teslacrypt | 153ba034dc65a8a277f8911c555b8126549e35f40fdf4591bbe07bff8427ba16

Analysis

max time kernel
100s
max time network
104s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15/08/2024, 17:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

62970d3ad9a12b875acc60a0a8310150N.exe
Size

496KB
MD5

62970d3ad9a12b875acc60a0a8310150
SHA1

fe4a5b2f1e43bb0a4776194765b81309b3b133cb
SHA256

153ba034dc65a8a277f8911c555b8126549e35f40fdf4591bbe07bff8427ba16
SHA512

5e71f110d9dee34126566ff7949726adb3ac06ef996201919e67d1396a3ec324dac18c6bc2a4b947fec961b98ea9ef34e627e6205d9899f7f4f74c689fd8ba47
SSDEEP

12288:sEOgCOhJJJh9x+5Q5oDfXCIWhM9QXpzFq:sEv5JiQ5EfyXm

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+folsx.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/48CF6C6F1A7CAF42 2 - http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/48CF6C6F1A7CAF42 3 - http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/48CF6C6F1A7CAF42 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/48CF6C6F1A7CAF42 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/48CF6C6F1A7CAF42 http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/48CF6C6F1A7CAF42 http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/48CF6C6F1A7CAF42 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/48CF6C6F1A7CAF42

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/48CF6C6F1A7CAF42

http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/48CF6C6F1A7CAF42

http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/48CF6C6F1A7CAF42

http://xlowfznrg4wf7dli.ONION/48CF6C6F1A7CAF42

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (414) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2668	cmd.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+folsx.png	sedjjapnyvhv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+folsx.txt	sedjjapnyvhv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+folsx.html	sedjjapnyvhv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+folsx.png	sedjjapnyvhv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+folsx.txt	sedjjapnyvhv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+folsx.html	sedjjapnyvhv.exe

