teslacrypt | 4944771164216ccf6811e327befaa3aea12e9247ff731497a94f3c03d5b1b486

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
10-06-2024 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_97ee4e31ab54dd1286221f66882afc62.exe
Size

388KB
MD5

97ee4e31ab54dd1286221f66882afc62
SHA1

ed782ac0c113e6ee1573539927f3374b8c3e859f
SHA256

4944771164216ccf6811e327befaa3aea12e9247ff731497a94f3c03d5b1b486
SHA512

1e62643409d12493e3e53da846b746496ae55ccd207ae3aebc321744a62717ea8bbe74280ec5d7373a3478ba16bd5763711a002fc8778aaf1a6f068ffd80d1b0
SSDEEP

6144:9YMk7V7PQkaYO0iNq/PimTBQNEETJYOo0DldfrvwmjcMVW5OouUI5KtrQ8POyU:9nSdO0iNEPn+TGOoYzwscMSOXUIJ

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+gayhd.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/B295F9176B0B0D9 2. http://kkd47eh4hdjshb5t.angortra.at/B295F9176B0B0D9 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/B295F9176B0B0D9 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/B295F9176B0B0D9 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/B295F9176B0B0D9 http://kkd47eh4hdjshb5t.angortra.at/B295F9176B0B0D9 http://ytrest84y5i456hghadefdsd.pontogrot.com/B295F9176B0B0D9 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/B295F9176B0B0D9

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/B295F9176B0B0D9

http://kkd47eh4hdjshb5t.angortra.at/B295F9176B0B0D9

http://ytrest84y5i456hghadefdsd.pontogrot.com/B295F9176B0B0D9

http://xlowfznrg4wf7dli.ONION/B295F9176B0B0D9

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (433) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2764 cmd.exe

pid	process
2764	cmd.exe

Drops startup file 3 IoCs

Processes:

vonofdilecbn.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+gayhd.png	vonofdilecbn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+gayhd.txt	vonofdilecbn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+gayhd.html	vonofdilecbn.exe

Executes dropped EXE 2 IoCs

Processes:

vonofdilecbn.exevonofdilecbn.exe

pid process

2716 vonofdilecbn.exe
2548 vonofdilecbn.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2716	vonofdilecbn.exe
2548	vonofdilecbn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vonofdilecbn.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\tgcljxcmabti = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\vonofdilecbn.exe\""	vonofdilecbn.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

VirusShare_97ee4e31ab54dd1286221f66882afc62.exevonofdilecbn.exe

description	pid	process	target process
PID 1276 set thread context of 2648	1276	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe
PID 2716 set thread context of 2548	2716	vonofdilecbn.exe	vonofdilecbn.exe

Drops file in Program Files directory 64 IoCs

Processes:

