teslacrypt | 3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10-06-2024 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_591c7f90216f596b849ef9562b8f155b.exe
Size

424KB
MD5

591c7f90216f596b849ef9562b8f155b
SHA1

f3c185a27c38214418daa50407c9964fd5281d95
SHA256

3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4
SHA512

31cfa0fb8cc85398223b2377a170fbbdf01ad82764611c3c7775c80119bf0b5bd24d1943135ab18a3e1cff123813b0f786d522ea7d5c5387a1f84f8de6fa178f
SSDEEP

12288:Jj6qMoki2//HuarKqen05/QexvmBG3zbblCJxfS6:JjPQ/HdQoq2fOR1

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+bocob.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/D5C4D747DFB2116 2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/D5C4D747DFB2116 3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/D5C4D747DFB2116 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/D5C4D747DFB2116 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/D5C4D747DFB2116 http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/D5C4D747DFB2116 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/D5C4D747DFB2116 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/D5C4D747DFB2116

URLs

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/D5C4D747DFB2116

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/D5C4D747DFB2116

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/D5C4D747DFB2116

http://xlowfznrg4wf7dli.ONION/D5C4D747DFB2116

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (431) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2656	cmd.exe

Drops startup file 3 IoCs

Processes:

sxkdimuynlah.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+bocob.png	sxkdimuynlah.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+bocob.txt	sxkdimuynlah.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+bocob.html	sxkdimuynlah.exe

Executes dropped EXE 1 IoCs

Processes:

sxkdimuynlah.exe

pid	Process
2880	sxkdimuynlah.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sxkdimuynlah.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\uhhivuxkfvex = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\sxkdimuynlah.exe\""	sxkdimuynlah.exe

Drops file in Program Files directory 64 IoCs

Processes:

sxkdimuynlah.exe

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\_RECoVERY_+bocob.txt	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\en-US\_RECoVERY_+bocob.html	sxkdimuynlah.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\_RECoVERY_+bocob.png	sxkdimuynlah.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\_RECoVERY_+bocob.png	sxkdimuynlah.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_RECoVERY_+bocob.txt	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\_RECoVERY_+bocob.txt	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\_RECoVERY_+bocob.html	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\he.pak	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\_RECoVERY_+bocob.html	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\_RECoVERY_+bocob.png	sxkdimuynlah.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_RECoVERY_+bocob.png	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\_RECoVERY_+bocob.html	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\it-IT\_RECoVERY_+bocob.html	sxkdimuynlah.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ku_IQ\_RECoVERY_+bocob.html	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.jpg	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\_RECoVERY_+bocob.png	sxkdimuynlah.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\1047x576black.png	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_RECoVERY_+bocob.txt	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\_RECoVERY_+bocob.txt	sxkdimuynlah.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\te\_RECoVERY_+bocob.txt	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\_RECoVERY_+bocob.html	sxkdimuynlah.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\_RECoVERY_+bocob.txt	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_foggy.png	sxkdimuynlah.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_ButtonGraphic.png	sxkdimuynlah.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\_RECoVERY_+bocob.html	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\_RECoVERY_+bocob.html	sxkdimuynlah.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\_RECoVERY_+bocob.txt	sxkdimuynlah.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_ButtonGraphic.png	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\_RECoVERY_+bocob.html	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\_RECoVERY_+bocob.html	sxkdimuynlah.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\_RECoVERY_+bocob.png	sxkdimuynlah.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\_RECoVERY_+bocob.png	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_right_mouseover.png	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_RECoVERY_+bocob.txt	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_RECoVERY_+bocob.txt	sxkdimuynlah.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Star_Empty.png	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\_RECoVERY_+bocob.png	sxkdimuynlah.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\_RECoVERY_+bocob.html	sxkdimuynlah.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_RECoVERY_+bocob.png	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\_RECoVERY_+bocob.png	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Windows Defender\_RECoVERY_+bocob.png	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\ja-JP\_RECoVERY_+bocob.txt	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\month.png	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\info.png	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\_RECoVERY_+bocob.txt	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\es-ES\_RECoVERY_+bocob.png	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Star_Full.png	sxkdimuynlah.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\_RECoVERY_+bocob.png	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\slideshow_glass_frame.png	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\_RECoVERY_+bocob.txt	sxkdimuynlah.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\_RECoVERY_+bocob.png	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Windows Media Player\Icons\_RECoVERY_+bocob.html	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_RECoVERY_+bocob.txt	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\_RECoVERY_+bocob.txt	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\_RECoVERY_+bocob.html	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\_RECoVERY_+bocob.txt	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\_RECoVERY_+bocob.txt	sxkdimuynlah.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pa\_RECoVERY_+bocob.png	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\_RECoVERY_+bocob.png	sxkdimuynlah.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_docked.png	sxkdimuynlah.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\controllers.js	sxkdimuynlah.exe

