3e7affe327ebbf84f56bccd753c86122e0a1f0e8bf941547bfbcec775ab3ab94

Analysis

max time kernel
130s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-06-2024 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe
Size

608KB
MD5

6a1dd1d327f60aee8509df877c8dc38c
SHA1

a2246029749e47a2532b016f80f5132f431e712f
SHA256

3e7affe327ebbf84f56bccd753c86122e0a1f0e8bf941547bfbcec775ab3ab94
SHA512

c29b9159c1bcb40db1a29cb3d91fc46e5b633db5e09ef52e8996a1d0e9900c153e6b68a7da680747215dbf0b03d34a1259fd17b90da01ff7c45cf1c4abedeaf3
SSDEEP

12288:Ax5WAOBdN/sM6Bn6fKzh1N4mZSZjCQm+OHAp3T2FWdP8CQm+OHAp3T2F99V:OsAOBL/sM6Bn6fKzh1N4mZSbF3HdPmFe

Score

10^/10

defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RECOVER+ilpct.TXT

Ransom Note

__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://akdfrefdkm45tf33fsdfsdf.yamenswash.com/6AE2F11A264784A1 2. http://p4fhmjnsdfbm4w4fdsc.avowvoice.com/6AE2F11A264784A1 3. http://nn54djhfnrnm4dnjnerfsd.replylaten.at/6AE2F11A264784A1 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization 3. Type in the address bar: fwgrhsao3aoml7ej.onion/6AE2F11A264784A1 4. Follow the instructions on the site. !!! IMPORTANT INFORMATION: !!! Your personal pages: http://akdfrefdkm45tf33fsdfsdf.yamenswash.com/6AE2F11A264784A1 http://p4fhmjnsdfbm4w4fdsc.avowvoice.com/6AE2F11A264784A1 http://nn54djhfnrnm4dnjnerfsd.replylaten.at/6AE2F11A264784A1 !!! Your personal page Tor-Browser: fwgrhsao3aoml7ej.onion/6AE2F11A264784A1 !!! Your personal identification ID: 6AE2F11A264784A1

URLs

http://akdfrefdkm45tf33fsdfsdf.yamenswash.com/6AE2F11A264784A1

http://p4fhmjnsdfbm4w4fdsc.avowvoice.com/6AE2F11A264784A1

http://nn54djhfnrnm4dnjnerfsd.replylaten.at/6AE2F11A264784A1

http://fwgrhsao3aoml7ej.onion/6AE2F11A264784A1

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (420) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2552 cmd.exe

pid	process
2552	cmd.exe

Drops startup file 3 IoCs

Processes:

ktuxobpsj.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RECOVER+ilpct.PNG	ktuxobpsj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RECOVER+ilpct.TXT	ktuxobpsj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RECOVER+ilpct.HTM	ktuxobpsj.exe

Executes dropped EXE 4 IoCs

Processes:

ktuxobpsj.exektuxobpsj.exeohxaf.exepeeop.exe

pid process

1968 ktuxobpsj.exe
2672 ktuxobpsj.exe
2484 ohxaf.exe
2364 peeop.exe
Loads dropped DLL 2 IoCs

Processes:

ktuxobpsj.exe

pid process

2672 ktuxobpsj.exe
2672 ktuxobpsj.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1968	ktuxobpsj.exe
2672	ktuxobpsj.exe
2484	ohxaf.exe
2364	peeop.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ktuxobpsj.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\addon_v57 = "C:\\Windows\\ktuxobpsj.exe"	ktuxobpsj.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exektuxobpsj.exe

description	pid	process	target process
PID 2328 set thread context of 2616	2328	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe
PID 1968 set thread context of 2672	1968	ktuxobpsj.exe	ktuxobpsj.exe

Drops file in Program Files directory 64 IoCs

Processes:

