teslacrypt | d898a79292edb0059156844e559cf65ab68819786b1d344dec42993851751740

Analysis

max time kernel
123s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-06-2024 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe
Size

396KB
MD5

8c23e7c480280c24c6b34c9c9bafc05d
SHA1

de75bf5f2115fb3399d2c94966218f91dd9c2362
SHA256

d898a79292edb0059156844e559cf65ab68819786b1d344dec42993851751740
SHA512

04a631fbd1a3aca23956e316716375a77328471025f8391971aa33315ad8245419231f3b9b95229b1999c24c240ae97436ba9fcc3216d1a5b63ff75de9e9edf5
SSDEEP

6144:4T3WR0F1lDPR+bJnm/jtowhxZWVrfQwBcTMMG26uw6fyQ7Q:4T3MA+bJmy4ZKfQRMh6

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+kihme.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/B5D1AA8260558471 2. http://kkd47eh4hdjshb5t.angortra.at/B5D1AA8260558471 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/B5D1AA8260558471 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/B5D1AA8260558471 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/B5D1AA8260558471 http://kkd47eh4hdjshb5t.angortra.at/B5D1AA8260558471 http://ytrest84y5i456hghadefdsd.pontogrot.com/B5D1AA8260558471 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/B5D1AA8260558471

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/B5D1AA8260558471

http://kkd47eh4hdjshb5t.angortra.at/B5D1AA8260558471

http://ytrest84y5i456hghadefdsd.pontogrot.com/B5D1AA8260558471

http://xlowfznrg4wf7dli.ONION/B5D1AA8260558471

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (429) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2352	cmd.exe

Drops startup file 3 IoCs

Processes:

hyuernnclsmh.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+kihme.png	hyuernnclsmh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+kihme.txt	hyuernnclsmh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+kihme.html	hyuernnclsmh.exe

Executes dropped EXE 2 IoCs

Processes:

hyuernnclsmh.exehyuernnclsmh.exe

pid	Process
2600	hyuernnclsmh.exe
1496	hyuernnclsmh.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

hyuernnclsmh.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yldesacoumta = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\hyuernnclsmh.exe\""	hyuernnclsmh.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exehyuernnclsmh.exe

description	pid	Process	procid_target
PID 1580 set thread context of 2492	1580	VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe	28
PID 2600 set thread context of 1496	2600	hyuernnclsmh.exe	34

Drops file in Program Files directory 64 IoCs

Processes:

hyuernnclsmh.exe

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\Recovery+kihme.png	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Common Files\System\ado\Recovery+kihme.png	hyuernnclsmh.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_ButtonGraphic.png	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\picturePuzzle.js	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_right.png	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\Recovery+kihme.html	hyuernnclsmh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\Recovery+kihme.txt	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_s.png	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\Recovery+kihme.txt	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\Recovery+kihme.png	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\Recovery+kihme.html	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\Recovery+kihme.txt	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\Recovery+kihme.html	hyuernnclsmh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\visualization\Recovery+kihme.html	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\Recovery+kihme.png	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Common Files\Services\Recovery+kihme.png	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\mr.pak	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\ja-JP\Recovery+kihme.txt	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\Recovery+kihme.png	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\Recovery+kihme.txt	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\settings.css	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Recovery+kihme.txt	hyuernnclsmh.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\Recovery+kihme.png	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\Recovery+kihme.txt	hyuernnclsmh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\Recovery+kihme.png	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\es-ES\Recovery+kihme.txt	hyuernnclsmh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uk\Recovery+kihme.html	hyuernnclsmh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\Recovery+kihme.txt	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\Recovery+kihme.txt	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\Recovery+kihme.html	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\Recovery+kihme.html	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\Recovery+kihme.html	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Java\jre7\bin\Recovery+kihme.txt	hyuernnclsmh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\Recovery+kihme.png	hyuernnclsmh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\Recovery+kihme.png	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\it-IT\Recovery+kihme.png	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\Recovery+kihme.txt	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\Recovery+kihme.txt	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\Recovery+kihme.txt	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\Recovery+kihme.png	hyuernnclsmh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\Recovery+kihme.txt	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Java\jre7\bin\Recovery+kihme.html	hyuernnclsmh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\Recovery+kihme.txt	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\Recovery+kihme.txt	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\Recovery+kihme.txt	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\Recovery+kihme.html	hyuernnclsmh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\Recovery+kihme.txt	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\Recovery+kihme.txt	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\Recovery+kihme.html	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\Recovery+kihme.html	hyuernnclsmh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\Recovery+kihme.png	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\Recovery+kihme.txt	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_hover.png	hyuernnclsmh.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\1047x576black.png	hyuernnclsmh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\Recovery+kihme.png	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\Recovery+kihme.html	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\Recovery+kihme.png	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\Recovery+kihme.html	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\Recovery+kihme.html	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\Recovery+kihme.txt	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\Recovery+kihme.html	hyuernnclsmh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down_BIDI.png	hyuernnclsmh.exe