vonofdilecbn.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\keystore\Recovery+gayhd.png	vonofdilecbn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\Recovery+gayhd.png	vonofdilecbn.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\Recovery+gayhd.txt	vonofdilecbn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\blackbars80.png	vonofdilecbn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_thunderstorm.png	vonofdilecbn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576black.png	vonofdilecbn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\Recovery+gayhd.txt	vonofdilecbn.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\Recovery+gayhd.png	vonofdilecbn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_MATTE2_PAL.wmv	vonofdilecbn.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\ja-JP\Recovery+gayhd.txt	vonofdilecbn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\Recovery+gayhd.html	vonofdilecbn.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\Recovery+gayhd.html	vonofdilecbn.exe
File opened for modification	C:\Program Files\Java\jre7\lib\amd64\Recovery+gayhd.png	vonofdilecbn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\lua\Recovery+gayhd.png	vonofdilecbn.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	vonofdilecbn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\Recovery+gayhd.html	vonofdilecbn.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\es-ES\Recovery+gayhd.png	vonofdilecbn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\cpu.css	vonofdilecbn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Recovery+gayhd.html	vonofdilecbn.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	vonofdilecbn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\PreviousMenuButtonIcon.png	vonofdilecbn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\Recovery+gayhd.png	vonofdilecbn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\Recovery+gayhd.png	vonofdilecbn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\layers.png	vonofdilecbn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\logger\Recovery+gayhd.png	vonofdilecbn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\Recovery+gayhd.txt	vonofdilecbn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\Recovery+gayhd.txt	vonofdilecbn.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\Recovery+gayhd.png	vonofdilecbn.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\Recovery+gayhd.html	vonofdilecbn.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\Recovery+gayhd.txt	vonofdilecbn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_settings.png	vonofdilecbn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\cpu.js	vonofdilecbn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\Recovery+gayhd.png	vonofdilecbn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\Recovery+gayhd.html	vonofdilecbn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\Recovery+gayhd.html	vonofdilecbn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\Recovery+gayhd.txt	vonofdilecbn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\Recovery+gayhd.html	vonofdilecbn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\library.js	vonofdilecbn.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoCanary.png	vonofdilecbn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Recovery+gayhd.png	vonofdilecbn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\Recovery+gayhd.txt	vonofdilecbn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\Recovery+gayhd.html	vonofdilecbn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\Recovery+gayhd.html	vonofdilecbn.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\es-ES\Recovery+gayhd.png	vonofdilecbn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\info.png	vonofdilecbn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\41.png	vonofdilecbn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\Recovery+gayhd.html	vonofdilecbn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\Recovery+gayhd.png	vonofdilecbn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\Recovery+gayhd.txt	vonofdilecbn.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\Recovery+gayhd.png	vonofdilecbn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Recovery+gayhd.png	vonofdilecbn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref.wmv	vonofdilecbn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\Recovery+gayhd.txt	vonofdilecbn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\Recovery+gayhd.png	vonofdilecbn.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\Recovery+gayhd.html	vonofdilecbn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png	vonofdilecbn.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\Recovery+gayhd.txt	vonofdilecbn.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\Recovery+gayhd.png	vonofdilecbn.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\autoconfig.js	vonofdilecbn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\Recovery+gayhd.html	vonofdilecbn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent_partly-cloudy.png	vonofdilecbn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_sun.png	vonofdilecbn.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\Recovery+gayhd.png	vonofdilecbn.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Recovery+gayhd.png	vonofdilecbn.exe

Drops file in Windows directory 2 IoCs

Processes:

VirusShare_97ee4e31ab54dd1286221f66882afc62.exe

description	ioc	process
File created	C:\Windows\vonofdilecbn.exe	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe
File opened for modification	C:\Windows\vonofdilecbn.exe	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008f70781651ed5e4f93440783768eeabe0000000002000000000010660000000100002000000000a888920dd26cb5483a21c8f12b5f76ee53ae0ac495b1fcbf3184447f5437ed000000000e8000000002000020000000a70785d7c56ded783d63a67d2d62164aee59327ad9f1c68ff1f8efecc5f83a62200000003ce373828e23ac00176de1ccfb5a8e94c7dbfc49de6368b4f4d6001ef12eb03b40000000d2a57641781d3906947a1fa93a5c4fc29450096b4bb55de1d0f312f2a40bd6a60275dd475d1bd4db41d54c1dc4d5c3ca89fad4784c9ac7f36cc540eb81e73e4b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8A7927C1-271F-11EF-AF73-469E18234AA3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60bcf75e2cbbda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008f70781651ed5e4f93440783768eeabe00000000020000000000106600000001000020000000de82eb891b916d0566c7f4c51a42091c06e5521b3ec73cb06e8c41c2faab72a3000000000e8000000002000020000000410d177fc0abd722284a9963734dbb43d9834fa6c62e3ad1a03bd6d41d0c302d90000000eae773dd6eba20d4aece058941231f9e0ea992ff941e3ebe9ba02bd77d8d8ae739fb705e748614732d8c0a4eb0d2016208d21370893fde087439bf986ebaa3adcb3facd44ad3374b0c84a5c88bfc556cd802e49a7806859b00cba9ee117e5bfbf6cc93432641b0bf18f3a61572c0e602c59f221d383e0e1943223192863a1bf83400232aa3efce7f5d9f91d3631a69f1400000005b014a12ac61bff98edae00d1de6e80fc32ed3c8a6a45e767e8cf643a1a62e727c6f8285c0d51d22887cd1b556bb58f58c63b300953ac587e49a4950dee426bf	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