ktuxobpsj.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\RECOVER+ilpct.HTM	ktuxobpsj.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\RECOVER+ilpct.HTM	ktuxobpsj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\RECOVER+ilpct.HTM	ktuxobpsj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\library.js	ktuxobpsj.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\RECOVER+ilpct.TXT	ktuxobpsj.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\RECOVER+ilpct.TXT	ktuxobpsj.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt	ktuxobpsj.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\RECOVER+ilpct.HTM	ktuxobpsj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\RECOVER+ilpct.HTM	ktuxobpsj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\RECOVER+ilpct.HTM	ktuxobpsj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\37.png	ktuxobpsj.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\RECOVER+ilpct.TXT	ktuxobpsj.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\pushplaysubpicture.png	ktuxobpsj.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\RECOVER+ilpct.TXT	ktuxobpsj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\RECOVER+ilpct.HTM	ktuxobpsj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\RECOVER+ilpct.HTM	ktuxobpsj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_dot.png	ktuxobpsj.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	ktuxobpsj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\RECOVER+ilpct.TXT	ktuxobpsj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_up.png	ktuxobpsj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\RECOVER+ilpct.HTM	ktuxobpsj.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-over-select.png	ktuxobpsj.exe
File opened for modification	C:\Program Files\Google\RECOVER+ilpct.PNG	ktuxobpsj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\RECOVER+ilpct.TXT	ktuxobpsj.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\RECOVER+ilpct.HTM	ktuxobpsj.exe
File opened for modification	C:\Program Files\Windows Sidebar\en-US\RECOVER+ilpct.PNG	ktuxobpsj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\RECOVER+ilpct.TXT	ktuxobpsj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\icon.png	ktuxobpsj.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\RECOVER+ilpct.HTM	ktuxobpsj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\RECOVER+ilpct.HTM	ktuxobpsj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\RECOVER+ilpct.PNG	ktuxobpsj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\RECOVER+ilpct.HTM	ktuxobpsj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\RSSFeeds.js	ktuxobpsj.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\RECOVER+ilpct.HTM	ktuxobpsj.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\en-US\RECOVER+ilpct.HTM	ktuxobpsj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\RECOVER+ilpct.PNG	ktuxobpsj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\RECOVER+ilpct.PNG	ktuxobpsj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\RECOVER+ilpct.PNG	ktuxobpsj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\RECOVER+ilpct.PNG	ktuxobpsj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\RECOVER+ilpct.PNG	ktuxobpsj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\RECOVER+ilpct.HTM	ktuxobpsj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\4.png	ktuxobpsj.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref_PAL.wmv	ktuxobpsj.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport.wmv	ktuxobpsj.exe
File opened for modification	C:\Program Files\MSBuild\RECOVER+ilpct.PNG	ktuxobpsj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\RECOVER+ilpct.HTM	ktuxobpsj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\RECOVER+ilpct.PNG	ktuxobpsj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)grayStateIcon.png	ktuxobpsj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_partly-cloudy.png	ktuxobpsj.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\RECOVER+ilpct.PNG	ktuxobpsj.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\es-ES\RECOVER+ilpct.TXT	ktuxobpsj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full_partly-cloudy.png	ktuxobpsj.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG_PAL.wmv	ktuxobpsj.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\RECOVER+ilpct.HTM	ktuxobpsj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ckb\RECOVER+ilpct.TXT	ktuxobpsj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\RECOVER+ilpct.HTM	ktuxobpsj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\RECOVER+ilpct.PNG	ktuxobpsj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\RECOVER+ilpct.PNG	ktuxobpsj.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\RECOVER+ilpct.HTM	ktuxobpsj.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\RECOVER+ilpct.PNG	ktuxobpsj.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\RECOVER+ilpct.HTM	ktuxobpsj.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RECOVER+ilpct.PNG	ktuxobpsj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\RECOVER+ilpct.HTM	ktuxobpsj.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\RECOVER+ilpct.PNG	ktuxobpsj.exe

Drops file in Windows directory 2 IoCs

Processes:

VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe

description	ioc	process
File created	C:\Windows\ktuxobpsj.exe	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe
File opened for modification	C:\Windows\ktuxobpsj.exe	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2804 vssadmin.exe
2260 vssadmin.exe

pid	process
2804	vssadmin.exe
2260	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000030382b7c031650438220e230e105c98f00000000020000000000106600000001000020000000bbb67ddddbbec01841f4a3b2d8d7d97b409c67ba47d19978b372ae00c16a5039000000000e8000000002000020000000d9676515b44125e6af79e3f0ad3168e5ace9f358ac2c77aee26f9d40624a989720000000bf4def1ce773bbfeb1d3d2d7dc897cd3289df26b2b0931ee802a615a4393715d400000001ed6b2833e700284e7521bfcdf56b0563c334ec0aa60f87326ead665dcad9afde9566b0c273d697f3f1ec75ee071f697490fadaf416f73bcd203b24b1f20fb62	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000030382b7c031650438220e230e105c98f00000000020000000000106600000001000020000000350f4872085691a2108b7df7cadc1dbca643d28874df6245c5f00ce0007ff44c000000000e8000000002000020000000a279389665dbf82cea259029fe95e4a1c23d330fa0c9230068976f94a71106b1900000006937ca73f7982b1f6fb83aa2af90933564727ca366761fe202606445d6437703413f23434018c546fcdda9428ae2318a9379d87f6dbe185b133412a2afd2ac0bed8c34cca6771f1c5fb333290ac1bc1e2b8e1fd22abd759d58810d2523d0a2ce615d20624e2d61d01819a3ba27b11cf7fae24af45961c2682a9395eee7907ce20e90c51c2cc994c685e90861302ba64d40000000230a6ed9c0ed732da13a93e3efd31cd6dbb0f8210f94863f7e9130dfa9f19dc536c303e1bb413d5045f0b4df13605c4e3a1fc4d35696105fb9609eaae7c55d2e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20125ef32abbda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1EE42101-271E-11EF-82E1-DE62917EBCA6} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