Drops file in Windows directory 2 IoCs

Processes:

VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe

description	ioc	Process
File created	C:\Windows\hyuernnclsmh.exe	VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe
File opened for modification	C:\Windows\hyuernnclsmh.exe	VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b0904ef688eeed4f85bf4afa3f137f8c00000000020000000000106600000001000020000000be79798be487a020cb354451a1001d8253984efca3ff5512bfb5941191c08296000000000e8000000002000020000000cbc563d5944c77fc7248ea3d2c68479040367cf82e7c8c12c619b1bd577bc26d900000008b515429077f17993ae2369ee09bc22c581883a108433434ffbcdcd2ffbca393af41be02e1163f727d429aa38c6149e44cb0796d546e14959c841d795e358a5aa29ddda34b29a5a60fefab5e4cde4a2e1cc364987c040ab524a08fca8f58db21e03ac7b8fc4c4d2b1d0a32ec73d9d1e37e225e1b7e973628e8e6374ad521cf5867514ffcd8a3c9e2b945639ecc0066ee400000004ada2987abb8e950f14fbc59d15a8ad3629487f241bc0bf7d34f849d2150e7d1d9d63ea7e0e23b1cd6e79f1dfc38bce9fb264a0086318b185251b066b92e0d02	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8254DDA1-271F-11EF-93E2-EEF45767FDFF} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b0904ef688eeed4f85bf4afa3f137f8c00000000020000000000106600000001000020000000bd4ad6219da06605607029f762239fbfb5e7919844eb26a4ffbb72c1fa4dcc0a000000000e800000000200002000000050c06a426177e50007521a88f34f98550d14dc55a5e33bb0e088cf7f3d2563dd20000000bc3d9631a12ffa1b67bada9ad06dd2a94f2555bc40c160304ccd713ae0b0bfa240000000eed34657b92c0890b38eaad7f24f40f27a4656dbc7712724ed759579ce76d1bbc213014b6b02635484ea88ba7711ce2e39e006ae515cf4cecfab431abb459ca0	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b018d1562cbbda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

hyuernnclsmh.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	hyuernnclsmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	hyuernnclsmh.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	hyuernnclsmh.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	hyuernnclsmh.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	hyuernnclsmh.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	hyuernnclsmh.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
1900	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

