teslacrypt | 65de2df558ebb2488ba1e50bc6fa2ccd2a168fa322b86387e9849b24772fef61

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
10-06-2024 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_6e1521accd328e43641c8c71ebbde64c.exe
Size

360KB
MD5

6e1521accd328e43641c8c71ebbde64c
SHA1

7a82cfbb067c0b189dc1fa10e916fe763a5e8356
SHA256

65de2df558ebb2488ba1e50bc6fa2ccd2a168fa322b86387e9849b24772fef61
SHA512

827cc80559b04443904fdee9aea46ef7bc22dc28f89369b83a9508a9b54de7d30b627c71740f6a8ac9f89f49d9a614dc3fa84bad57d9fbb934b4e00ced60e4e2
SSDEEP

6144:z6qgoL9xGn4FfcPhe6szbYKMGFtOf7ipZz/aYIZC3FqTzELSyH5vuNAvwu:h9xGbKMAIf7i7vF3FqnEpvmAvB

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+udpch.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/DDC34210EBC7223 2. http://tes543berda73i48fsdfsd.keratadze.at/DDC34210EBC7223 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/DDC34210EBC7223 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/DDC34210EBC7223 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/DDC34210EBC7223 http://tes543berda73i48fsdfsd.keratadze.at/DDC34210EBC7223 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/DDC34210EBC7223 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/DDC34210EBC7223

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/DDC34210EBC7223

http://tes543berda73i48fsdfsd.keratadze.at/DDC34210EBC7223

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/DDC34210EBC7223

http://xlowfznrg4wf7dli.ONION/DDC34210EBC7223

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (430) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2544 cmd.exe

pid	process
2544	cmd.exe

Drops startup file 3 IoCs

Processes:

xrnlxbsxkdim.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+udpch.png	xrnlxbsxkdim.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+udpch.txt	xrnlxbsxkdim.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+udpch.html	xrnlxbsxkdim.exe

Executes dropped EXE 1 IoCs

Processes:

xrnlxbsxkdim.exe

pid process

2724 xrnlxbsxkdim.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

xrnlxbsxkdim.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ojhywytgvhfs = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\xrnlxbsxkdim.exe\""	xrnlxbsxkdim.exe

Drops file in Program Files directory 64 IoCs

Processes:

xrnlxbsxkdim.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\_RECOVERY_+udpch.png	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\_RECOVERY_+udpch.png	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\clock.css	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\_RECOVERY_+udpch.png	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ko.pak	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\back.png	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\_RECOVERY_+udpch.txt	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\_RECOVERY_+udpch.txt	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_RECOVERY_+udpch.txt	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Windows Sidebar\ja-JP\_RECOVERY_+udpch.txt	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\_RECOVERY_+udpch.html	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\_RECOVERY_+udpch.html	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\_RECOVERY_+udpch.txt	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\26.png	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\_RECOVERY_+udpch.txt	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\_RECOVERY_+udpch.txt	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\_RECOVERY_+udpch.png	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\my\_RECOVERY_+udpch.html	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_On.png	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter_partly-cloudy.png	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\_RECOVERY_+udpch.png	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\_RECOVERY_+udpch.html	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\_RECOVERY_+udpch.png	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\_RECOVERY_+udpch.html	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_sun.png	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\_RECOVERY_+udpch.html	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\de-DE\_RECOVERY_+udpch.txt	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\timeZones.js	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_settings.png	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\_RECOVERY_+udpch.html	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\_RECOVERY_+udpch.png	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\_RECOVERY_+udpch.txt	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_RECOVERY_+udpch.png	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\PopReceive.txt	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\_RECOVERY_+udpch.png	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\_RECOVERY_+udpch.html	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\_RECOVERY_+udpch.png	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Main_Background_QuickLaunch.png	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\_RECOVERY_+udpch.html	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\_RECOVERY_+udpch.png	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sl.pak	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\_RECOVERY_+udpch.txt	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\_RECOVERY_+udpch.html	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\de-DE\_RECOVERY_+udpch.html	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\_RECOVERY_+udpch.png	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.png	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\_RECOVERY_+udpch.txt	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\settings.css	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\_RECOVERY_+udpch.html	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_100_percent.pak	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-background.png	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\_RECOVERY_+udpch.html	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_RECOVERY_+udpch.png	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\library.js	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	xrnlxbsxkdim.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\_RECOVERY_+udpch.txt	xrnlxbsxkdim.exe