vonofdilecbn.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	vonofdilecbn.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	vonofdilecbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	vonofdilecbn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	vonofdilecbn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	vonofdilecbn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	vonofdilecbn.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2360 NOTEPAD.EXE

pid	process
2360	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

vonofdilecbn.exe

pid	process
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe
2548	vonofdilecbn.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

VirusShare_97ee4e31ab54dd1286221f66882afc62.exevonofdilecbn.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2648	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe
Token: SeDebugPrivilege	2548	vonofdilecbn.exe
Token: SeIncreaseQuotaPrivilege	1800	WMIC.exe
Token: SeSecurityPrivilege	1800	WMIC.exe
Token: SeTakeOwnershipPrivilege	1800	WMIC.exe
Token: SeLoadDriverPrivilege	1800	WMIC.exe
Token: SeSystemProfilePrivilege	1800	WMIC.exe
Token: SeSystemtimePrivilege	1800	WMIC.exe
Token: SeProfSingleProcessPrivilege	1800	WMIC.exe
Token: SeIncBasePriorityPrivilege	1800	WMIC.exe
Token: SeCreatePagefilePrivilege	1800	WMIC.exe
Token: SeBackupPrivilege	1800	WMIC.exe
Token: SeRestorePrivilege	1800	WMIC.exe
Token: SeShutdownPrivilege	1800	WMIC.exe
Token: SeDebugPrivilege	1800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1800	WMIC.exe
Token: SeRemoteShutdownPrivilege	1800	WMIC.exe
Token: SeUndockPrivilege	1800	WMIC.exe
Token: SeManageVolumePrivilege	1800	WMIC.exe
Token: 33	1800	WMIC.exe
Token: 34	1800	WMIC.exe
Token: 35	1800	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2156	WMIC.exe
Token: SeSecurityPrivilege	2156	WMIC.exe
Token: SeTakeOwnershipPrivilege	2156	WMIC.exe
Token: SeLoadDriverPrivilege	2156	WMIC.exe
Token: SeSystemProfilePrivilege	2156	WMIC.exe
Token: SeSystemtimePrivilege	2156	WMIC.exe
Token: SeProfSingleProcessPrivilege	2156	WMIC.exe
Token: SeIncBasePriorityPrivilege	2156	WMIC.exe
Token: SeCreatePagefilePrivilege	2156	WMIC.exe
Token: SeBackupPrivilege	2156	WMIC.exe
Token: SeRestorePrivilege	2156	WMIC.exe
Token: SeShutdownPrivilege	2156	WMIC.exe
Token: SeDebugPrivilege	2156	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2156	WMIC.exe
Token: SeRemoteShutdownPrivilege	2156	WMIC.exe
Token: SeUndockPrivilege	2156	WMIC.exe
Token: SeManageVolumePrivilege	2156	WMIC.exe
Token: 33	2156	WMIC.exe
Token: 34	2156	WMIC.exe
Token: 35	2156	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

1288 iexplore.exe
2136 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1288 iexplore.exe
1288 iexplore.exe
2852 IEXPLORE.EXE
2852 IEXPLORE.EXE

pid	process
1288	iexplore.exe
2136	DllHost.exe

pid	process
1288	iexplore.exe
1288	iexplore.exe
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