Drops file in Windows directory 2 IoCs

Processes:

VirusShare_591c7f90216f596b849ef9562b8f155b.exe

description	ioc	Process
File created	C:\Windows\sxkdimuynlah.exe	VirusShare_591c7f90216f596b849ef9562b8f155b.exe
File opened for modification	C:\Windows\sxkdimuynlah.exe	VirusShare_591c7f90216f596b849ef9562b8f155b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000358f8db1c09d6a6f6793c52ecb0dc75137b4fca8ab769000ae33eceea09e5ab5000000000e800000000200002000000080e2fdb2ac4af5873e8a865baf7f74590b21ca00224edcdad5762615506fb96f20000000979d0a01f26f772dec908c96d555eb9ddcf9268c97f5d0d4f835de3192344c28400000000d13d3e8da3dce2649109fcc6a17cf581df7d0a13d431c6d6912c2c7d222010ee1784dca374acca30497988494e7817a02672dc9247fea7a91ce72953b6a84db	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424181369"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F0D2EA81-271D-11EF-ACD5-4635F953E0C8} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 707d5dc52abbda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000344a727d438b799c92dc793e02b396e200d89509d3593efc28105ef190f55220000000000e800000000200002000000056aa872bb7f0a9fa2eaeb7c4dedce67fb8998b66ecc94f3d9b00b257094663ca900000009195c9761a76063e5278b24d9efe035d89cdc65f51838d83c0a32be3d68eae20bbc38b1d68ef163f0aa45b80228f2a96f9f390be6bd4774d02960db795fe2938b7dab6cee14851bab5e78f1f185ac5e206cfbb908b0d801d5c08faeb8dd678c7f6e6a01224397325d3b9efdc603f001d66c68f08c66b2332b0207b059af78090c5e3b90b5922a279727891052ae962b740000000490ef7a8d68ba331cdccf3c2067f652c902432718064a076cbe7e94c412827cb371734cd2b16aa59d1ad981d24dde115a03b6ea9f8e4709b2ec036d04dd95f38	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
1752	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sxkdimuynlah.exe

pid	Process
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe
2880	sxkdimuynlah.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