932 NOTEPAD.EXE

pid	process
932	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ktuxobpsj.exe

pid	process
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe
2672	ktuxobpsj.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exektuxobpsj.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2616	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe
Token: SeDebugPrivilege	2672	ktuxobpsj.exe
Token: SeBackupPrivilege	1844	vssvc.exe
Token: SeRestorePrivilege	1844	vssvc.exe
Token: SeAuditPrivilege	1844	vssvc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

1732 iexplore.exe
2908 DllHost.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exektuxobpsj.exeiexplore.exeIEXPLORE.EXE

pid process

2328 VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe
1968 ktuxobpsj.exe
1732 iexplore.exe
1732 iexplore.exe
3060 IEXPLORE.EXE
3060 IEXPLORE.EXE

pid	process
1732	iexplore.exe
2908	DllHost.exe

pid	process
2328	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe
1968	ktuxobpsj.exe
1732	iexplore.exe
1732	iexplore.exe
3060	IEXPLORE.EXE
3060	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exeVirusShare_6a1dd1d327f60aee8509df877c8dc38c.exektuxobpsj.exektuxobpsj.exeohxaf.exeiexplore.exepeeop.exe

description	pid	process	target process
PID 2328 wrote to memory of 2616	2328	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe
PID 2328 wrote to memory of 2616	2328	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe
PID 2328 wrote to memory of 2616	2328	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe
PID 2328 wrote to memory of 2616	2328	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe
PID 2328 wrote to memory of 2616	2328	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe
PID 2328 wrote to memory of 2616	2328	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe
PID 2328 wrote to memory of 2616	2328	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe
PID 2328 wrote to memory of 2616	2328	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe
PID 2328 wrote to memory of 2616	2328	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe
PID 2328 wrote to memory of 2616	2328	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe
PID 2328 wrote to memory of 2616	2328	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe
PID 2616 wrote to memory of 1968	2616	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe	ktuxobpsj.exe
PID 2616 wrote to memory of 1968	2616	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe	ktuxobpsj.exe
PID 2616 wrote to memory of 1968	2616	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe	ktuxobpsj.exe
PID 2616 wrote to memory of 1968	2616	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe	ktuxobpsj.exe
PID 2616 wrote to memory of 2552	2616	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe	cmd.exe
PID 2616 wrote to memory of 2552	2616	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe	cmd.exe
PID 2616 wrote to memory of 2552	2616	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe	cmd.exe
PID 2616 wrote to memory of 2552	2616	VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe	cmd.exe
PID 1968 wrote to memory of 2672	1968	ktuxobpsj.exe	ktuxobpsj.exe
PID 1968 wrote to memory of 2672	1968	ktuxobpsj.exe	ktuxobpsj.exe
PID 1968 wrote to memory of 2672	1968	ktuxobpsj.exe	ktuxobpsj.exe
PID 1968 wrote to memory of 2672	1968	ktuxobpsj.exe	ktuxobpsj.exe
PID 1968 wrote to memory of 2672	1968	ktuxobpsj.exe	ktuxobpsj.exe
PID 1968 wrote to memory of 2672	1968	ktuxobpsj.exe	ktuxobpsj.exe
PID 1968 wrote to memory of 2672	1968	ktuxobpsj.exe	ktuxobpsj.exe
PID 1968 wrote to memory of 2672	1968	ktuxobpsj.exe	ktuxobpsj.exe