hyuernnclsmh.exe

pid	Process
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe
1496	hyuernnclsmh.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exehyuernnclsmh.exeWMIC.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	2492	VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe
Token: SeDebugPrivilege	1496	hyuernnclsmh.exe
Token: SeIncreaseQuotaPrivilege	1536	WMIC.exe
Token: SeSecurityPrivilege	1536	WMIC.exe
Token: SeTakeOwnershipPrivilege	1536	WMIC.exe
Token: SeLoadDriverPrivilege	1536	WMIC.exe
Token: SeSystemProfilePrivilege	1536	WMIC.exe
Token: SeSystemtimePrivilege	1536	WMIC.exe
Token: SeProfSingleProcessPrivilege	1536	WMIC.exe
Token: SeIncBasePriorityPrivilege	1536	WMIC.exe
Token: SeCreatePagefilePrivilege	1536	WMIC.exe
Token: SeBackupPrivilege	1536	WMIC.exe
Token: SeRestorePrivilege	1536	WMIC.exe
Token: SeShutdownPrivilege	1536	WMIC.exe
Token: SeDebugPrivilege	1536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1536	WMIC.exe
Token: SeRemoteShutdownPrivilege	1536	WMIC.exe
Token: SeUndockPrivilege	1536	WMIC.exe
Token: SeManageVolumePrivilege	1536	WMIC.exe
Token: 33	1536	WMIC.exe
Token: 34	1536	WMIC.exe
Token: 35	1536	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2840	WMIC.exe
Token: SeSecurityPrivilege	2840	WMIC.exe
Token: SeTakeOwnershipPrivilege	2840	WMIC.exe
Token: SeLoadDriverPrivilege	2840	WMIC.exe
Token: SeSystemProfilePrivilege	2840	WMIC.exe
Token: SeSystemtimePrivilege	2840	WMIC.exe
Token: SeProfSingleProcessPrivilege	2840	WMIC.exe
Token: SeIncBasePriorityPrivilege	2840	WMIC.exe
Token: SeCreatePagefilePrivilege	2840	WMIC.exe
Token: SeBackupPrivilege	2840	WMIC.exe
Token: SeRestorePrivilege	2840	WMIC.exe
Token: SeShutdownPrivilege	2840	WMIC.exe
Token: SeDebugPrivilege	2840	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2840	WMIC.exe
Token: SeRemoteShutdownPrivilege	2840	WMIC.exe
Token: SeUndockPrivilege	2840	WMIC.exe
Token: SeManageVolumePrivilege	2840	WMIC.exe
Token: 33	2840	WMIC.exe
Token: 34	2840	WMIC.exe
Token: 35	2840	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid	Process
1652	iexplore.exe
380	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	Process
1652	iexplore.exe
1652	iexplore.exe
2220	IEXPLORE.EXE
2220	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exeVirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exehyuernnclsmh.exehyuernnclsmh.exeiexplore.exe

description	pid	Process	procid_target
PID 1580 wrote to memory of 2492	1580	VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe	28
PID 1580 wrote to memory of 2492	1580	VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe	28
PID 1580 wrote to memory of 2492	1580	VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe	28
PID 1580 wrote to memory of 2492	1580	VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe	28
PID 1580 wrote to memory of 2492	1580	VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe	28
PID 1580 wrote to memory of 2492	1580	VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe	28
PID 1580 wrote to memory of 2492	1580	VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe	28
PID 1580 wrote to memory of 2492	1580	VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe	28
PID 1580 wrote to memory of 2492	1580	VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe	28
PID 1580 wrote to memory of 2492	1580	VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe	28
PID 1580 wrote to memory of 2492	1580	VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe	28
PID 2492 wrote to memory of 2600	2492	VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe	29
PID 2492 wrote to memory of 2600	2492	VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe	29
PID 2492 wrote to memory of 2600	2492	VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe	29
PID 2492 wrote to memory of 2600	2492	VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe	29
PID 2492 wrote to memory of 2352	2492	VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe	30
PID 2492 wrote to memory of 2352	2492	VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe	30
PID 2492 wrote to memory of 2352	2492	VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe	30
PID 2492 wrote to memory of 2352	2492	VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe	30
PID 2600 wrote to memory of 1496	2600	hyuernnclsmh.exe	34
PID 2600 wrote to memory of 1496	2600	hyuernnclsmh.exe	34
PID 2600 wrote to memory of 1496	2600	hyuernnclsmh.exe	34
PID 2600 wrote to memory of 1496	2600	hyuernnclsmh.exe	34
PID 2600 wrote to memory of 1496	2600	hyuernnclsmh.exe	34
PID 2600 wrote to memory of 1496	2600	hyuernnclsmh.exe	34
PID 2600 wrote to memory of 1496	2600	hyuernnclsmh.exe	34
PID 2600 wrote to memory of 1496	2600	hyuernnclsmh.exe	34
PID 2600 wrote to memory of 1496	2600	hyuernnclsmh.exe	34
PID 2600 wrote to memory of 1496	2600	hyuernnclsmh.exe	34
PID 2600 wrote to memory of 1496	2600	hyuernnclsmh.exe	34
PID 1496 wrote to memory of 1536	1496	hyuernnclsmh.exe	35
PID 1496 wrote to memory of 1536	1496	hyuernnclsmh.exe	35
PID 1496 wrote to memory of 1536	1496	hyuernnclsmh.exe	35
PID 1496 wrote to memory of 1536	1496	hyuernnclsmh.exe	35
PID 1496 wrote to memory of 1900	1496	hyuernnclsmh.exe	41
PID 1496 wrote to memory of 1900	1496	hyuernnclsmh.exe	41
PID 1496 wrote to memory of 1900	1496	hyuernnclsmh.exe	41
PID 1496 wrote to memory of 1900	1496	hyuernnclsmh.exe	41
PID 1496 wrote to memory of 1652	1496	hyuernnclsmh.exe	42
PID 1496 wrote to memory of 1652	1496	hyuernnclsmh.exe	42
PID 1496 wrote to memory of 1652	1496	hyuernnclsmh.exe	42
PID 1496 wrote to memory of 1652	1496	hyuernnclsmh.exe	42
PID 1652 wrote to memory of 2220	1652	iexplore.exe	44
PID 1652 wrote to memory of 2220	1652	iexplore.exe	44
PID 1652 wrote to memory of 2220	1652	iexplore.exe	44
PID 1652 wrote to memory of 2220	1652	iexplore.exe	44
PID 1496 wrote to memory of 2840	1496	hyuernnclsmh.exe	45
PID 1496 wrote to memory of 2840	1496	hyuernnclsmh.exe	45
PID 1496 wrote to memory of 2840	1496	hyuernnclsmh.exe	45
PID 1496 wrote to memory of 2840	1496	hyuernnclsmh.exe	45
PID 1496 wrote to memory of 2912	1496	hyuernnclsmh.exe	48
PID 1496 wrote to memory of 2912	1496	hyuernnclsmh.exe	48
PID 1496 wrote to memory of 2912	1496	hyuernnclsmh.exe	48
PID 1496 wrote to memory of 2912	1496	hyuernnclsmh.exe	48