VirusShare_591c7f90216f596b849ef9562b8f155b.exesxkdimuynlah.exeWMIC.exevssvc.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	2180	VirusShare_591c7f90216f596b849ef9562b8f155b.exe
Token: SeDebugPrivilege	2880	sxkdimuynlah.exe
Token: SeIncreaseQuotaPrivilege	2828	WMIC.exe
Token: SeSecurityPrivilege	2828	WMIC.exe
Token: SeTakeOwnershipPrivilege	2828	WMIC.exe
Token: SeLoadDriverPrivilege	2828	WMIC.exe
Token: SeSystemProfilePrivilege	2828	WMIC.exe
Token: SeSystemtimePrivilege	2828	WMIC.exe
Token: SeProfSingleProcessPrivilege	2828	WMIC.exe
Token: SeIncBasePriorityPrivilege	2828	WMIC.exe
Token: SeCreatePagefilePrivilege	2828	WMIC.exe
Token: SeBackupPrivilege	2828	WMIC.exe
Token: SeRestorePrivilege	2828	WMIC.exe
Token: SeShutdownPrivilege	2828	WMIC.exe
Token: SeDebugPrivilege	2828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2828	WMIC.exe
Token: SeRemoteShutdownPrivilege	2828	WMIC.exe
Token: SeUndockPrivilege	2828	WMIC.exe
Token: SeManageVolumePrivilege	2828	WMIC.exe
Token: 33	2828	WMIC.exe
Token: 34	2828	WMIC.exe
Token: 35	2828	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2828	WMIC.exe
Token: SeSecurityPrivilege	2828	WMIC.exe
Token: SeTakeOwnershipPrivilege	2828	WMIC.exe
Token: SeLoadDriverPrivilege	2828	WMIC.exe
Token: SeSystemProfilePrivilege	2828	WMIC.exe
Token: SeSystemtimePrivilege	2828	WMIC.exe
Token: SeProfSingleProcessPrivilege	2828	WMIC.exe
Token: SeIncBasePriorityPrivilege	2828	WMIC.exe
Token: SeCreatePagefilePrivilege	2828	WMIC.exe
Token: SeBackupPrivilege	2828	WMIC.exe
Token: SeRestorePrivilege	2828	WMIC.exe
Token: SeShutdownPrivilege	2828	WMIC.exe
Token: SeDebugPrivilege	2828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2828	WMIC.exe
Token: SeRemoteShutdownPrivilege	2828	WMIC.exe
Token: SeUndockPrivilege	2828	WMIC.exe
Token: SeManageVolumePrivilege	2828	WMIC.exe
Token: 33	2828	WMIC.exe
Token: 34	2828	WMIC.exe
Token: 35	2828	WMIC.exe
Token: SeBackupPrivilege	2492	vssvc.exe
Token: SeRestorePrivilege	2492	vssvc.exe
Token: SeAuditPrivilege	2492	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2828	WMIC.exe
Token: SeSecurityPrivilege	2828	WMIC.exe
Token: SeTakeOwnershipPrivilege	2828	WMIC.exe
Token: SeLoadDriverPrivilege	2828	WMIC.exe
Token: SeSystemProfilePrivilege	2828	WMIC.exe
Token: SeSystemtimePrivilege	2828	WMIC.exe
Token: SeProfSingleProcessPrivilege	2828	WMIC.exe
Token: SeIncBasePriorityPrivilege	2828	WMIC.exe
Token: SeCreatePagefilePrivilege	2828	WMIC.exe
Token: SeBackupPrivilege	2828	WMIC.exe
Token: SeRestorePrivilege	2828	WMIC.exe
Token: SeShutdownPrivilege	2828	WMIC.exe
Token: SeDebugPrivilege	2828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2828	WMIC.exe
Token: SeRemoteShutdownPrivilege	2828	WMIC.exe
Token: SeUndockPrivilege	2828	WMIC.exe
Token: SeManageVolumePrivilege	2828	WMIC.exe
Token: 33	2828	WMIC.exe
Token: 34	2828	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid	Process
1812	iexplore.exe
840	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	Process
1812	iexplore.exe
1812	iexplore.exe
2220	IEXPLORE.EXE
2220	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