PID 1968 wrote to memory of 2672	1968	ktuxobpsj.exe	ktuxobpsj.exe
PID 1968 wrote to memory of 2672	1968	ktuxobpsj.exe	ktuxobpsj.exe
PID 1968 wrote to memory of 2672	1968	ktuxobpsj.exe	ktuxobpsj.exe
PID 2672 wrote to memory of 2484	2672	ktuxobpsj.exe	ohxaf.exe
PID 2672 wrote to memory of 2484	2672	ktuxobpsj.exe	ohxaf.exe
PID 2672 wrote to memory of 2484	2672	ktuxobpsj.exe	ohxaf.exe
PID 2672 wrote to memory of 2484	2672	ktuxobpsj.exe	ohxaf.exe
PID 2484 wrote to memory of 2804	2484	ohxaf.exe	vssadmin.exe
PID 2484 wrote to memory of 2804	2484	ohxaf.exe	vssadmin.exe
PID 2484 wrote to memory of 2804	2484	ohxaf.exe	vssadmin.exe
PID 2484 wrote to memory of 2804	2484	ohxaf.exe	vssadmin.exe
PID 2672 wrote to memory of 932	2672	ktuxobpsj.exe	NOTEPAD.EXE
PID 2672 wrote to memory of 932	2672	ktuxobpsj.exe	NOTEPAD.EXE
PID 2672 wrote to memory of 932	2672	ktuxobpsj.exe	NOTEPAD.EXE
PID 2672 wrote to memory of 932	2672	ktuxobpsj.exe	NOTEPAD.EXE
PID 2672 wrote to memory of 1732	2672	ktuxobpsj.exe	iexplore.exe
PID 2672 wrote to memory of 1732	2672	ktuxobpsj.exe	iexplore.exe
PID 2672 wrote to memory of 1732	2672	ktuxobpsj.exe	iexplore.exe
PID 2672 wrote to memory of 1732	2672	ktuxobpsj.exe	iexplore.exe
PID 1732 wrote to memory of 3060	1732	iexplore.exe	IEXPLORE.EXE
PID 1732 wrote to memory of 3060	1732	iexplore.exe	IEXPLORE.EXE
PID 1732 wrote to memory of 3060	1732	iexplore.exe	IEXPLORE.EXE
PID 1732 wrote to memory of 3060	1732	iexplore.exe	IEXPLORE.EXE
PID 2672 wrote to memory of 2364	2672	ktuxobpsj.exe	peeop.exe
PID 2672 wrote to memory of 2364	2672	ktuxobpsj.exe	peeop.exe
PID 2672 wrote to memory of 2364	2672	ktuxobpsj.exe	peeop.exe
PID 2672 wrote to memory of 2364	2672	ktuxobpsj.exe	peeop.exe
PID 2364 wrote to memory of 2260	2364	peeop.exe	vssadmin.exe
PID 2364 wrote to memory of 2260	2364	peeop.exe	vssadmin.exe
PID 2364 wrote to memory of 2260	2364	peeop.exe	vssadmin.exe
PID 2364 wrote to memory of 2260	2364	peeop.exe	vssadmin.exe
PID 2672 wrote to memory of 800	2672	ktuxobpsj.exe	cmd.exe
PID 2672 wrote to memory of 800	2672	ktuxobpsj.exe	cmd.exe
PID 2672 wrote to memory of 800	2672	ktuxobpsj.exe	cmd.exe
PID 2672 wrote to memory of 800	2672	ktuxobpsj.exe	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_6a1dd1d327f60aee8509df877c8dc38c.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\ktuxobpsj.exe
    C:\Windows\ktuxobpsj.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Windows\ktuxobpsj.exe
      C:\Windows\ktuxobpsj.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Users\Admin\Documents\ohxaf.exe
        
        C:\Users\Admin\Documents\ohxaf.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2484
      - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        6⤵
        Interacts with shadow copies
        
        PID:2804
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_H_e_l_p_RECOVER_INSTRUCTIONS.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:932
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_H_e_l_p_RECOVER_INSTRUCTIONS.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1732
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1732 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3060
    - - C:\Users\Admin\Documents\peeop.exe
        
        C:\Users\Admin\Documents\peeop.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2364
      - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        6⤵
        Interacts with shadow copies
        
        PID:2260
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\KTUXOB~1.EXE
        5⤵
        
        PID:800
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
    3⤵
    - Deletes itself
    PID:2552