Drops file in Windows directory 2 IoCs

Processes:

VirusShare_6e1521accd328e43641c8c71ebbde64c.exe

description	ioc	process
File created	C:\Windows\xrnlxbsxkdim.exe	VirusShare_6e1521accd328e43641c8c71ebbde64c.exe
File opened for modification	C:\Windows\xrnlxbsxkdim.exe	VirusShare_6e1521accd328e43641c8c71ebbde64c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424181393"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FF1064B1-271D-11EF-A339-D22A4FF6EED8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000007599b79a6660742bf8ade3842ce07a900000000020000000000106600000001000020000000a7495874b7a5aac7426e9e999a6e172d2f8891f4efb09a338d776dd195b408ae000000000e8000000002000020000000a9013b412d590c41449f18d7334ecde1751218f37552860d3a3775a5fb6098fa9000000046a12509d2d1663da47d28fa2a298588d80ed3460854d7b3d6b87906408358c59273d08e56968f69dbdbcb2752c5e9d5131fd8d54064053d657929b09edbf4948ae376719de8a7a22aeaec239d052f8693cfa381ca562befc46856fbbc3ba2fbb2d878afee653dc03372c9e7991a82951962233dfd157afb428deedbd729abe29fa8f23b80b6e8b6ae4f9968dfed4d6e40000000856405594ce9a90f92d4319bc789b22459871b2a7fb820b6009c4ba236c869cf170d28bae5007b0d8b39ebfdff371ae4dd751affd028c2f827aa58e859a79dc9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000007599b79a6660742bf8ade3842ce07a9000000000200000000001066000000010000200000000a31d6ab63e53cdef378df3d4d7c659e5efae6f6b259d51c59849f11d315091a000000000e8000000002000020000000e749b8f9a4fe1c07dcba754011f218f2d4bfe59b8f3021fba5e788103a4c8d1a20000000efbcedc949c50f8711b05331d607efe0e4645eb17fd6db1f1b153b96cee5815b4000000038433d43be6856afdb73048895a888633d7e0fadf98972751cb8db45b71b80dce471c8208e207e972afa7e62bc60621553833a3585ae626d766e46bcb54c1236	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f06e7ed32abbda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1868 NOTEPAD.EXE

pid	process
1868	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

xrnlxbsxkdim.exe

pid	process
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe
2724	xrnlxbsxkdim.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