VirusShare_591c7f90216f596b849ef9562b8f155b.exesxkdimuynlah.exeiexplore.exe

description	pid	Process	procid_target
PID 2180 wrote to memory of 2880	2180	VirusShare_591c7f90216f596b849ef9562b8f155b.exe	29
PID 2180 wrote to memory of 2880	2180	VirusShare_591c7f90216f596b849ef9562b8f155b.exe	29
PID 2180 wrote to memory of 2880	2180	VirusShare_591c7f90216f596b849ef9562b8f155b.exe	29
PID 2180 wrote to memory of 2880	2180	VirusShare_591c7f90216f596b849ef9562b8f155b.exe	29
PID 2180 wrote to memory of 2656	2180	VirusShare_591c7f90216f596b849ef9562b8f155b.exe	30
PID 2180 wrote to memory of 2656	2180	VirusShare_591c7f90216f596b849ef9562b8f155b.exe	30
PID 2180 wrote to memory of 2656	2180	VirusShare_591c7f90216f596b849ef9562b8f155b.exe	30
PID 2180 wrote to memory of 2656	2180	VirusShare_591c7f90216f596b849ef9562b8f155b.exe	30
PID 2880 wrote to memory of 2828	2880	sxkdimuynlah.exe	32
PID 2880 wrote to memory of 2828	2880	sxkdimuynlah.exe	32
PID 2880 wrote to memory of 2828	2880	sxkdimuynlah.exe	32
PID 2880 wrote to memory of 2828	2880	sxkdimuynlah.exe	32
PID 2880 wrote to memory of 1752	2880	sxkdimuynlah.exe	38
PID 2880 wrote to memory of 1752	2880	sxkdimuynlah.exe	38
PID 2880 wrote to memory of 1752	2880	sxkdimuynlah.exe	38
PID 2880 wrote to memory of 1752	2880	sxkdimuynlah.exe	38
PID 2880 wrote to memory of 1812	2880	sxkdimuynlah.exe	39
PID 2880 wrote to memory of 1812	2880	sxkdimuynlah.exe	39
PID 2880 wrote to memory of 1812	2880	sxkdimuynlah.exe	39
PID 2880 wrote to memory of 1812	2880	sxkdimuynlah.exe	39
PID 1812 wrote to memory of 2220	1812	iexplore.exe	41
PID 1812 wrote to memory of 2220	1812	iexplore.exe	41
PID 1812 wrote to memory of 2220	1812	iexplore.exe	41
PID 1812 wrote to memory of 2220	1812	iexplore.exe	41
PID 2880 wrote to memory of 2828	2880	sxkdimuynlah.exe	42
PID 2880 wrote to memory of 2828	2880	sxkdimuynlah.exe	42
PID 2880 wrote to memory of 2828	2880	sxkdimuynlah.exe	42
PID 2880 wrote to memory of 2828	2880	sxkdimuynlah.exe	42
PID 2880 wrote to memory of 1004	2880	sxkdimuynlah.exe	45
PID 2880 wrote to memory of 1004	2880	sxkdimuynlah.exe	45
PID 2880 wrote to memory of 1004	2880	sxkdimuynlah.exe	45
PID 2880 wrote to memory of 1004	2880	sxkdimuynlah.exe	45

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

sxkdimuynlah.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sxkdimuynlah.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	sxkdimuynlah.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_591c7f90216f596b849ef9562b8f155b.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_591c7f90216f596b849ef9562b8f155b.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\sxkdimuynlah.exe
  C:\Windows\sxkdimuynlah.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2880
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1752
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1812 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2220
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\SXKDIM~1.EXE
    3⤵
    PID:1004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
  2⤵
  - Deletes itself
  PID:2656

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+bocob.html

Filesize
8KB

MD5
a43a714e7b148bb5f33b1587e830649d

SHA1
43c14bca4f29660ac782dd3c8f009effa1733c71

SHA256
7d322c7d28b6d86060aa3a2de3cce2c1ec1952ef98101e1cd8864e03dbc3b52b

SHA512
1dc8442d8ae2822aa53822021d2d1fe7009413fac432f48008a06535571557e158f3848e41b172d5f57bf4a651b21368a4dd65e9b945759d757533137f1291f3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+bocob.png

Filesize
65KB

MD5
4e5ac3ee999c08d40b1c05e6f63d86c0

SHA1
4fabf1b0d4e7955eea85c1f38089b995e73a3e62

SHA256
c149b24c7d8df8b2146c5008088b222d58b217facc0ec3c63cee8a77e48a5e0a

SHA512
f245a252e1751daa0e5a545b40f574efa3eb7835e0d0ed4f39a86f07fee23e16cdbc404d4e9ed24882fcc80faf0984fc0acb2966085ab58b1d46069e53e0860e