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RECOVER+ilpct.HTM

Filesize
6KB

MD5
c589c3b61096a2780762dfef3063e9d2

SHA1
e3f85ceb47ecfa7bdfe934a6c37f00e815a8e218

SHA256
757b67ca99c8b0bab2093734411822605cbb5430223a1f52de5256824eb17f9d

SHA512
794ba837d58d00cdccbad6ca2d9342e4d00bc9ce4aaf686081406e5f3eae4e4682eab48063241024158b97fa95bd12c155c91f6f38fd2500280482dd96d430e3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RECOVER+ilpct.PNG

Filesize
66KB

MD5
b0b26809b8396cdb5156110520f77cca

SHA1
b46ec8c60132df2c1a2eb72fd751af818128b3ba

SHA256
6a9aaf2f0ed96c749d60daadc14fe07c67c45ef2282388ea94bb778a13b071de

SHA512
ca7785877bc7aa8153d527abb00b094c808378a20d11538e114c420957a29b277c66c904c606c24873a14c1930ad577ba120f259ed27442d2b998fb4c47ca617

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RECOVER+ilpct.TXT

Filesize
2KB

MD5
c9c2d2b3a5843dc9987aa3cb2a6a2564

SHA1
10cf191cd11b6877b1f62b72d49d16af1bb6cd65

SHA256
c90a1b6450521a21a3a8f8d7940c21adc1859137ecb28c81c5f6a061f3379c69

SHA512
d0fdcb59231d9075160a82e255609d44ece91799fd03d8755a6f8433c3f2e2a0e7d8dca1155b0aebdd86b769c1201ce0f06b7906718f47ad7eaf0571f60bb28d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
fbd13096b94597b7dc8ebc151c579699

SHA1
12fffa009dc3092352206e11d21ecbb03e08ddd7

SHA256
eda7e62e36a3bb5942d19d36ed84c3bee8dff2ba9ece49ef1d00b0c0c272e5f1

SHA512
7cd886ee6b36a1c715110b9dcccb3840b9d6794a1b4b430a2d93afe4b2157131180ca23a5ed395287e33ac8d4c07df13d01e4564f27800a35b45e90b7c73e9a6

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
897aeef33157d0816ede6881c0683f14

SHA1
7a32bd21757c164664c9421fff75d536273c6881

SHA256
f7cc0a5c9c10c4cddc90330f6aa6a4a166e724c7beb18647da3eb70e2e4805ae

SHA512
c42ea5a7be35eaf2d1e97888b3b84ee267294d7766884d3fe6504a27e15da6e79d642a84c1bc73d7d24c705f7d617008ce1fba8ecd9f46511d85e6b7d563ca97

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
9ed8c39d13ae11aa395ef60766e06e4b

SHA1
ce35ad175f16f8829bc5fa6b9fa5699e120962c4

SHA256
07f7ebd1ebf03b5faba523431c2fa81b23987a2268457d25c0ddc7cfaf05118c

SHA512
0280b8a15795a7c816a3db7d287bda2c158aca76ebb926853b9e809ee119f8c5941521f5de11803dc8ba15e87f35bb03c2d9272c43f1f6d516ca719f98631f17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5acb04618005b6a2199d343d7f5291de

SHA1
23f0597384b405c9b0014b3c1b0b4b40589d242b

SHA256
7d7e06e925a5548760ac15ee48751a0886a5cab52d844dd584d5253126e35467

SHA512
7c6021dcf87298cf92fc26eb4028ad5297638fa7e6f5baaa6401a943020a96698d4548de3c1b04a8509ffec079cb347780dfe779fb4de92db80364f5621d36a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
528fc1552decc08df17dfc52be84c27f

SHA1
6275b6f68249fe5400adaee22b287e76c9ec61e7

SHA256
1beab49784935c9e8ce7d443892bcd6888aa6b431c5477125d480e8d0930cbcb

SHA512
43a93c3f1df9ebe445cf33a14b1363c09f568552908ec64316c5be28d20fb4ae7cd108f84fb53adc9a2e7f6c4fe4e8bd899397f6dda8991d9c7763bbd45de526

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
667504836b4a8284e71a7d2bf2353956

SHA1
9f8d33f6544c354be906ccfd2df4e701107a7e16

SHA256
295d660e1db98c94988b932fb69226175e0b0912b58df10cdfe5d3f9dd110778

SHA512
bf39662c8a44c71c151f9a7e2fdf4d8599dd612d667a93cd9cb433cc228a6260d5db0a71902af024e3beab068edbe6b966f4705b2bb89fc02703152cb137fea8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15e0d5cfe4d59e6287c207a2bf6a3f5b