VirusShare_6e1521accd328e43641c8c71ebbde64c.exexrnlxbsxkdim.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2804	VirusShare_6e1521accd328e43641c8c71ebbde64c.exe
Token: SeDebugPrivilege	2724	xrnlxbsxkdim.exe
Token: SeIncreaseQuotaPrivilege	2708	WMIC.exe
Token: SeSecurityPrivilege	2708	WMIC.exe
Token: SeTakeOwnershipPrivilege	2708	WMIC.exe
Token: SeLoadDriverPrivilege	2708	WMIC.exe
Token: SeSystemProfilePrivilege	2708	WMIC.exe
Token: SeSystemtimePrivilege	2708	WMIC.exe
Token: SeProfSingleProcessPrivilege	2708	WMIC.exe
Token: SeIncBasePriorityPrivilege	2708	WMIC.exe
Token: SeCreatePagefilePrivilege	2708	WMIC.exe
Token: SeBackupPrivilege	2708	WMIC.exe
Token: SeRestorePrivilege	2708	WMIC.exe
Token: SeShutdownPrivilege	2708	WMIC.exe
Token: SeDebugPrivilege	2708	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2708	WMIC.exe
Token: SeRemoteShutdownPrivilege	2708	WMIC.exe
Token: SeUndockPrivilege	2708	WMIC.exe
Token: SeManageVolumePrivilege	2708	WMIC.exe
Token: 33	2708	WMIC.exe
Token: 34	2708	WMIC.exe
Token: 35	2708	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2708	WMIC.exe
Token: SeSecurityPrivilege	2708	WMIC.exe
Token: SeTakeOwnershipPrivilege	2708	WMIC.exe
Token: SeLoadDriverPrivilege	2708	WMIC.exe
Token: SeSystemProfilePrivilege	2708	WMIC.exe
Token: SeSystemtimePrivilege	2708	WMIC.exe
Token: SeProfSingleProcessPrivilege	2708	WMIC.exe
Token: SeIncBasePriorityPrivilege	2708	WMIC.exe
Token: SeCreatePagefilePrivilege	2708	WMIC.exe
Token: SeBackupPrivilege	2708	WMIC.exe
Token: SeRestorePrivilege	2708	WMIC.exe
Token: SeShutdownPrivilege	2708	WMIC.exe
Token: SeDebugPrivilege	2708	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2708	WMIC.exe
Token: SeRemoteShutdownPrivilege	2708	WMIC.exe
Token: SeUndockPrivilege	2708	WMIC.exe
Token: SeManageVolumePrivilege	2708	WMIC.exe
Token: 33	2708	WMIC.exe
Token: 34	2708	WMIC.exe
Token: 35	2708	WMIC.exe
Token: SeBackupPrivilege	2972	vssvc.exe
Token: SeRestorePrivilege	2972	vssvc.exe
Token: SeAuditPrivilege	2972	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2452	WMIC.exe
Token: SeSecurityPrivilege	2452	WMIC.exe
Token: SeTakeOwnershipPrivilege	2452	WMIC.exe
Token: SeLoadDriverPrivilege	2452	WMIC.exe
Token: SeSystemProfilePrivilege	2452	WMIC.exe
Token: SeSystemtimePrivilege	2452	WMIC.exe
Token: SeProfSingleProcessPrivilege	2452	WMIC.exe
Token: SeIncBasePriorityPrivilege	2452	WMIC.exe
Token: SeCreatePagefilePrivilege	2452	WMIC.exe
Token: SeBackupPrivilege	2452	WMIC.exe
Token: SeRestorePrivilege	2452	WMIC.exe
Token: SeShutdownPrivilege	2452	WMIC.exe
Token: SeDebugPrivilege	2452	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2452	WMIC.exe
Token: SeRemoteShutdownPrivilege	2452	WMIC.exe
Token: SeUndockPrivilege	2452	WMIC.exe
Token: SeManageVolumePrivilege	2452	WMIC.exe
Token: 33	2452	WMIC.exe
Token: 34	2452	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

1880 iexplore.exe
2328 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1880 iexplore.exe
1880 iexplore.exe
288 IEXPLORE.EXE
288 IEXPLORE.EXE

pid	process
1880	iexplore.exe
2328	DllHost.exe

pid	process
1880	iexplore.exe
1880	iexplore.exe
288	IEXPLORE.EXE
288	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