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+bocob.txt

Filesize
1KB

MD5
550e8ae49f6f962cb2569dbfadf1cde6

SHA1
7a92e215eb4988bb8e74f41f01f3455841a5537e

SHA256
c1244dbb1e4d50584acb99ae14bf4383091cf09f5cb4b7a2e674c362758f8b6e

SHA512
ddb6768a6166bb416cdf4364845e75fad177d8b2fb1e6fb25a093f1994a945f1584083675577abc71fc7f5c7391539570b32d4c146ea88d4620cf29e4e43c85b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
1973a391f7f8b746e7403ec29b2f6c98

SHA1
87a75e6ce62728583547fab6c0b5ca66c9bf4044

SHA256
d856f3651bf6cd8a236155aff550f2b253f52ee3444a568389b4080d2ac47ccb

SHA512
1e5f1890dee1b5d4568928c359ca3971f9962f84000ce2d981887985ff2c0ddc636d136acc6492906ec71983a9eb245d2811d6cbf0c863fc8d0f6a6c84eaff46

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
1023d3ed615fce73b9a18f25957c5fd1

SHA1
88f8fed07183abe746cce4344c5ee7a28871322b

SHA256
7f859df1dfeebb9ad9a7e043970da7b61022cdef217559a01b3b53bb55ae6d2f

SHA512
eaba074ee8a495a7f6025d00dd1bf4f9b5e3184111d1efcc9d3f842931ec69a03f3f44aa5ba947c55b57063a83d306764f56517131e159cda519e8014066b343

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
d08cf4c2ec7050c747d0a58a3283e8dc

SHA1
88dae36bc827b35f6e1bda5a30e5720c14fdadc1

SHA256
8f9085453c609b16ad35fabaacd9014270f22fec9a747a55095197e0863b0e77

SHA512
bd4c8cedf6abbfc92c0801ca98d164781ef5bd9968fed1923bca60ce308871b6e1be59849f418743d44bef81d9ce4dc7a41211d12153d78a6d41dc8653de3e47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3154d0d6db19363fd2243697deb3276a

SHA1
765cba5ff7f264fecbe0b663b704c742fe7cc3f2

SHA256
6b170f24f212c9bb7ea0043a12de23a415d9de9dbfa97b44d22c9e083dcc2759

SHA512
76c300b2bf906e8e92d044a2985ca48c4e068cee192b20d4f18c30636bd6df8b003bb8e60577347fc9dabe276c5753f4d3b4b301506e1b0b8054ef40eb38f5c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
753a477c10c317edfcfbe2f5eabb357d

SHA1
d356bcd14792baa407860113a981d43806fdeb4f

SHA256
e806c5b1c07ab3001cac21bb729733b521561428c7b96a97b78b8a9d8054a255

SHA512
4a1ab0c9f11c0d5b1d8340b9bde909e01169015e4be13545d3193e04e010f7aa346051cde806b0258f30b46342577bbea2bbcbcedb57bab36946395d3153154c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1417a685539d112992e3b0a99cbe5ef

SHA1
51fed92dfb3fc20e2c912baee115b4b8d28cf96c

SHA256
b7891008dde8291af59429761cefcb7f99fbdcbf6385624cca7b3a59a229ab4a

SHA512
a08a371c2273383b420e3384183086271a779caca1d6ecebbfee173f2f50bc39d41d12294c66c8bcc2e8d78632cd052cb4c63041c1b777df4f309e0d43afd84b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51254af38c801734902506d03d6c84dd

SHA1
14eb3abae35b9f95a95228190a6148bd7ee6fd2b

SHA256
63fba4dadaa71a59f2c3f8cffb6814a0d0c5771321e5a62b726d78163cf6ce59

SHA512
5c24cf9c4e46bae69a6ab44496dcf720a92d8b52c8dc6eca7946359d7da16c01d1d25c0e563a4899eac7fb871f694c6abe23ab7b8237a7e1e01e0e9bf3a283b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52b088e4d6efd96a27d272a7c0795ecf