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

hyuernnclsmh.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hyuernnclsmh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	hyuernnclsmh.exe

C:\Users\Admin\AppData\Local\Temp\VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Users\Admin\AppData\Local\Temp\VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\hyuernnclsmh.exe
    C:\Windows\hyuernnclsmh.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\hyuernnclsmh.exe
      C:\Windows\hyuernnclsmh.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1496
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:1900
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1652
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1652 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2220
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\HYUERN~1.EXE
        5⤵
        
        PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
    3⤵
    - Deletes itself
    PID:2352

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+kihme.html

Filesize
9KB

MD5
e6f808d818cc3927b5ff279afc7a640c

SHA1
fe62cea942c2846203ba4222e67e2b61a96e6f9a

SHA256
739aa2789b36a1edb0e19e1674e85e9e7a8937c2b0c0941ca37a0f9630cd5b2f

SHA512
c5299e38476aa75623110d1790688914ea1cc26b601e0dd8fe8ac5811177a3f0a9a0b3b6658109978ab2e57435f21a0e77e65660ddbfadf9227f1a8c09e60d98

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+kihme.png

Filesize
63KB

MD5
e0d26677e7273696ab7df6171b8869c5

SHA1
7d577dfcc4b184db16d0876d37d838b079d82641

SHA256
ff83a227977e466c191150d9f499e11764bc308793d913fdab3b75ea7166a497

SHA512
d162ab5e20534597925e58a0602e6c02094e028fa0a360a5897c81da0cc8c9065f9b5cbfeac6a594ca941432b7cf3f225dbebcec6b4faf92deb00eb6878c9615

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+kihme.txt

Filesize
1KB

MD5
5cf6c35a2c3a017f84c99bb5c0cc4b84

SHA1
067e8c269f2e9432ad720b102c624c22de3730ce

SHA256
4f710c1053e537885600cd50cf2a11343785ade289f25ea1589719c871b04fe6

SHA512
fc30bea06e1c5b8610d3727ef1d9c1deaa4a3330d7a40f48cea0d3fa8412fa2e434aec5f8953417153d59d8b740fd4e22b39593a71d4cc95889fbc7a25613aa8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
963bdb41646d4a29c162c1ce09325dcd

SHA1
224751bd89f41da476bfd8a2afcb9e38a7cb6789

SHA256
8f73bfc9216ccd2b41c4a3144ce117a65e95a25c463b6a065ae5c7127b1c2f39

SHA512
3ddc869a988c722ae24b994edea15d39050791968d4fff5b96f390bda2ea76eece40fd7f4da38206733e52fa75218dbc20042dff0d69ffa4b7bad2f696246280