VirusShare_6e1521accd328e43641c8c71ebbde64c.exexrnlxbsxkdim.exeiexplore.exe

description	pid	process	target process
PID 2804 wrote to memory of 2724	2804	VirusShare_6e1521accd328e43641c8c71ebbde64c.exe	xrnlxbsxkdim.exe
PID 2804 wrote to memory of 2724	2804	VirusShare_6e1521accd328e43641c8c71ebbde64c.exe	xrnlxbsxkdim.exe
PID 2804 wrote to memory of 2724	2804	VirusShare_6e1521accd328e43641c8c71ebbde64c.exe	xrnlxbsxkdim.exe
PID 2804 wrote to memory of 2724	2804	VirusShare_6e1521accd328e43641c8c71ebbde64c.exe	xrnlxbsxkdim.exe
PID 2804 wrote to memory of 2544	2804	VirusShare_6e1521accd328e43641c8c71ebbde64c.exe	cmd.exe
PID 2804 wrote to memory of 2544	2804	VirusShare_6e1521accd328e43641c8c71ebbde64c.exe	cmd.exe
PID 2804 wrote to memory of 2544	2804	VirusShare_6e1521accd328e43641c8c71ebbde64c.exe	cmd.exe
PID 2804 wrote to memory of 2544	2804	VirusShare_6e1521accd328e43641c8c71ebbde64c.exe	cmd.exe
PID 2724 wrote to memory of 2708	2724	xrnlxbsxkdim.exe	WMIC.exe
PID 2724 wrote to memory of 2708	2724	xrnlxbsxkdim.exe	WMIC.exe
PID 2724 wrote to memory of 2708	2724	xrnlxbsxkdim.exe	WMIC.exe
PID 2724 wrote to memory of 2708	2724	xrnlxbsxkdim.exe	WMIC.exe
PID 2724 wrote to memory of 1868	2724	xrnlxbsxkdim.exe	NOTEPAD.EXE
PID 2724 wrote to memory of 1868	2724	xrnlxbsxkdim.exe	NOTEPAD.EXE
PID 2724 wrote to memory of 1868	2724	xrnlxbsxkdim.exe	NOTEPAD.EXE
PID 2724 wrote to memory of 1868	2724	xrnlxbsxkdim.exe	NOTEPAD.EXE
PID 2724 wrote to memory of 1880	2724	xrnlxbsxkdim.exe	iexplore.exe
PID 2724 wrote to memory of 1880	2724	xrnlxbsxkdim.exe	iexplore.exe
PID 2724 wrote to memory of 1880	2724	xrnlxbsxkdim.exe	iexplore.exe
PID 2724 wrote to memory of 1880	2724	xrnlxbsxkdim.exe	iexplore.exe
PID 1880 wrote to memory of 288	1880	iexplore.exe	IEXPLORE.EXE
PID 1880 wrote to memory of 288	1880	iexplore.exe	IEXPLORE.EXE
PID 1880 wrote to memory of 288	1880	iexplore.exe	IEXPLORE.EXE
PID 1880 wrote to memory of 288	1880	iexplore.exe	IEXPLORE.EXE
PID 2724 wrote to memory of 2452	2724	xrnlxbsxkdim.exe	WMIC.exe
PID 2724 wrote to memory of 2452	2724	xrnlxbsxkdim.exe	WMIC.exe
PID 2724 wrote to memory of 2452	2724	xrnlxbsxkdim.exe	WMIC.exe
PID 2724 wrote to memory of 2452	2724	xrnlxbsxkdim.exe	WMIC.exe
PID 2724 wrote to memory of 1728	2724	xrnlxbsxkdim.exe	cmd.exe
PID 2724 wrote to memory of 1728	2724	xrnlxbsxkdim.exe	cmd.exe
PID 2724 wrote to memory of 1728	2724	xrnlxbsxkdim.exe	cmd.exe
PID 2724 wrote to memory of 1728	2724	xrnlxbsxkdim.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

xrnlxbsxkdim.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xrnlxbsxkdim.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	xrnlxbsxkdim.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_6e1521accd328e43641c8c71ebbde64c.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_6e1521accd328e43641c8c71ebbde64c.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\xrnlxbsxkdim.exe
  C:\Windows\xrnlxbsxkdim.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2724
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1868
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1880 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:288
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\XRNLXB~1.EXE
    3⤵
    PID:1728
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
  2⤵
  - Deletes itself
  PID:2544

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+udpch.html

Filesize
11KB

MD5
5215d2a20537f2db2faaddd80a74aeea

SHA1
470b550187ebc45b809706401dc7711e380969b1

SHA256
5f8a8a2355d100415f786c678af5a4a03164f22100b5c5b8d1d20caba42390b9

SHA512
43d6320ef1d8420241ccb1da5f48bdbd824d066f7b021d897fa1f2dc12290f7901464383b68d7fdd894b57445b30c51e4c6a22ee3a91c419ce933bb8b38510bb

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+udpch.png

Filesize
62KB

MD5
6d883741c890c88278a540e9de4fac0d

SHA1
078ebd66526fff3b130d6e22c71eee5879ccd7ff

SHA256
24d38f2031eb85a162aed70845a80ed08de6804d0035dafb217c7e011fd80fd6

SHA512
6d736ecd8f2fe89b4307415a7043c1556e450240d01fe78599d083f9aedb2dd3d8a7dcacb1afb0bfdfdf918f20679f7baaf78a2a73914696d83e734733afc16d