Executes dropped EXE 1 IoCs

pid	Process
2436	sedjjapnyvhv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\brgyumu = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\sedjjapnyvhv.exe"	sedjjapnyvhv.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\_ReCoVeRy_+folsx.html	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\_ReCoVeRy_+folsx.txt	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\redmenu.png	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NavigationButtonSubpicture.png	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\_ReCoVeRy_+folsx.png	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\_ReCoVeRy_+folsx.txt	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\_ReCoVeRy_+folsx.txt	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\es-ES\_ReCoVeRy_+folsx.txt	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\_ReCoVeRy_+folsx.txt	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\_ReCoVeRy_+folsx.html	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\_ReCoVeRy_+folsx.png	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\localizedStrings.js	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\_ReCoVeRy_+folsx.txt	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\_ReCoVeRy_+folsx.html	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\_ReCoVeRy_+folsx.html	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\_ReCoVeRy_+folsx.txt	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIcon.png	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\_ReCoVeRy_+folsx.html	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\_ReCoVeRy_+folsx.html	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssBackBlue_Undocked.png	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full_partly-cloudy.png	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\_ReCoVeRy_+folsx.html	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\_ReCoVeRy_+folsx.txt	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\_ReCoVeRy_+folsx.html	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Reference Assemblies\_ReCoVeRy_+folsx.html	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\_ReCoVeRy_+folsx.txt	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\slideshow_glass_frame.png	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\_ReCoVeRy_+folsx.txt	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_RGB6_PAL.wmv	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\_ReCoVeRy_+folsx.txt	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\_ReCoVeRy_+folsx.html	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\_ReCoVeRy_+folsx.txt	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\_ReCoVeRy_+folsx.png	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\_ReCoVeRy_+folsx.png	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\_ReCoVeRy_+folsx.txt	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\_ReCoVeRy_+folsx.txt	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\_ReCoVeRy_+folsx.html	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\_ReCoVeRy_+folsx.png	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\cpu.css	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\_ReCoVeRy_+folsx.html	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\_ReCoVeRy_+folsx.html	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\visualization\_ReCoVeRy_+folsx.html	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\library.js	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent.png	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\_ReCoVeRy_+folsx.html	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\_ReCoVeRy_+folsx.html	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Windows Journal\es-ES\_ReCoVeRy_+folsx.html	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\settings.css	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca\_ReCoVeRy_+folsx.html	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\_ReCoVeRy_+folsx.txt	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\_ReCoVeRy_+folsx.png	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\_ReCoVeRy_+folsx.html	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\_ReCoVeRy_+folsx.png	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\_ReCoVeRy_+folsx.txt	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\_ReCoVeRy_+folsx.html	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_disabled.png	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ko.pak	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\_ReCoVeRy_+folsx.html	sedjjapnyvhv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\icon.png	sedjjapnyvhv.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\sedjjapnyvhv.exe	62970d3ad9a12b875acc60a0a8310150N.exe
File created	C:\Windows\sedjjapnyvhv.exe	62970d3ad9a12b875acc60a0a8310150N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62970d3ad9a12b875acc60a0a8310150N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sedjjapnyvhv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "429904718"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002aec918cb9fa9248b7812ac80df2e74c00000000020000000000106600000001000020000000653b360fa907db1f89fab84b22426267ae8aa19234d58b3ca2c404f475e57783000000000e800000000200002000000023b0e0977b47db0bd0b3c2b16042140f3afa1fd140aacfc5c605475f9ec95ce820000000acb1d39fee0eb630743e40429ee43cb7aa55b5c4e6c26b0ca864bc9f64ce99a240000000f67534694a98ad6d7769df2d27c1053babf08748a0835d776d4483e8dc370a6a37105d66a77653955042b6d8c0ac52cdf4b1158a0dcf4dcb92460a085eee4d93	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002aec918cb9fa9248b7812ac80df2e74c000000000200000000001066000000010000200000005239eab194e13458539087ef0182611da3369cf919c67bbee0ef01f117668685000000000e8000000002000020000000244f8a620794fd3d5f35f341725cdd8b1b79433cadd61b86d83175979349a214900000001aed0f7b335fcd71f386cbe8a2831086e2c9ade4e5b79fe0c05a62cdbb0dc174c5e6f53f508fa19bcae6c6ca3ff7654c950b29b1fa5c68d5dc588ba575248dab4b62e0323fd00426f28c97ee6a181fb233bf12e043f96bdfaa6466d561e6b6417589af56c27ad5bf71e6e2552946d5e8f0ab890e95ca8a08d40fa5dcce39aae177618ac69b03d47858f5f4b5700878e2400000002ae7c29f113b0c367b4711e6013f64c9dd34144254aea5a04969392fb300eeace8734c9080c8de835b208983c6953a9a9420a88ed6f9d405219badb8dbe0e470	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A46A06A1-5B2B-11EF-8FC1-C2666C5B6023} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10a3e87838efda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