SHA1
0c6286b80c6676d1c5d89fed2dd992a773fbb293

SHA256
2afb6132def1e07476ae0026e6ee4a82d189bd3f74d8031fb6539c0cf5eaca8c

SHA512
acee65a7f549903b18812b7f3ccfa4a86847b8c437a801bf8c03673004efafb61f2656ab7a38468cf5d841ce0aab0d5569f7e0bd36bed34b3f18de8c1bf67967

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
743ba07e05acd4fc0290f2016f369011

SHA1
7a57789dafe7130f871c25735c6bdc0252022305

SHA256
7dcccc18b71ddf3159955e5f40efeb5395a5fd7b4c4b5791a77354e7fc7022fe

SHA512
48c9b86704338c9d0cf9e4ed9c1f87a4a42d783a75a1fc566fdf54cef4ab9ff1977d8879f1ea08bfea157755eed1670355c340398928d5e237a0ef7a9d0725d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da5dec31511a1b0edeb97190f09004ae

SHA1
2fba479742791155d6b056d33a7239812aad3fa4

SHA256
bb34de8779a22c610c4cb23cc7795148ab31b965c249b50ea6b76d90c83fe6ff

SHA512
ba244404fb911952ea4ac1b3d2b4db89e7146b333b515413c36b95aa32929c6079c9501cc17a79fa0220fdfc6fddb364cdc3f537954811adf55727b592cd1c32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9fe10cd913fa22308e783c7dd9484557

SHA1
189113156392db5c80ff0062ede9f44798dad26d

SHA256
d842b8140b79e587b9cb3abaf0e7476c748f056a5d6691283e3b5476d2cb3295

SHA512
43118fbb4dcda4eae29b816965cf771a8ff1552515cba1cea9a744010bd01c5616b2f7ed77c5e38e03d739aef5e00e7106ba9b4b1784fe7b811671d803efb00c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb571c2a0712114016699a410875afd0

SHA1
2195639e1acea0a635b90e5b587dc4eb00cc40c5

SHA256
a9806b5f2c936dc8d190f0982a0885a3c3a0dc715272772092d171717f8e02a3

SHA512
a4874a29a1d522f322bc4903d5e29e8b45c33f666616eae2c486f0d2ac82e9f365429cc53c261a372b82ece68292ca077434e31a1f90dce6a95d3a7c66bfccdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8DFE.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8EE1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\ktuxobpsj.exe

Filesize
608KB

MD5
6a1dd1d327f60aee8509df877c8dc38c

SHA1
a2246029749e47a2532b016f80f5132f431e712f

SHA256
3e7affe327ebbf84f56bccd753c86122e0a1f0e8bf941547bfbcec775ab3ab94

SHA512
c29b9159c1bcb40db1a29cb3d91fc46e5b633db5e09ef52e8996a1d0e9900c153e6b68a7da680747215dbf0b03d34a1259fd17b90da01ff7c45cf1c4abedeaf3

Download Submit
\Users\Admin\Documents\ohxaf.exe

Filesize
3KB

MD5
9dfc75037c8deccc2f1840b249b17750

SHA1
ee37e409cfe2b124e63f98f1797aec0330204b82

SHA256
b5680fd682b7f64e577492c097c825e4a5a00baa82a8668f478640c5f8918da1

SHA512
25e9f3546af040f3cf782b4d6c511517ac0c95cfff8b3afec407c5917427f3129c92495f95873fb67ad928a9c7ef234508ecc9ffd8835da260d8fd1e64ead16e

Download Submit
memory/1968-30-0x0000000000400000-0x00000000007BF000-memory.dmp

Filesize
3.7MB

Download
memory/1968-50-0x0000000000400000-0x00000000007BF000-memory.dmp

Filesize
3.7MB

Download
memory/2328-0-0x00000000003E0000-0x00000000003E3000-memory.dmp

Filesize
12KB

Download
memory/2328-17-0x00000000003E0000-0x00000000003E3000-memory.dmp

Filesize
12KB

Download
memory/2328-1-0x00000000003E0000-0x00000000003E3000-memory.dmp

Filesize
12KB

Download
memory/2616-20-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2616-29-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2616-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2616-10-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2616-16-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2616-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2616-8-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2616-19-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2616-6-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2616-12-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2616-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2672-4545-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2672-6024-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2672-51-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2672-6022-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2672-6021-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2672-6012-0x0000000003E90000-0x0000000003E92000-memory.dmp

Filesize
8KB

Download
memory/2672-6006-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2672-766-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2672-1850-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2672-49-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2672-57-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2672-59-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2908-6013-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download