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+udpch.txt

Filesize
1KB

MD5
dcbae57aeb70afeddc247a4f8d4191e1

SHA1
d7edf9f4fcd27f58961c034e77c7dee722872a1b

SHA256
9145b9c1e39ce8ae3fe4d65cdb2be1a50f2e100650900bf810019f573fafbbf8

SHA512
e5945adcac851c19025f912f3712c38bc948606513aae2635d878eeb272bd3ca6ed8aae375bea515549f272756173871f8dee409285b792bbabefc7b0dda6ca2

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
6d5ba495f87338023b0e99b1f8440fb8

SHA1
1de1b2e93058ef251b49a1e9f269d4e24e35bff3

SHA256
59b4d1e8fefb5fff0c650dfaa76b939ca09433291f627508745ae1827898a0b8

SHA512
f971d35063e9441fdf4c525faf276f25cbeadf2f41dc5343747fb587f56e69e627c41cd9a0caac5dd4b56c4c45d2d378e1bc60702bea987fcd306b9d8d88254e

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
2946422e1ccff23006836546e213463e

SHA1
969f64f07b2f2199a6bfbe31a24f22d8783964eb

SHA256
0b928cd609294a7aa31d23538da9e0458d56cd976147a6f20b123fdef9d70e0a

SHA512
5e176a85ba6eeabfa84b1e771b9788e15188d84676025fab4bbc8e12f130623b3fc39b42d797e232ba85b1746ded743282b7093b07c71acf2453092baa14d4df

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
a6e3ac1528e2313feea4067ce7036ce4

SHA1
6e58261f6c706f85d4b01be1e0be7b04c3d7fbfb

SHA256
ff6e9c5140c1185710affc1c0ead0af9938cea89989672a8b59b785e4f1f3948

SHA512
4188d34ae6f85da214d4448b94684bcb6e1d0126c7f14f10a10e7e86ba813afa81a0440b702c8a2927eea59792c67c81e6c8b62588c4bc7bd40695686021159c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be3a76097f1c71e1f2eed992bd107d1a

SHA1
ef3ec8a75d060e58e75f502d44968226f5bc7b37

SHA256
bbdfa2ec8e960d0138bf693d16c03e8a2eaf6583b9b1a79ef48a6e5c6b0df947

SHA512
37ab7563449d96dee04f9ded2a0a5f9dc1a58cb095ecd361bdc226779730bb27f64261241988aefe17cbae28d64bff7ce8ca016cfac9aa9b6007fce33963c3ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c20841a225848b052d504c0fb41c0bb8

SHA1
53c0079fe472c73be33e6f718499e4a6a4c9e3d5

SHA256
d83af671db2a4e0650f576eae3ef942e5b6a1537533e2033ad5f41672f12f666

SHA512
76b166dcb429be5d88227df04fb19e08870a6dee8d1df7b6d02c2cc037cddca445c8d308a622f4f977701a6e68aa428ff9e843158cd020491efa081e06fd09d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e1f1a7f504ccf1a9bd40b00220acb83

SHA1
c5bf78b5ebcf2e0380cc3d11a7b7e7b3ad976233

SHA256
c53d81749664cc2c57775724e61904ccf2714be38aaa642edffbda5c282983f5

SHA512
c73a383643a8abbfaf44409f61876a6a587d5a2af27ea358aaae405b360f137c997f2ed9eb976dc6c0a63d778739164e48bbf99db5e4c8ffcc39e53f71cdc245

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58152626177548b88c261324364c6368

SHA1
6f8a01c3ec8f0a444062d1ac5750f79ceffe1ca8

SHA256
9974d05ddce0128df60395f99dc2f74ba387e38a1485a92d23fdd13dee72c354

SHA512
f8a776a0be8008d6731d5ab5727579c2272fcf25661a9551eb32cd63b49a8e720d076bbde639548dc9f1681b673cfff290a1cee2980c273e1458e4c5e24cfc38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7019b3ce38cd0281d11c5dcc0f46cb05