984	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe
2436	sedjjapnyvhv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	62970d3ad9a12b875acc60a0a8310150N.exe
Token: SeDebugPrivilege	2436	sedjjapnyvhv.exe
Token: SeIncreaseQuotaPrivilege	2096	WMIC.exe
Token: SeSecurityPrivilege	2096	WMIC.exe
Token: SeTakeOwnershipPrivilege	2096	WMIC.exe
Token: SeLoadDriverPrivilege	2096	WMIC.exe
Token: SeSystemProfilePrivilege	2096	WMIC.exe
Token: SeSystemtimePrivilege	2096	WMIC.exe
Token: SeProfSingleProcessPrivilege	2096	WMIC.exe
Token: SeIncBasePriorityPrivilege	2096	WMIC.exe
Token: SeCreatePagefilePrivilege	2096	WMIC.exe
Token: SeBackupPrivilege	2096	WMIC.exe
Token: SeRestorePrivilege	2096	WMIC.exe
Token: SeShutdownPrivilege	2096	WMIC.exe
Token: SeDebugPrivilege	2096	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2096	WMIC.exe
Token: SeRemoteShutdownPrivilege	2096	WMIC.exe
Token: SeUndockPrivilege	2096	WMIC.exe
Token: SeManageVolumePrivilege	2096	WMIC.exe
Token: 33	2096	WMIC.exe
Token: 34	2096	WMIC.exe
Token: 35	2096	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2096	WMIC.exe
Token: SeSecurityPrivilege	2096	WMIC.exe
Token: SeTakeOwnershipPrivilege	2096	WMIC.exe
Token: SeLoadDriverPrivilege	2096	WMIC.exe
Token: SeSystemProfilePrivilege	2096	WMIC.exe
Token: SeSystemtimePrivilege	2096	WMIC.exe
Token: SeProfSingleProcessPrivilege	2096	WMIC.exe
Token: SeIncBasePriorityPrivilege	2096	WMIC.exe
Token: SeCreatePagefilePrivilege	2096	WMIC.exe
Token: SeBackupPrivilege	2096	WMIC.exe
Token: SeRestorePrivilege	2096	WMIC.exe
Token: SeShutdownPrivilege	2096	WMIC.exe
Token: SeDebugPrivilege	2096	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2096	WMIC.exe
Token: SeRemoteShutdownPrivilege	2096	WMIC.exe
Token: SeUndockPrivilege	2096	WMIC.exe
Token: SeManageVolumePrivilege	2096	WMIC.exe
Token: 33	2096	WMIC.exe
Token: 34	2096	WMIC.exe
Token: 35	2096	WMIC.exe
Token: SeBackupPrivilege	1472	vssvc.exe
Token: SeRestorePrivilege	1472	vssvc.exe
Token: SeAuditPrivilege	1472	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2684	WMIC.exe
Token: SeSecurityPrivilege	2684	WMIC.exe
Token: SeTakeOwnershipPrivilege	2684	WMIC.exe
Token: SeLoadDriverPrivilege	2684	WMIC.exe
Token: SeSystemProfilePrivilege	2684	WMIC.exe
Token: SeSystemtimePrivilege	2684	WMIC.exe
Token: SeProfSingleProcessPrivilege	2684	WMIC.exe
Token: SeIncBasePriorityPrivilege	2684	WMIC.exe
Token: SeCreatePagefilePrivilege	2684	WMIC.exe
Token: SeBackupPrivilege	2684	WMIC.exe
Token: SeRestorePrivilege	2684	WMIC.exe
Token: SeShutdownPrivilege	2684	WMIC.exe
Token: SeDebugPrivilege	2684	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2684	WMIC.exe
Token: SeRemoteShutdownPrivilege	2684	WMIC.exe
Token: SeUndockPrivilege	2684	WMIC.exe
Token: SeManageVolumePrivilege	2684	WMIC.exe
Token: 33	2684	WMIC.exe
Token: 34	2684	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2292	iexplore.exe
1808	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2292	iexplore.exe
2292	iexplore.exe
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2436	2864	62970d3ad9a12b875acc60a0a8310150N.exe	31
PID 2864 wrote to memory of 2436	2864	62970d3ad9a12b875acc60a0a8310150N.exe	31
PID 2864 wrote to memory of 2436	2864	62970d3ad9a12b875acc60a0a8310150N.exe	31
PID 2864 wrote to memory of 2436	2864	62970d3ad9a12b875acc60a0a8310150N.exe	31
PID 2864 wrote to memory of 2668	2864	62970d3ad9a12b875acc60a0a8310150N.exe	32
PID 2864 wrote to memory of 2668	2864	62970d3ad9a12b875acc60a0a8310150N.exe	32
PID 2864 wrote to memory of 2668	2864	62970d3ad9a12b875acc60a0a8310150N.exe	32
PID 2864 wrote to memory of 2668	2864	62970d3ad9a12b875acc60a0a8310150N.exe	32
PID 2436 wrote to memory of 2096	2436	sedjjapnyvhv.exe	34
PID 2436 wrote to memory of 2096	2436	sedjjapnyvhv.exe	34
PID 2436 wrote to memory of 2096	2436	sedjjapnyvhv.exe	34
PID 2436 wrote to memory of 2096	2436	sedjjapnyvhv.exe	34
PID 2436 wrote to memory of 984	2436	sedjjapnyvhv.exe	42
PID 2436 wrote to memory of 984	2436	sedjjapnyvhv.exe	42
PID 2436 wrote to memory of 984	2436	sedjjapnyvhv.exe	42
PID 2436 wrote to memory of 984	2436	sedjjapnyvhv.exe	42
PID 2436 wrote to memory of 2292	2436	sedjjapnyvhv.exe	43
PID 2436 wrote to memory of 2292	2436	sedjjapnyvhv.exe	43
PID 2436 wrote to memory of 2292	2436	sedjjapnyvhv.exe	43
PID 2436 wrote to memory of 2292	2436	sedjjapnyvhv.exe	43
PID 2292 wrote to memory of 2704	2292	iexplore.exe	45
PID 2292 wrote to memory of 2704	2292	iexplore.exe	45
PID 2292 wrote to memory of 2704	2292	iexplore.exe	45
PID 2292 wrote to memory of 2704	2292	iexplore.exe	45
PID 2436 wrote to memory of 2684	2436	sedjjapnyvhv.exe	46
PID 2436 wrote to memory of 2684	2436	sedjjapnyvhv.exe	46
PID 2436 wrote to memory of 2684	2436	sedjjapnyvhv.exe	46
PID 2436 wrote to memory of 2684	2436	sedjjapnyvhv.exe	46
PID 2436 wrote to memory of 1856	2436	sedjjapnyvhv.exe	48
PID 2436 wrote to memory of 1856	2436	sedjjapnyvhv.exe	48
PID 2436 wrote to memory of 1856	2436	sedjjapnyvhv.exe	48
PID 2436 wrote to memory of 1856	2436	sedjjapnyvhv.exe	48

