcee4bdb584a98fbd7ee1c8311cd7efc7aa694e6ee9440eb5b99aadad0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b8b36f8421dcfdd345a6186359d597e

SHA1
4c58686360774af9a528ba5745ced0fc0d4c28a6

SHA256
2928165fc09f18c03929bb7405de8c7bf222b12a0ec2dbbd714a4154475ca757

SHA512
d6ca3dcd3cbc53f1990527613b32f633edc5bf5a09cf5a7953f7d7ff03ba3888aea7cf14a4710498b13c15a33cdc9692757dbd6bc56165201039a5ea752d7388

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd4ee2ddd06b7cf1de4e0b95c02a4740

SHA1
36233f3f763f80370214a69498fc527b7b3904a1

SHA256
28ad5a4700aac04f935bc198b0e718ee2ebcc8b2e058ecab01d37a52994ce25e

SHA512
9ca396158f4de95f443a86c2becd17db107ce81ecff504b2319db5685bc0f0670f68decb603289e983cbb0dfde1f26c458b9609a69a34387898ef6036e42ee08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7bbcab32834982c51cc534aab999aad

SHA1
48d0d1c7adc17cc6f665a36ffe36b87bc57aece4

SHA256
e60f6c84fbff4838d3f0a7863d4f3dc5c4295f698302ead1445dc49866b8fcbf

SHA512
33ed27e68f17c38919cf0066e87c7ed260ff6410c0c372eca49408a39687d79eb2c4b6d03ff0753ab3ce0fdaf316ecf81385ef37820b74b3ee33f6ce3a9496f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0daebf37e7d81809ae237ddc0a68e16f

SHA1
e83f4eb8cef637240b30fbbbcca8b928a5ebaf24

SHA256
e121138442f12bda3727de6762877d9b66fa2c5db3033a9ca5a8c7d7badf77c9

SHA512
8477c413c0ba754627128dbd66c13c100f6dc547f010ce7e822de906489fc22d6c24975dddb949e965fc458cdbc8065b5d1031c27e1d88995c851620b90bd0c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1564ee426a8839d0851a7b5e338d83ba

SHA1
d16ddd0ab131bec49b9ccd0a9c5c5e4aec963421

SHA256
013d792f9d7eb6d42371ac88aa6936244c23d6d4aa5970f6cc3c3831af31316b

SHA512
6f38d402befe48e47e84b5edfe76c494d70f504866337ff2e6e0509abcf89ec090d9033cce290da2373777d87348b2b9d808ed17ce6bbab4b8a9581c647eaf56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20d72de1e446cba6a8b4899bfea73e82

SHA1
d6aaa0b5b894ac8500a17dd9f9048fcc61e137e9

SHA256
baccd1aa6e7fd4e8a909ac08ccb9bdb0e13d43a8f6e98573260a4633214c6ff4

SHA512
36233c602fd534b51b16d269b49837250f01da32077f6cb27453873eda39a8386d4c09557e3dfe2e8efbc14aa15f81b87a4f32bf946520f334492048be4fe00a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3880cac61a8e2a601d06b439ff4ea2cd

SHA1
e4a10c88fc2492e7127ef2472f5330908124a2ab

SHA256
e30f854256985b38935a3b8d7ac0d25a017167d246bee0c9692c03610b465092

SHA512
af2e5497d03c66ffe058fac9ce5058b3a418f10e71df108aff723fca709a9b9d796abd8837398d41ea32600c9bf847d01eca808e9239afa6e193508c28cefff1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1530fc1c3abceda1bd8ae950cd506b25

SHA1
2a2a48d4bef521829dfaeeb1d1976a74044e36a4

SHA256
badd71d1edbdc3f9a577b89adb9aacfbcdb22a8e5c526625251e15e824b259f4

SHA512
c9f7c339d2ae3767d3fa89c1dd10a85b942977fa753127ef78b0c2a067cc6a7c2e01728e1a945facfc3fcaeb92f62e5a20c41f1dd2d684eb456b9091724daa0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
413e4452c71c4155e7ebe38a3bb0edab

SHA1
da5667269e9ae779fd1d6553cc275e7b4def7cbf

SHA256
3defee9280dae101784c6b570e4f6ae58befddd13b4ea5000df865574a262b06

SHA512
b9c59824a878162c7c4651763a3cb26ae1c3fb211a10f06b1bfd6cc9f82f20c6634f42a774d8e5ea374e822a351b8ddc8b8269ef31a480a9d8efd26c438f9b8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ead8612a4ac6f4fea5d27aad62e6dde0