SHA1
bfad2a039cf9afaf7c8bba088f49e6b68f2b80ce

SHA256
6de374d7465101d31d0e7fd851efd36446b2681453965586a786e679dbb7ea5f

SHA512
a07effdef2d8137cac36a2835bf53d9c79610906d819902ffd53995c15b823f4f0fbae0e90eda5d4e63509b26a98a44325a1cca3b16a6dd480aca86cb7f39ce7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72d1aa3bf4f14e32717243ba14b1855f

SHA1
c3121402517dcfe3f3c6990aa6dc439a8e292757

SHA256
2f1c06fbb059e9f2a271bbf078fbcd4e5869f7367a8a0ec2c4619947193a56c6

SHA512
35947ca5749d49632de8ac5e8016f6e2e5465b59ac0a4ecabb3a2a8f850593e3ec978e2e1f3984354bbedf019c1d842631d0062aebe9af4ac0483cfc7133dc78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da93df013be524bf56361acdc6d4d93c

SHA1
608afc37679a0e6958844cb4c7976917c825271a

SHA256
ed605c22a0e1fb4a91162f4d31c4591adf32acec3bfbecf54538e5b9caa9e97e

SHA512
9bab9d036eb22c6458f9dc96de59c03cdfef40e4fffa2d709b3ec57af06bcdb1a64bd0dd8b07941de336b07762a44a31fb873c387295b45e85ed434f6d3473c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ad509a3aa82db01483bcebb7db617e5

SHA1
33b2aeef5531c5ff7dcaa4876f23e8976e21d465

SHA256
716dd1d09899c95f8290ab17f086a45626e7cade346085b8dbcc6be1c80a6bd5

SHA512
0f0c6cfb16722a7b8a738b5090ea3cec7d533580c3f65c0ee94d080287f79dfb9fa54111265b63ea3f273e1529baa218f3e2eea540a7c7bcd5a2f1b175322e95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f78804414ba78eba03847c4a9ab111a4

SHA1
94ba2e94ffe1374b36eebf1301eaecb97822f7cf

SHA256
f897b9002b4a363b5cf33244ae4afc9d433e978f95f95c4fda19416161f4fc6e

SHA512
2f614715814998873156cad8c0bc9454084fd9873a73f24743fe7292fd5fa345071f8d74d475db55accc73a5ea2bbaac2dd1de824c6e8f92a37849a8831e0d17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
031136332bf9f26bbf17c211f9ddcea4

SHA1
765930f5540e83fd8915109c2682a97d1ffb01c8

SHA256
515e0f73d2a004fe26abf866a2350b1705e848bd45280698a8f5e5b2b14889cc

SHA512
27aeada134b52dabbe9c4391268513c2f5c015de998f779603a02a7817ea5d891beac4603b0cec2df253c1e9b3a1741b22acaf56b415e316e5750785b4d1b628

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4378f419ee55ea51004aecf829f79f7c

SHA1
764488db52c29c3138a1ebac6b3874492d1b26b7

SHA256
544fc4c94ef02887bb00ca718d6c6747f54111be11c580915d7246ea82ba2ea3

SHA512
0deac6f17f3948f4653348ff9870c84a5f6acf93320a0c14cbf839544920b7197254f3a0be59fc49f649c10e6609cf8b778132d0572f3210a5a0e901195a7ad4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8db57b3b69ef37a4d96db7f1f50d7eb

SHA1
bd22fc19d4df1e6a2f10af6561d372627ba1556d

SHA256
c41bfa75326bcbaaa4262333b70da4cc81f5c0466e6608b0b98002807a2c1786

SHA512
94b7298f12d5e7e249d904c2089dc80139fe44b452412923acb3523dbee3aa05973a791ac63a67e87ae2c1afaebee4ae37ce047389dd56ef8c36d06b9aaef1a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eadcaf8e0a3ecc72f94c0f9f1bef39ba

SHA1
d051855a45f05f50805603b2f73104001c122cf9

SHA256
18c47de8e685a378173fd6f14bd7dbd6465a25a682814435f8a293751ef34557

SHA512
7ff9dbae9744555dbc51affa9221e2eeae423e6afb6171a4e46fb5a96c8ea08a9073c31b58200c68836e31c8a3b5b1a0b28a6b814850a54381755e4476788315