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sedjjapnyvhv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	sedjjapnyvhv.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\62970d3ad9a12b875acc60a0a8310150N.exe
"C:\Users\Admin\AppData\Local\Temp\62970d3ad9a12b875acc60a0a8310150N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\sedjjapnyvhv.exe
  C:\Windows\sedjjapnyvhv.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2436
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2096
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:984
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2292 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2704
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\SEDJJA~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\62970D~1.EXE
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2668

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+folsx.html

Filesize
11KB

MD5
6556e7fa863bedd1ec70f6775cef04b9

SHA1
526b78365143d81f4787c458cc407f39451e81d8

SHA256
ff90cc59175bf51863e7ef4ae83024039248eb763e1db21a166924bfea15e537

SHA512
fcb51396cfbfcd7ba6a7ec3e55ff5ae7cf3e396e2168fc064ae299cda7bfee329870bbc2c1b001c10238a3b4de5fde984fa960d069b4f6539dea745a66080f07

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+folsx.png

Filesize
64KB

MD5
8cd0737d504bd1542aa6ac4ad16d5d4a

SHA1
df81ba5ba6f45f518690817ca04d4335a936abf6

SHA256
54c908157e4324c92f7d36fd1f0d34b26ca6651530781bee68c29a1a0a588f2a

SHA512
d96a4c646d5664bca09c87fc42352849e1ae4732387df5251ba7aa9d6c06ca0ce4e0f60e0352cae7bfba9de3cd3e178d600f3d5e0f7b95128ce4699ad7872ed0

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+folsx.txt

Filesize
1KB

MD5
362da4f7c253d5c1e01192ebe0d8fb4c

SHA1
13d35a2e115bd5c6cbb98ec901813792ccee33a2

SHA256
6e07a4699dcb9659381bac769008347c5f86d3ed3b4f9af44dd3396a3c79acae

SHA512
982795f7950179f9ace7cd3f82787fb8a016f49a77f61092bc0a5264ec7a92fab632bd116b0e155cff0f9d59409f7757f6d21bf3c1be3fbdf4bd982392033f5f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
31b9dc99985696150816da7bf6cb6195