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
3643e6dad41663769f1c80a4ec4cd93d

SHA1
fb49e2eeb3e56b5c24f0f4057aad4db4a7a1fe23

SHA256
4ef0993f1abc6739012c5a9eb1e9f2b93fc09c7e430779c8e06c38e29aeb3fdf

SHA512
c1b252e999bb20686648c36e208da3f8d1ed79ca52dce6874c6472e1a4c2f718a2e811aa806c359512479a5db79dee2591a7bcc399da03f49514625c1fe64ff6

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
ae9152eed841debdd30226aaff62b5d2

SHA1
52d0b4aeae548c5a5f607fdb0b1c80c0bd4d55a8

SHA256
a51f04208e643da8e346819070dcfc758f63d0541429cfb699aa1045098ccd9b

SHA512
9ef9a661add992ec2a931714ae9cab4ba2aac110a8eeed2ee964bcacf9b15c0c1d8c7a4634b53df9c51a637316e1694c6526495aefcab30a6344deb403ee21de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
027e7bc49f9f7bb57f77ccd7eeaf1004

SHA1
055b0c72ea17bc918863f8efbe2f2472663da758

SHA256
8b4dba42b20de0f49b6e7e51dfd596afd26066793d742e3d1d547a49a0acf387

SHA512
9b5619bda7c66c34e855c223e7fa3e307800c68420ac67d201a3f1b7d0bc832b6f6060d648731df2692af6c4d4388565807ae4ecfd9e3f927692bdf12c4e75d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b357f4c3c89f9088c67d959858900c93

SHA1
d10e4142d9a6421aa9a0cb67326f1d2d25545c12

SHA256
d7c8152b723fcaeb84550c2732cf72f20bb9a2c27942fcdd55ae8129830bc821

SHA512
d97fb9f8451ae454f411027efbcbceb72497e672ee42d37973937b5324658c85161aac38faed11dfe013d049ff59bd8e843994691ed1c7fd9d8a2e41e07d1469

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87e33c75521eee23222c854d4424c6ee

SHA1
cf59eb9136696ebf893a307c7be6d405968ec202

SHA256
78d1266f63f8ddc1a118e6c916f01a18afdabcfb72fe0f073f953e62909ab594

SHA512
296f0218080c8c21265f9a7c57c04724efb086bdcebcc1af527ae4226ad174432170349dea9f03d3deeff248df0c025543f55fad15de8f167f38205fbb03dc87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e44df39630a9c06472a02a21349a9a18

SHA1
21dac6687d7f9c4930f68a89ab4d3f89a19b385b

SHA256
7f477e1226c6cea5e978548cf7d83cc39f9ffb7f29cda7bf5dbcde1ee9db4839

SHA512
b36206fdae94cca802f91aa384cc80bfb6ee1b8fa6f52edd5eb83bfbd173018053fd56c9b35141d13b2b6e3d3f456d4682a32218b6afcc5f7a1c26fc59a2a25c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
007a163f998cf6231f603cc41c0e098d

SHA1
7ea9c99217446d36a1a89d78e66943bfa7252e0f

SHA256
03685fe8c0cb8dc5ee96eed77c7aca66cfd3e2ef0e0ea0bfb0dcbed1aefece4d

SHA512
d7fc6906f9359fa421a6944486310e59291b9983654c84a993db7e288a01fb7db560fc9c49c0503aadafa725e8ff364ec3ce84a0be1f06df5ac6ba98bb922300

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab8075135be5c2555c6c0ef77c293313

SHA1
6c3fcb3a07f22adf194794a2c4ce807cc23a3955

SHA256
28923d6c4ea8697da2202cc51325e787670c445bbb3a2b60bb4c9543075cdfdf

SHA512
7ece34c480d9ed8f476339e1331fb6264b39f780ce6fcffc231bb0b3d457fcc63eae71e2a95f7aa03dcc6ab991188071f951d8cbdd1e55230e5bed96344acaee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e9f5a662b545362babdb162826cc713