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d506404efd8aa8770bd94699f6bcd56

SHA1
144e75e1e9df55e4aaabc657ac86d84ac757525c

SHA256
44c33a16e55102f7889d6f74e0466cf7def07ae82a26891e85226f100139f3a8

SHA512
f4bf5a2a65a0d4cb7a7a7c5a8511c0aee9a2a34ad0dc9be8ab44623106b96878d59860f9ca854a54cd15f6742a9be68bcfc8a99d93006392e42e798bb1e55cee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae002909e6206f19338f0d8232a589fc

SHA1
aac9951e9cb46fd66fd37400206ec2b8b91ce58a

SHA256
5c175a44222cafbf67ff8ea1461c8dedef5d144a504d9c068226e9702de2f97e

SHA512
94b89ff96980b304aea3847c329648f7c8a04ede68801bf6f04ce18cc77bd76348c480d82af04dad7b8f4c32c0749a97204af45144a04c8c01ff0bf34f267d84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b970e37dd67b916ec42077dfadf2d899

SHA1
2e765a782f003026166ede665e57d408df4568e9

SHA256
37ffb299ae7a0c967570530e8239d19e2991addfa3df6dfb70443f546349393b

SHA512
f4fe0c22a022e1ae885a1d4f3acd8ebfcc1b26c60a9292385e59cb240f124d02f2db425328976be47f7f593a4b03ce30a4084b1059f0a0d9893d8a63de8d483d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b69c607f0ed76c67c68396b574a425f3

SHA1
f88d7af0522c4a07846ae9e04181f7537640911a

SHA256
a737c43ff60be5d45552376762ded83084d0aed2678c8013614eff0dc111b550

SHA512
16e0dc1e1d3dcd0f11b664f2b1a8ba4fe249cafebe1e946ff6381af8a01999e0545f0c3b4182ba984a97d8a82f59a39a5a6e5c74f41639535d25265cdc0b5ade

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be3e39a0ff57b8fde209267fe8a79a98

SHA1
c074b889afa37d706dc17cdd3f3a782faa11e8b8

SHA256
ee6009ef157ad2a762397852cd3d0729880daf9940c017dc4497cd29d1f47230

SHA512
097cc5cde61850a7a4a2a37f2385c7b760e8d57ebabff7908ab4c298bea28b3b905571de66a9d5683166a09856b20c5bdeb2ed4a7e5e1490462cd3459c6f78cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e563a92a4b5cb8cef8739abd4aee0674

SHA1
7c3730ea9a59defca2b52366a68b18be3bcfbec9

SHA256
9206c4e5a9890f7a2873e09c2bd1aa1fc95d9ffa0f087294e2445d0549a3514a

SHA512
a463e631848ae7dc78f2c6d3c165019cfce28827ac02f7835cebcd2a58154c1a2600f6d6a123f0ec598e315aee0bc2ef1bc16bc5d8c50f6fc4b73f4dd76ae5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA70C.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA807.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA80C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\xrnlxbsxkdim.exe

Filesize
360KB

MD5
6e1521accd328e43641c8c71ebbde64c

SHA1
7a82cfbb067c0b189dc1fa10e916fe763a5e8356

SHA256
65de2df558ebb2488ba1e50bc6fa2ccd2a168fa322b86387e9849b24772fef61

SHA512
827cc80559b04443904fdee9aea46ef7bc22dc28f89369b83a9508a9b54de7d30b627c71740f6a8ac9f89f49d9a614dc3fa84bad57d9fbb934b4e00ced60e4e2

Download Submit
memory/2328-6001-0x0000000000180000-0x0000000000182000-memory.dmp

Filesize
8KB

Download
memory/2724-6489-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2724-13-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2724-15-0x0000000000270000-0x00000000002F5000-memory.dmp

Filesize
532KB

Download
memory/2724-1947-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2724-4387-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2724-6000-0x0000000003280000-0x0000000003282000-memory.dmp

Filesize
8KB

Download
memory/2724-6003-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2804-11-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2804-3-0x00000000002A0000-0x0000000000325000-memory.dmp

Filesize
532KB

Download
memory/2804-0-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download