VirusShare_97ee4e31ab54dd1286221f66882afc62.exeVirusShare_97ee4e31ab54dd1286221f66882afc62.exevonofdilecbn.exevonofdilecbn.exeiexplore.exe

description	pid	process	target process
PID 1276 wrote to memory of 2648	1276	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe
PID 1276 wrote to memory of 2648	1276	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe
PID 1276 wrote to memory of 2648	1276	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe
PID 1276 wrote to memory of 2648	1276	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe
PID 1276 wrote to memory of 2648	1276	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe
PID 1276 wrote to memory of 2648	1276	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe
PID 1276 wrote to memory of 2648	1276	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe
PID 1276 wrote to memory of 2648	1276	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe
PID 1276 wrote to memory of 2648	1276	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe
PID 1276 wrote to memory of 2648	1276	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe
PID 1276 wrote to memory of 2648	1276	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe
PID 2648 wrote to memory of 2716	2648	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe	vonofdilecbn.exe
PID 2648 wrote to memory of 2716	2648	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe	vonofdilecbn.exe
PID 2648 wrote to memory of 2716	2648	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe	vonofdilecbn.exe
PID 2648 wrote to memory of 2716	2648	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe	vonofdilecbn.exe
PID 2648 wrote to memory of 2764	2648	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe	cmd.exe
PID 2648 wrote to memory of 2764	2648	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe	cmd.exe
PID 2648 wrote to memory of 2764	2648	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe	cmd.exe
PID 2648 wrote to memory of 2764	2648	VirusShare_97ee4e31ab54dd1286221f66882afc62.exe	cmd.exe
PID 2716 wrote to memory of 2548	2716	vonofdilecbn.exe	vonofdilecbn.exe
PID 2716 wrote to memory of 2548	2716	vonofdilecbn.exe	vonofdilecbn.exe
PID 2716 wrote to memory of 2548	2716	vonofdilecbn.exe	vonofdilecbn.exe
PID 2716 wrote to memory of 2548	2716	vonofdilecbn.exe	vonofdilecbn.exe
PID 2716 wrote to memory of 2548	2716	vonofdilecbn.exe	vonofdilecbn.exe
PID 2716 wrote to memory of 2548	2716	vonofdilecbn.exe	vonofdilecbn.exe
PID 2716 wrote to memory of 2548	2716	vonofdilecbn.exe	vonofdilecbn.exe
PID 2716 wrote to memory of 2548	2716	vonofdilecbn.exe	vonofdilecbn.exe
PID 2716 wrote to memory of 2548	2716	vonofdilecbn.exe	vonofdilecbn.exe
PID 2716 wrote to memory of 2548	2716	vonofdilecbn.exe	vonofdilecbn.exe
PID 2716 wrote to memory of 2548	2716	vonofdilecbn.exe	vonofdilecbn.exe
PID 2548 wrote to memory of 1800	2548	vonofdilecbn.exe	WMIC.exe
PID 2548 wrote to memory of 1800	2548	vonofdilecbn.exe	WMIC.exe
PID 2548 wrote to memory of 1800	2548	vonofdilecbn.exe	WMIC.exe
PID 2548 wrote to memory of 1800	2548	vonofdilecbn.exe	WMIC.exe
PID 2548 wrote to memory of 2360	2548	vonofdilecbn.exe	NOTEPAD.EXE
PID 2548 wrote to memory of 2360	2548	vonofdilecbn.exe	NOTEPAD.EXE
PID 2548 wrote to memory of 2360	2548	vonofdilecbn.exe	NOTEPAD.EXE
PID 2548 wrote to memory of 2360	2548	vonofdilecbn.exe	NOTEPAD.EXE
PID 2548 wrote to memory of 1288	2548	vonofdilecbn.exe	iexplore.exe
PID 2548 wrote to memory of 1288	2548	vonofdilecbn.exe	iexplore.exe
PID 2548 wrote to memory of 1288	2548	vonofdilecbn.exe	iexplore.exe
PID 2548 wrote to memory of 1288	2548	vonofdilecbn.exe	iexplore.exe
PID 1288 wrote to memory of 2852	1288	iexplore.exe	IEXPLORE.EXE
PID 1288 wrote to memory of 2852	1288	iexplore.exe	IEXPLORE.EXE
PID 1288 wrote to memory of 2852	1288	iexplore.exe	IEXPLORE.EXE
PID 1288 wrote to memory of 2852	1288	iexplore.exe	IEXPLORE.EXE
PID 2548 wrote to memory of 2156	2548	vonofdilecbn.exe	WMIC.exe
PID 2548 wrote to memory of 2156	2548	vonofdilecbn.exe	WMIC.exe
PID 2548 wrote to memory of 2156	2548	vonofdilecbn.exe	WMIC.exe
PID 2548 wrote to memory of 2156	2548	vonofdilecbn.exe	WMIC.exe
PID 2548 wrote to memory of 2516	2548	vonofdilecbn.exe	cmd.exe
PID 2548 wrote to memory of 2516	2548	vonofdilecbn.exe	cmd.exe
PID 2548 wrote to memory of 2516	2548	vonofdilecbn.exe	cmd.exe
PID 2548 wrote to memory of 2516	2548	vonofdilecbn.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