SHA1
438ad3bcd7b91d69ab4aa315b48daf66e64878da

SHA256
a3b914de01ef4c35b274656db20a5b17abad50f4dc82153a92abb24dc53725f0

SHA512
829d527299bf0f6ccbf225b05d43946cb923c6cbe7d71e6bc707f9179599102d4ce3ac8a1030fa429cca23e92980f1937e46742bbc7088993e45ec6cced75fb5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
12afa1c86ed814a0e947c3b15dda5cc1

SHA1
cb7a319f9c5f8cc2f8eb12b519ccd3e021d36de6

SHA256
7d81636b84dab1c3e3d7e19711871bd3c060a1828ddfec264d4de3bb4d67fa35

SHA512
07204dd08c6b3dcb401ccc4b96c2c0d28e6c02c517a14f0beacd38f3f0a742e3784055621d68c686511b332c2512d5ad4a38329044b72fe1b6e6c2ff79e2cef4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9e9fc3adf87b255a656d3a519e6de4b

SHA1
2dce038138eba4a2ead64e54ea20c0d170329ebf

SHA256
c956eda675efd9f3516ceadb01229bba6fc5a0f7399d6be932180d272c266bfd

SHA512
cd8c410c448f1a3ff811defb3e506d8000b3fc08f7dd2048cdb830d8fdb2f03ef38070546a3f1cd58915aa0f391f69117849508ff3fdab0f0eef189637fcfa7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1fde2f36ca287f12e849c6fef9eed349

SHA1
5416c8cc8e33d9fd7390de1d2c7278502d821a31

SHA256
5c1cf8b26a608c62067bbe199d59bbd90e6a79559eba9e145d9252c7e914ab9f

SHA512
1e262dfbe82c1a288b721cc8ee659c131f643d17c0ec9f1f278c574ed343a2711844b57241611dc9041a79ae4eca39d19340a3aeb09db5c3b55cd64e51d71f41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f1dcaf982736662fd2aa185d12b29ec

SHA1
cb83ef44f5581d01fcf7d464792556446d81ef8d

SHA256
c7386e44fcf80688121f5c180893602ab067b907287303be173759375323a115

SHA512
708232a9bfe4752481fee52079949e75abfde0d1a7323006fdfd7e017b017f178fd8a2eca7d44a125854cf47782c9eb8ec7ddad56ce96b56037f6190147c380b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c1d0e4eb9a0affd73966ce2c282dab2

SHA1
d6a24263b74d7cf8bbe5c289da11e0c96e4aeb60

SHA256
d45ea0199633d5d61e484751379fce68d726f8b243c8015c3f0363ce62c3e045

SHA512
fa0153b19abb340c1746e76b9840a548edd09cc19b39d39bc213c49986f9a83f4445d4631dd87679ba6dca76544fae0d8ea81650f6722b1baf26ccaa7c412f89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3526b9a94423a671cd339c1d3f46632a

SHA1
031b200c15340794a67b7da8a79ca8141ff55de8

SHA256
4740f406775dd708f1cc415d67cd12ba665cfefaa02f6d13083f4e892ac4bade

SHA512
2975353fe488ccfd2afa129402319c2cf50468f7ff993ede7d038955196997a84365244c8cda4ed53a05e11908dd7f9f71aef71215a5aa487fbc236f928b64d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf2d517507e397896255281fec05fe95

SHA1
13e1a8209695a95579a6ae00a67c67a7bf213609

SHA256
0b2a27bb593b1fd91c84b22d9a7e4e1151d2fd2ae7f14ac8d8de5570686ec91a

SHA512
960c32c90776072bbbad7445b46f3f7934395874e9b8e5e28bc10c8ff776ac5d63d414127539934c2182860b0fac1a5037635e5526c17a64faf4546b5247ed2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d40ceb6a8b7d05ff6d76d2d81c4c148d