SHA1
58ccf8034e737e7bd27e34816cb8306e95d18385

SHA256
1b324a955dbb3f6fb294a4e8e3d0f483682901554740c2f9b90c5d509dbce027

SHA512
6463c4532ac7fdfc030c0d467b8f4c9edaa1e774f4cf5465724f307eccd5ca16fc3722e309149a49f55f6610333fe723ead8462135d80b471b1aa13add1cb78e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17751167417fabf4b8cdf69d947ffe7c

SHA1
d87d6a4c8ca26c9538856aca137899ed98c5b211

SHA256
b27775a9e0180e323aee873c91c1e5eeb9da5a7841dc8867e0ccc13eac13f2be

SHA512
95282feb7845538e6b80dc127f6b0f7558b826dd0717e126578f92d2020ce42b9911e2d3389d38d38d0c92feb553e6e358eecc87dba0c7848ca67505270dcf94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92dfe39535ba80dc241ec057ded30e35

SHA1
3931a51445876c447e8c35d687379540e2a21a0b

SHA256
3926057d3917c6abe6b63918f858436768214ea961c0f4f439f1429f266e4182

SHA512
03540f91cdea439d52189ea38bfee0f62e3bf36e81af5baa627f86fb463e9de18e3efdf60bd6fd0bb3662488c798ddb675bd8babccea2447c7ebc6634e7ff1b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad00f8d78d9a9678a170441b0d9b8c5c

SHA1
003a7fe8f5e5bdb5193d0a214b8e4614d004830c

SHA256
768a4f0730484f2939381dcf47855c1bb55358e8016c0e0ab59b539393f1ff42

SHA512
44f47de65b141dc099f50c9cc0d628b43dd59b908175d79e5a59896607edffb903e51f1f8724f5e253c638f277a895d332bd899b2b4483147fbc2ea205f5afdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ee38354261b84f1efe1e1f636cb2448

SHA1
b076080d73e0f1ffc2f6aca85db178aba4e89efd

SHA256
309ed1e313baac6cd421a5fdaf4b74af49595f1c061a1c46cb27be4ef2c11df9

SHA512
10e48e376d7606fb23f11220defafdd24b3e8b0b63d0d3a3707f113dea537e183c89ebe7c413e74f6acc74453f8ac4cb8939f41005e78fe23d8e6dbf25709c9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
4a32f0ff2845dfdd1f2ebb82083bd4e8

SHA1
bc1d6bcd014f02afea5f091d6d10a64f508dc1c4

SHA256
2cc4b1147f957ec607b75cacd4c8d5d8c0d539c5a5a9f6a2c736c95666cc9fb2

SHA512
357687332d1c51408507c7a391d380d18ec514fdefadcb02193f66837636c5df37102472ded16fb45a0d63f771288653c807fb455a49b9350f2b4d871700ab6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3856.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\hyuernnclsmh.exe

Filesize
396KB

MD5
8c23e7c480280c24c6b34c9c9bafc05d

SHA1
de75bf5f2115fb3399d2c94966218f91dd9c2362

SHA256
d898a79292edb0059156844e559cf65ab68819786b1d344dec42993851751740

SHA512
04a631fbd1a3aca23956e316716375a77328471025f8391971aa33315ad8245419231f3b9b95229b1999c24c240ae97436ba9fcc3216d1a5b63ff75de9e9edf5

Download Submit
memory/380-6095-0x0000000000130000-0x0000000000132000-memory.dmp

Filesize
8KB

Download
memory/1496-2037-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1496-4644-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1496-1040-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1496-50-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1496-49-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1496-55-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1496-53-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1496-6124-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1496-6088-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1496-51-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1496-6094-0x0000000003060000-0x0000000003062000-memory.dmp

Filesize
8KB

Download
memory/1496-6097-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1496-6099-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1580-0-0x00000000003E0000-0x00000000003E3000-memory.dmp

Filesize
12KB

Download
memory/1580-1-0x00000000003E0000-0x00000000003E3000-memory.dmp

Filesize
12KB

Download
memory/1580-18-0x00000000003E0000-0x00000000003E3000-memory.dmp

Filesize
12KB

Download
memory/2492-29-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2492-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2492-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2492-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2492-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2492-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2492-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2492-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2492-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2492-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2492-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2600-28-0x0000000000400000-0x0000000000620000-memory.dmp

Filesize
2.1MB

Download