vonofdilecbn.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	vonofdilecbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vonofdilecbn.exe

C:\Users\Admin\AppData\Local\Temp\VirusShare_97ee4e31ab54dd1286221f66882afc62.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_97ee4e31ab54dd1286221f66882afc62.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Users\Admin\AppData\Local\Temp\VirusShare_97ee4e31ab54dd1286221f66882afc62.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_97ee4e31ab54dd1286221f66882afc62.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\vonofdilecbn.exe
    C:\Windows\vonofdilecbn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\vonofdilecbn.exe
      C:\Windows\vonofdilecbn.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2548
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:2360
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1288
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1288 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2852
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\VONOFD~1.EXE
        5⤵
        
        PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
    3⤵
    - Deletes itself
    PID:2764

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+gayhd.html

Filesize
9KB

MD5
edd2d26bbac9de992c40544379824379

SHA1
5f61f131a1e23c7583bf88080608575b126db410

SHA256
c18f4ded22f54765c0d2bcfe1377628b1ade663436fb7e74507cf75756b08e86

SHA512
7a1e9e7d7b6b1a6dd0e08331c3b2a0b77f2be96b0eee0a31f2dc8346b7ae59668d24c87e2b561d79e0454eb5d5c176e8e2fd97d007d53da64e14c43bf858ea8c

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+gayhd.png

Filesize
62KB

MD5
d63b9f9335956ded8e4eb70e7d39b37c

SHA1
88794c347ca33dd5ea5be632b88ad26e66b2d225

SHA256
39f9694d436b999390726589c29ce0100a640f017a11da99bbfa68e155762105

SHA512
7570a82e593169dd0574f01b94d98441ac42f18cad7af44fbff34c2f797feda9431ff16b7c40082a9f2ea68ded89068cb159e73ad9c435a4360d62fa080ffdd6

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+gayhd.txt

Filesize
1KB

MD5
0b1aa10cf71d35fc3728128ccbbcf99d

SHA1
bca39de08f9e78aaf4dea3d4c2e61fb86475f0a0

SHA256
729167d1dafd796211c77ebeac11293a8c6a5dbc324abfc0cfb55861e1931101

SHA512
d97818228d08e5259013275d263993d30976c171a94fa20e5eaf656d4c9688643c38269c6c6464edb0ab05d66c36ba6156d89451fbce5ae8d83ce3bcd859eab1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
0f3ced2f3cf5b6c009c6beaeee4faca2

SHA1
c94cb734a68775f75f2f4a5bb70906a2fffb69f7

SHA256
9c74391c05f6a58c1be7c79d75fd21166e11a812dd14c4c3595805aa54c3c483

SHA512
e49130dd92e556fd015e2563a714f14ae6aa0dd7f4ac17d9d4b3f05af26dc10ea1025439ea6dacf6fbef6c5dd3c761a03dbdace99cecb677766758b548017e14