SHA1
dfc272f39aad6e7cd930fc3985c1094bf1158c90

SHA256
342308cd700ad2a295194ea38010382a2ae11e92ae3d47be60b0a44a496408f3

SHA512
881283c6e72d710709201efd5f59d55d027a901afcb90be58059d000c0bdd280c5220e5841a226de551418f9f6ce13ad8fc4934aa1a5dd37832e0efc5c1af321

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
556b5114911fab6b0def2e90100ddc0f

SHA1
8119001d7cc783adf03032135bc558c9bc418861

SHA256
09deb9ed17ad3a911540d51528fcb37ddcdcbf36d358afcb415f56d7a96be25e

SHA512
54013f7b0708e0103797b3215604447e791066bddd5bd88a29714a1b9393f049810442423e9e76881799c7790fbf2828079ef100fd886687222f38f999f69186

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
daed6fa4d59db6f35edcd89612f339c2

SHA1
652ea68c70d3168bd9f29e0916f251e90483cca3

SHA256
5f4b43cd543e7c6449af2108608d85a03a11402549b776a03a7a0c5d586b551c

SHA512
8268f56f5059f33fd9e776825c618a36962bd5ad80c8710330ee9b27603ab62340dfdd90dc9896f055b501c3ad201914ca888bf4135cfbe86849fb9db125cb61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d93de3fcd975752526a077a48c95ea54

SHA1
f43b10d8d8e0b3f9b62e7191ca098f3509c146b7

SHA256
f02d899a0cfc574f19082f858ba2728a3482a12219200937576cb4f5d3d50632

SHA512
2e93693ea9236c2a1062d5b99a295d23c959003d8ba0d35fc8f21976b11130fc1bb8c7d2845cac37d9a8764cacfef725a5bd717a0941bd87d1a009c14e31c03f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5eb46f4c1dc78e162758db896bf607a8

SHA1
9be2f19f79b1f952e18cbb958bcb8d59dff72b3f

SHA256
03073e837e387ad03861421238c8b3413f45974efc9cde0646f156819b8d9ff6

SHA512
cf693656f63f5d1f6473fbd1bb049ca3598a8022e1c2fea7120ba230f99d7ae981acd56998c8249d2a18a0d6d7cafe3388372951f3e5516c098fd0c1a9f075d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fa7f0b3cac5814e923874ca987ad75c

SHA1
98a6cdd8c91ff5a8cd42953175f82188d95be659

SHA256
b53d606b058a13ef2b94756fbbd08930231820702066dc3c2523d11cdbc766ac

SHA512
5c55de1671e6800a3adcf6b431e67ba36e417732427d3559b4785ef10035c26253cd95303ae46896b7f50629fe955bfdfece6d80301a18e944601d35b72603cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab981D.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab989C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar98C1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\sxkdimuynlah.exe

Filesize
424KB

MD5
591c7f90216f596b849ef9562b8f155b

SHA1
f3c185a27c38214418daa50407c9964fd5281d95

SHA256
3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4

SHA512
31cfa0fb8cc85398223b2377a170fbbdf01ad82764611c3c7775c80119bf0b5bd24d1943135ab18a3e1cff123813b0f786d522ea7d5c5387a1f84f8de6fa178f

Download Submit
memory/840-6051-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2180-12-0x0000000002200000-0x0000000002284000-memory.dmp

Filesize
528KB

Download
memory/2180-1-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2180-0-0x0000000002200000-0x0000000002284000-memory.dmp

Filesize
528KB

Download
memory/2180-11-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2880-6050-0x0000000002FB0000-0x0000000002FB2000-memory.dmp

Filesize
8KB

Download
memory/2880-6298-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2880-14-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2880-16-0x0000000000500000-0x0000000000584000-memory.dmp

Filesize
528KB

Download
memory/2880-1569-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2880-5521-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2880-6054-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download