SHA1
5ec4fb4c58692ac8860fb686d6f3aaf5c46e2934

SHA256
9bfa3b3f77696f6b942b18a0c911cfff4202aa121964798671d928698947b678

SHA512
5dc36b3392f1ba63d5abc7bd6d1471542b31cdf08fe268bf2e21fa2fea842f26845dff3fa5ae492e47227fcc4c72bf4503fb81e05d71506b1ba7d8d31cd43f5b

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
052c05633bd9c5a3cf55ad773d1e4481

SHA1
047d7cac5609b56154cf99fb22a5c511f023ce8a

SHA256
66e8cd0ef545e7568a08862eda336378f6a0c31f67be0801ba8e1e46a8664039

SHA512
63866455f57296074c2a9e5a660251458c31cf4a74df9ff588b40c623faff382ebaf20aa010fb6c003761741e49e8158e6aea9299e5fc25bd3108536b8b6c062

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
3f605ba5f106fe2c4d403b63baff0ac0

SHA1
f35b6e1b8b8cb61721b0d3f45db9f2fa3a10caf1

SHA256
3d38f4e5561ad5de39e9d55e1576822fc8df8843623b9d2b731e83bc796ea889

SHA512
0e185ea8e138bb54afa974d84861f5f3dfb48b2ac1636b15f3823a9f41d954b466ce997f4475a9cabe8881ad7b7a1050c1794719fb5d7b7060b6c1a750a24c68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a6791e7ec86d5ff63f2c2ff651a20a11

SHA1
312f65d321374779e67554f17ae69ebc7cc87716

SHA256
37afc9b3a43026742039e30daaf84488201b325553280a590756321d9a6b403b

SHA512
ada82647625f122ebb908fa9ddc8e08fcdf14e073dfb51b714e75e5847a87ab585d617aa0fb4036a982d00f5d3dc7075591136f875cac8ec5c6769b0025d4cd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
de5beaaf69b5c31da5a534561b21757f

SHA1
0b6d8c8d177e21ebe5dcc1c8623d4ff69a9706d9

SHA256
f1ef00665fe97c8962f6e203b30ef07aa93676070d52ae78d3b4acac9bd19762

SHA512
14410e86830d2c69a390a55baab586a900e54cd02eaab6e703583826e0484d2cc02e0afadd8cb45260874588499af04b8b11dc3619aee604e6f7686c59225d91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
b59100341cd85102022ddcb337541566

SHA1
4f79e75a953289cb41e831f833b258cda00dff98

SHA256
a6589919f117a846c40e4a30d0cebff8a0c1c87ba8d3030baa7fbad74fecf823

SHA512
25e49e64e45a638236f4649178768e5c1739422df23b40a2f917f7ec95744f9b98b101b9d52ff4cb7da53379f3c53238205ed0d759b1225a19515a7f55409c98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
e93de2b5665104a8e546370cb7b4b41b

SHA1
487342a5e90d885fc6163d69f16337e0ca239040

SHA256
5d67dd2146636db58492b1b2a69a25148708d6066efe98a184cc53c70dfe9084

SHA512
ee9ec04526949abc2e804e5966188476b6bc7d7477a9c7bcc3a5392f7e87940184b5fb5dd0848ba899289aacc487a89ba6e6c3254b5496e97cea5f8039411522

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
01ecc55ae32da469d5abdc0079bf30d2

SHA1
6b7f075665de649ab20f65e30603cfaa650da664

SHA256
e827340ec6816315ff7c47ab4859379748ff97abef6bc8f27b49c13d80a26e72

SHA512
75bbfd9abe1d9bb3376734ac0fa385a19fbd33ed5bfa5047527ab8660f1778a67fc24c0d3cb963f5ad5dfe84a9c1fb389f50c9657e12ae201cf86785c8821ac0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
475c0adff350a9ac3db379d59fad67fe

SHA1
ffcfc1180a5a95b9557a3be2b599f255fc126a90

SHA256
81f19912f37d41e624315513488e4a6b88c9f186c4878baf4bdfb4b8af9fdf4a

SHA512
92ec3bc020af1e1a1aaf7cd88b6d15a007998e4d240fa6cae034568157eebacaa41d5f62e816c375252421e2d5fa4e091022bbf77a4b1abf912abf61073ec580