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
ae2d1a40e5e54099fff2d100e0829fb0

SHA1
fccaf490572cba6dd15d5191d35fff6284d8d2e2

SHA256
0c57f0f475db001ad9510efbd90368bba0b8862cbb73967a6497255b5edd01b1

SHA512
a7e93fb0dc958d5013ce6cc543e57b1b46ac656019694be38399d73f5c1288b7be15656cc4094c7a021b2a6630927211f7a0981c834928e417fb1b72f059be0e

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
ba8df94b630e51fe5db6472667d62419

SHA1
2883654ff25670b8f0e57b8ad0a32aa7397b7fba

SHA256
0bc9e3411c2e7e0a0be9d102eb896193a9a01915752cc4f1ffff7b6cd5584365

SHA512
69f59f596eb7661156793ee68e00b902b1ce51d742536bd097d4d6f60396c09206149e19d2b4936d2790595bc2a06fe5db5c1f51b37dfa3ec7fd40d08f59948d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1e6f5f77653e972c8fa0fea40e44007

SHA1
40b823f248c14419010eb6dbcb333ae6ced4b77c

SHA256
5aea526950f3010c181d667bf1357c2023b34fb6f93c88484afd29ab15298d3f

SHA512
a9505d2caba7b20bc031a5c696208294fcd56070d0c90d96bf05fa8550d872e5a82358c926d6c7f89197f7ba92c51d8354f0d73a8c1f863dfb7c0120b39b296e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3fadb74e72aab5a510ccf2a98cf17e3b

SHA1
3e0579542389950b9ba3d78837fd6c6edd5a8a9f

SHA256
4b8c30bd1f76c6ddc34bad820df352f65831a8146065e12474938aea825c95aa

SHA512
f20f8eafaca45890e6978b0d245035a7ce945e09d8ebddceb077338ef9fec580bb286a130c3ad69a0f11dfdef7329f59f20085ee022cb1d9f00c34d357fd8732

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c784542ce10ccc1a93b9eed91320a03

SHA1
0d370ae643d2eef6719e4919939a0237f3f99aa4

SHA256
f5f4d99156f4b3174d73626cc8eebbb859b7ae411699666c60aa7c7256f0f7d4

SHA512
7472c8c9b4fd13bd7bfea3cab373de72d9f834286441c0b236e0959950038586d5fb1edc7f30e271c62272f9de14b39092a30742b1a43d1eaf8fa93d2632503e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3a2d3777328d5b45a1ae635f03bf0ae

SHA1
b1e350c7f4791c4d4a101f461b909d78a3dd6ce2

SHA256
20e2992de87c48471ec3a93b3ddec2026362e98088c6660205064d1adb4d9cf3

SHA512
bd40b1167bd1a9605ad35dbcfc2a40504d0eda1b5fd221299fa008b993b8b06dab0e8498282ae6a7b1fa55348308e239b8ea16840667f072c35fa2729c55f02c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ed217e165ecd6b1dd313866b19141fa

SHA1
e28805c06f7d52083a60030ee3f803e785cb58c8

SHA256
b513443016b924f9d40c57f5d68560069f589c7debfddf43730524e66cba6737

SHA512
3b1687121e7ad219b758ef92ddeb5e1f27bc2c9076eeebe3c4c3a3b47a955a30ec20ba4cf60fc9169dff5aab22dc6d6ec18d24b5c2c65d9ac4be7df2f84eb970

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61e591ad67b04d0727d125e5537d6a07

SHA1
30aca28d2492222dd7bee716cdcd6fe616c87b7a

SHA256
852d0f36c66b7f15c98130d466926c9ce38a73e970f8a57777b15209a1de4bd0

SHA512
fc668c3aaee03b847e81f0d4a537917a3331a5dd00cf06f04163ef393c9c2b4032fa30c55a055fc6e1dc0e51ab28ade312f1d6207c9b8b752b6574169451b1a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ab0f8f5b2431d3ae1398717ba1d2ed4