SHA1
489d2f62efb6459fbeeaeee0357dfa8c89f13db0

SHA256
0e166c085c5253f6ec7a114a7dcf11ba090517ac4cd5371bdaeab33b48e9031f

SHA512
737b52b379c3914f9e6e767c22da418bfd9a0dddeef78284e8ee781ca4e04c03ef38b4fad4aa156f58f671370f1362c9a8090cfcad92bbb3ed349d78e6c9646a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ae1e71d4d32decc4135e9f71a01a612

SHA1
b0685e60230c07e0ab12a670ecd61240fae27cd9

SHA256
fcd8dd59f95734e925e339acad2962ea3651f3f75428caa680f6bece4ef06bab

SHA512
d28f959f449dc572da9635d446e284d3ea8896c89bec452d4160216368ed8a7f8d1d68dc9b7737b3c0f89469898aba37ce451c3927030ff44c0134c7e1bba5eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f57a9773fbf441c52821e149265ba73b

SHA1
bf6755fe1ae84dcf32e68a1c54f5039c725fff79

SHA256
47000560270990003deb37aa9f46566e04b8061e09cd2984f7020bf0a433881b

SHA512
3cc78d974efea5f8b04ac6b78a35308ee43dbc91170233c59e3b23e1f728fc27b1dff38a29fc20881a1d19915e1588ddb13ad287e3e6969e934548d49d5f9694

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
600ba3f5b27b0f7af47ace755a53bcc3

SHA1
68878c5e3543b0a1874169c6aca389d0f49eac19

SHA256
16033fa7180001484172148a6d1beb951c0b88fce64a8a53703839f568754908

SHA512
8589284e47d01a97d0d2f991406645cc4379933080bbc11721bc69efb39838022f1eb6d87808db5c990e0ff7b782a37f2c4223bf9ddb0a020cefdb10f4c6b159

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0eb60b47d56f4d64c107d8264f3c79b

SHA1
d4bd871dfbe023a97eaf5527e339ac3c8768fe3e

SHA256
3db16d74b5583e70ff18e8ea8c513c0840ac635a44f5fdb4a2ab2e31a7811d62

SHA512
d3c4f2553c113fa179642214419420b7b950887be327a2ee600e7f72882f4e2922ad656e6dab5d023ab7d500758d6965ccb1ff214635df16a24d58eeb76300e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
40ea14d2c75ab958d64c9ae8a6f525bd

SHA1
8d1a765cd68af6a70c43e6d7a3e977962853a3cb

SHA256
a18394b0f459b1ff8b8862419565d4329600bff8ce8c27e33dbfd313f655177d

SHA512
3a2469f241eaae37da6d15b18930104d5e41fc70f8abe7d8552a81696dd88b8fedc530233db1ee0eaf8299a4e820eb85e9644971b3b3e8bdff98a129697b0ddd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33f771334e4f08aed6edc7dcb1086506

SHA1
10c642840d0b29b2a794a7a421f11f0d47f2ea51

SHA256
fe356773a1b374b08dc3ede9c700ee6b9e222ac89317bb8e9b0441a471575841

SHA512
6e28afbb4abeec83348e529bec8ff99d4a3aa7039369875da3bdd18f4269309872066e295d1030a7b4de296a33f0c199f0e4723bdb158e4d4c2e24c2a374f69f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA21C.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA2FD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\atkqcweumaij.exe

Filesize
336KB

MD5
55ef5620d1205df70163818bf84688cd

SHA1
d883ae424be4f1968797f5d1ef3d7968932ab650

SHA256
84b3cdcc6f4bf098bd8574f5137d6ce863c300e6e2a5512cd6744e6f167459ec

SHA512
82f7284808f2e513dac7d3de3cbd13e56699dfa37aa45e936c7b36a7a76ff42ace05d0acb75e454c495a50f0c2d7862114bd9ed23417f1698fc1eb9afcb4b2cd

Download Submit
memory/1004-5980-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/2160-1-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2160-3-0x0000000002240000-0x00000000022C6000-memory.dmp

Filesize
536KB

Download
memory/2160-11-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2536-5236-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2536-5948-0x0000000000710000-0x0000000000796000-memory.dmp

Filesize
536KB

Download
memory/2536-2130-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2536-13-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2536-12-0x0000000000710000-0x0000000000796000-memory.dmp

Filesize
536KB

Download
memory/2536-5979-0x0000000002E90000-0x0000000002E92000-memory.dmp

Filesize
8KB

Download
memory/2536-6467-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2536-5982-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download