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
28c853b18dd40433ed6ca96e9ab52897

SHA1
3aacdcb6a458b6b86aa2dc72ea6d14f00a2fb02c

SHA256
7e4aa973fdb52c8afdb9525903702cbc9dcf48f596871149cd6b993c3e7522bb

SHA512
6fdc88e728fd96145e6b7ba679b66a146ad060652385003c9520e5ba128c197c39ae16ec8e88e019f52e6be522caa35fae98e30e740c2c4fe77f4fd071a00dfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
b7487e3799e62d881f2b7e370b1bde76

SHA1
28ab9e53e77caef20609ebd11577970493c8550f

SHA256
5f4cf7328acf5005e26b1e4a45c5973365c2149b7a3f07d692b107e87413aff3

SHA512
7e1cbb668d9a47ce9aae2318bfc000827ff2fcad67c3e2fe541dc58730b62788459faf00a13a9cd738e718b546a71b593c5b61df7c55ec396b9a682ba96fe6fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
fa296e81f94f6939204f6620d3ede1f5

SHA1
a72048141731dbd4d25e8cbe51a6f735554d044f

SHA256
8382eb2e73a9b8ea0574f72f284c2507ac3d0703ab2201c87cea10dee7b6bb27

SHA512
7cc9ed0f29cebd3f79b924cd0ff3b7cd598b232ab28a8f974a12113eb59c092d9076e3c24967b0eb1fa965c6e5a8206641c210868f29f1ca10b3d995238c6940

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
6c6f3da21749587a8b46ddc5d30376f8

SHA1
0bdc240b0ea7c57dd2e505bea57ab26704a82828

SHA256
5f43bb4cc6bf0b2836137485eccc2bd12c1eedbc46ca5714d59bb34350996b00

SHA512
fc364c11cfe0e4a018d05bba6c1378f7c0b84ee81a9394a2d33727fcd446dcc39726eddfe1b4bceafa3df9972ad83cb7ec3f0ad1974c4224a82d896b6c7f755f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
c0be80a0ba550b3b8031bc7c1886dae7

SHA1
c33f0b437a730f595aca47aae6fcf7b4ad6a189e

SHA256
b53cd51b8a809464fe7e52d2aab6100cb43a80cdaacda6b5075879cb78a25f4b

SHA512
686f8926e67ee779453cf2a6cb8f39aee3728071df99058c3ff86408515e6046b7bd39119f3ffe8755b96d9ebfd166bf4a3fd82714dadc1308b1f39e763b7b3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
e5435c4c6b73b8660e8eed289795ed73

SHA1
7711696074b360cde7e8a69d05e79b25e91c16c6

SHA256
d1aa8e4e601686391eef812ec980c018e2f1b234de5d033504e0e65c46a8f9cf

SHA512
9f8ab72e54d298a75ddebb8f0f5153a134ffbe85eb9e60637708ee135f2bc928021b337c9b36310c0576d6fdd229bd97fcfe79ce78b219dbba4078a32d38cd3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
13eb3a59c202bc5ebbb397b098afac52

SHA1
a25e7bdc8754de952fce06c181ffca37e290dcdd

SHA256
b6e606982fbf5319b895cb6ea7f69e0effd9b783f25fefc7721023a45faf2fcc

SHA512
bcc017a4d797634f039319c66616608cb4fd04f66f543406041e7bae8f692e0e73ac3a87820d4f35544ceffad4d4faf3c359a28dc08e9f4cb9b0485f888328ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
b5bdd90d2b924c1579885111cb967a3a

SHA1
6536756c1c7381169fa04b651eb37d74fa4894cd

SHA256
65a870c1d4ce6a95de15170d68fac50a95807cd3159dac081ff62f8b41d21de2

SHA512
dffb4053c1f6ec2677dd64dc65a475bfb6c63dbc62e0b6ef47ef2ab871a1b3327e5991d4f90d54168cfc575598eb3c996e989285b875517c4adab11fe7d0dac3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
4dd2985ec818807a61ea3bffae49d43a