SHA1
b7af064f5e97c0a2bc6dac8a909ab462d0b69cf1

SHA256
95090b35c77fb9a4ea0a7490ead347a52f65d97b4742233e0b03f03e506b7fe5

SHA512
3f2793537e93271ae4b634c0c8ec23e137a0952556b09b4ebec123d11c393199fc24991d0ac3cf17eda1bcab87607d393f404de25c97acfe8915fb7be0fe08f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52bcc8c1fd004af14746f97f4873f535

SHA1
49d245e81303bb70cc0394de44f167687268aaf5

SHA256
1dbb8d6fd4ed5302fd5cd689e6908feeeeb6ec82ec07460b8e8bb89c7c539cfb

SHA512
8864345e8165403d078a5faceb48cdcb3da63fd988a6a20db0a51c6de7b4710b36457a48559a4afd682c41321616b4c48407e8771cbf26f23bbe8cbd3c4c6657

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e45a46bc72d3bfa8a6ef562687c9a9ba

SHA1
23a648a521fb99099299e3fbd83caabd219eeeee

SHA256
cebd825f8fb3d1ca74d610559f51086946d1272ef83b9c64cb26905c36f8035f

SHA512
32f3c296be181759ac9a8a6ac34d536117fc6d50416af17c8c6d7a17b64e758e4a9bbc1ca6f4639a5d02d0b0129c1174d3a7b0cb7b02c976ff89a336f39d9ad1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f31453a15f29ac19391da9c997bb7eae

SHA1
84307ac45e4715313efdf233f7da77dfc734520e

SHA256
59a37b02cea9db785ad4c8ca2ea58d567e497cbcba662e48f8ec71688289f708

SHA512
ff700e25f0b8b575051271ef087ff02cf13d8e79236962b5dbb241ba6cfe9753bc109b4419dec7b0334d0a6fc296699326b605a006cf20ff7a0d56852a189de3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
14d0e605730c530879880da1a24fda76

SHA1
aeeb374ca01e62063b24a096ec683c459b32eab4

SHA256
a048e0fa2de9f8dd59ab574b91993d7fb0c6da60cd755aa36c45fd9e62fae965

SHA512
e3a1ccd18fe8902a860a176e5cc35b632c2a5149190c60b188ff1e8502e9cce7ee4abe931bd5352381155cf9ecbfe1830b0b188fd1d41b1785ebed57b066c1eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar18F4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\vonofdilecbn.exe

Filesize
388KB

MD5
97ee4e31ab54dd1286221f66882afc62

SHA1
ed782ac0c113e6ee1573539927f3374b8c3e859f

SHA256
4944771164216ccf6811e327befaa3aea12e9247ff731497a94f3c03d5b1b486

SHA512
1e62643409d12493e3e53da846b746496ae55ccd207ae3aebc321744a62717ea8bbe74280ec5d7373a3478ba16bd5763711a002fc8778aaf1a6f068ffd80d1b0

Download Submit
memory/1276-18-0x00000000002A0000-0x00000000002A3000-memory.dmp

Filesize
12KB

Download
memory/1276-0-0x00000000002A0000-0x00000000002A3000-memory.dmp

Filesize
12KB

Download
memory/1276-1-0x00000000002A0000-0x00000000002A3000-memory.dmp

Filesize
12KB

Download
memory/2136-6104-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2548-6107-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2548-6130-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2548-56-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2548-55-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2548-52-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2548-2325-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2548-5049-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2548-6097-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2548-6103-0x0000000002C70000-0x0000000002C72000-memory.dmp

Filesize
8KB

Download
memory/2548-51-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2548-6106-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2548-50-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2548-6133-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2548-1137-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2648-30-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2648-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2648-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2648-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2648-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2648-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2648-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2648-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2648-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2648-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2648-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2716-31-0x0000000000400000-0x000000000085C000-memory.dmp

Filesize
4.4MB

Download