SHA1
b161ba8460b63c019ba5d9a10755d8e00f7c10b5

SHA256
ef42045cf85f1b708a770ce60f1cfb00306360d663c2da24fa6ddd1ea791d550

SHA512
669da194d3d15f08053cf96021ee13f9974b994b30c3af7686ab2ec05fc2d3d0bea72e8b136eac943babdbc291c4d63c9bd87897e0a18ba84b558f66b07c64e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
da0da7f0a05127fa9a19e76780980fa5

SHA1
41fc4650dc9a28d29083f5d26d6e9ea2418fb70d

SHA256
f30908f81255548c22115889edde3fe838f7deeb294437121055cea6ab472673

SHA512
1afd7a4c302eb49eb4c6d361094b49da490e49e0abed88104537e45e0f2793d12a1434c01e8ecbd721642d16185bc068e664c5cf2053e09a85d10a1046a9d5c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
6f55b0921740080df457e2c5700963dc

SHA1
9eb71296fa0eb9b29cc1c61b4201b22d635a6d13

SHA256
8c47bb10bcb2a837fed1800f9771aabb3df231c5a1c76c95d54a4c346b7cde65

SHA512
7abf672d4d906be8cbbf406627e598b9547d7ab24bea002e994c3679d0e89e7f163a292359cb70a1b957eb40e5a10eca61125b57998aa216a8be8688ad36bc48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
f6a1c02c01f85c5a8caee452c8729095

SHA1
7c4db1b44a62ab74ff41b1e77a19afa112c57f98

SHA256
8b17713dde27543d488d240f8046f20bf17155bed6a75e22d7d7c370499e6ddb

SHA512
f10905d5641f7bf4a7ae1ac35a94778e31bc5ea0ba898a9bddc00a8ec9e6f75afbed63f678c7e0e28ca22e3313036b96353f08b405b07c1bf927ca53ace63f7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
07532c0822388516da57f459939ceacc

SHA1
3e1e4f27d3c6843e469d554e977199be4b6c4a0c

SHA256
b7e508209022362306af30b8624dd26293425fccef41181ed1167fa20e965dba

SHA512
de12ee8518b908bad0c928c86f8ddafff1073018f2c9dc560c83bc11f3c02d3da7d6446cb36f25f0e5b1ffce411a68f6925669c3da390339d5a18c83d4e755f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEEE2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEFA4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\sedjjapnyvhv.exe

Filesize
496KB

MD5
62970d3ad9a12b875acc60a0a8310150

SHA1
fe4a5b2f1e43bb0a4776194765b81309b3b133cb

SHA256
153ba034dc65a8a277f8911c555b8126549e35f40fdf4591bbe07bff8427ba16

SHA512
5e71f110d9dee34126566ff7949726adb3ac06ef996201919e67d1396a3ec324dac18c6bc2a4b947fec961b98ea9ef34e627e6205d9899f7f4f74c689fd8ba47

Download Submit
memory/1808-6061-0x0000000000370000-0x0000000000372000-memory.dmp

Filesize
8KB

Download
memory/2436-6060-0x0000000002D90000-0x0000000002D92000-memory.dmp

Filesize
8KB

Download
memory/2436-17-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2436-1585-0x0000000000730000-0x00000000007B6000-memory.dmp

Filesize
536KB

Download
memory/2436-1357-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2436-4378-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2436-6066-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2436-6064-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2436-1584-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2436-16-0x0000000000730000-0x00000000007B6000-memory.dmp

Filesize
536KB

Download
memory/2864-11-0x0000000002950000-0x0000000002A1E000-memory.dmp

Filesize
824KB

Download
memory/2864-14-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2864-15-0x0000000000300000-0x0000000000386000-memory.dmp

Filesize
536KB

Download
memory/2864-0-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2864-1-0x0000000000300000-0x0000000000386000-memory.dmp

Filesize
536KB

Download
memory/2864-2-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download