cb93ef8affa8e13b671190d1f8790aa08e0686097493d958e900659db2736841

Analysis

max time kernel
1553s
max time network
1553s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
Size

77KB
MD5

e736d07744f89f05460b1f12daeb8172
SHA1

19fb70308f0d47947eb6d2d5b572e96539d345bb
SHA256

ac50a0eeec0bddc53420d110cf8161fd17c53a4136992132b2fa5b0c09a84cce
SHA512

e9c7c6112940eda234e3fce2579ccbc38552c18df01a7f2642174e097d80f35594245b3d3b425e88e47e40113042788ae802b0bcb548c641bb2f23d776c78316
SSDEEP

1536:qbhPdYbPd5FX05V6Mu3DmQtxRS6oAZx0pcQb3iqt:i5UX05V6RiQ3E40pjt

Score

10^/10

defense_evasion discovery execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Users\HELP_DECRYPT_YOUR_FILES.TXT

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-2048 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start send email now for more specific instructions! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions: Contact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 24 hours. For you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. Please do not waste your time! You have 72 hours only! After that The Main Server will double your price! So right now You have a chance to buy your individual private softWare with a low price! E-MAIL1: [email protected] E-MAIL2: [email protected] Spare email: E-MAIL1: [email protected] E-MAIL2: [email protected] YOUR_ID: 5fbe57e1c9b74ea

Emails

[email protected]

Extracted

Path

C:\Users\HELP_DECRYPT_YOUR_FILES.HTML

Ransom Note

<!DOCTYPE html> <html> <head> <meta charset="utf-8"> <title>HELP_DECRYPT_YOUR_FILES</title> <style> .text { text-align: center; } </style> </head> <body> <div class="text"> NOT YOUR LANGUAGE? USE <a href="https://translate.google.com">https://translate.google.com</a> What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a> How did this happen ? !!! Specially for your PC was generated personal RSA-2048 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start send email now for more specific instructions! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions: Contact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 24 hours. For you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. Please do not waste your time! You have 72 hours only! After that The Main Server will double your price! So right now You have a chance to buy your individual private softWare with a low price! E-MAIL1: [email protected] E-MAIL2: [email protected] Spare email if we do not respond within 24 hours: E-MAIL1: [email protected] E-MAIL2: [email protected] YOUR_ID: 5fbe57e1c9b74ea </div> </body> </html>

Emails

[email protected]

Extracted

Path

C:\ProgramData\HELP_DECRYPT_YOUR_FILES.TXT

Ransom Note

Emails

[email protected]

Extracted

Path

C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\HELP_DECRYPT_YOUR_FILES.HTML

Ransom Note

Emails

[email protected]

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeFlashPlayersHardWare = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeFlashPlayer_5fbe57e1c9b74ea.exe\""	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*ChromeFlashPlayers32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeFlashPlayer_5fbe57e1c9b74ea.exe\""	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome Reader UpdateHardWare = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe\""	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*Chrome Reader Update32 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe\""	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe

description	ioc	Process
File opened (read-only)	\??\G:	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\K:	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\L:	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\M:	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\O:	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\V:	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\Y:	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\E:	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\I:	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\N:	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\Q:	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\R:	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\T:	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\B:	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\J:	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\P:	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\W:	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\A:	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\S:	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\U:	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\X:	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\Z:	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\H:	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe

Drops file in Program Files directory 8 IoCs

Processes:

2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe

description	ioc	Process
File created	C:\Program Files\HELP_DECRYPT_YOUR_FILES.HTML	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File opened for modification	C:\Program Files\HELP_DECRYPT_YOUR_FILES.HTML	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File created	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.TXT	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File opened for modification	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.TXT	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File created	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.HTML	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File opened for modification	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.HTML	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File created	C:\Program Files\HELP_DECRYPT_YOUR_FILES.TXT	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File opened for modification	C:\Program Files\HELP_DECRYPT_YOUR_FILES.TXT	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe

Drops file in Windows directory 4 IoCs

Processes:

2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe

description	ioc	Process
File created	C:\Windows\HELP_DECRYPT_YOUR_FILES.TXT	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File opened for modification	C:\Windows\HELP_DECRYPT_YOUR_FILES.TXT	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File created	C:\Windows\HELP_DECRYPT_YOUR_FILES.HTML	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
File opened for modification	C:\Windows\HELP_DECRYPT_YOUR_FILES.HTML	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WMIC.exevssadmin.exevssadmin.execmd.execmd.exeIEXPLORE.EXEcmd.exevssadmin.execmd.exevssadmin.exevssadmin.exevssadmin.execmd.execmd.execmd.exevssadmin.exevssadmin.execmd.exevssadmin.execmd.execmd.execmd.execmd.execmd.exe2016-09-16-EITest-Rig-EK-payload-CryptFile2.execmd.exevssadmin.execmd.execmd.exevssadmin.execmd.exevssadmin.exevssadmin.exevssadmin.exenet1.execmd.execmd.exevssadmin.execmd.execmd.execmd.exevssadmin.exevssadmin.execmd.execmd.exevssadmin.execmd.execmd.exevssadmin.execmd.exevssadmin.exevssadmin.exenet.exeNOTEPAD.EXEcmd.exevssadmin.exevssadmin.execmd.execmd.execmd.execmd.execmd.execmd.exevssadmin.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe

Interacts with shadow copies 3 TTPs 27 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	Process
2340	vssadmin.exe
2844	vssadmin.exe
1692	vssadmin.exe
2856	vssadmin.exe
1944	vssadmin.exe
2604	vssadmin.exe
1184	vssadmin.exe
2480	vssadmin.exe
2244	vssadmin.exe
2468	vssadmin.exe
1828	vssadmin.exe
2348	vssadmin.exe
2560	vssadmin.exe
2868	vssadmin.exe
2176	vssadmin.exe
2768	vssadmin.exe
2932	vssadmin.exe
2252	vssadmin.exe
1636	vssadmin.exe
604	vssadmin.exe
544	vssadmin.exe
1556	vssadmin.exe
2240	vssadmin.exe
2212	vssadmin.exe
2628	vssadmin.exe
2068	vssadmin.exe
1704	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f0000000002000000000010660000000100002000000040c8a1c8fe91f3661913c89a4a78676c07c45ded6abef95f752d8e42a146fda5000000000e8000000002000020000000fd2207c5f40aded1c5601f9be50283ff2650ba6377e981c424fd6b30004d4ff1200000003d5be176b5da9a3175e6e6050dd5f364ca8db0a082e03d4e0f51ef5895a4711140000000566a78f5bb46a8b812271eddb132fe834ca14716358130754b4e9916ecc52fca33fb32e93a940b13bc82161035d7319f16eaa134f3352c6f74f7b18e122e1627	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f0000000002000000000010660000000100002000000093cd4da00af46fada543d1a839fef201fe06af65dd94a83cce10f81e54383443000000000e80000000020000200000009402ccbe5b3a0719b8144c5eb4cc14f0c711416d1036206ae4a8defc7a5d9de490000000924206d7078f2e8a5dfc346ade284fab18f5ca1bd70de76efdd86f6816da5481cb355fb0bafee243d281dcfbf126551b8e51eb87b9f9eb3221a2506aa5d7d1cb891325e9ae076007ff93927d080932a98f3170b957c831050d49f709bfd7e02affdeda5915246b9eb7039a8cde059f60e6468856ae9bbb2b9c3ef1a6b7a63eb510680cd7ca0ff54e7f535331d9f63bfd400000006dfbe72d989dd4931ab68ed26cbc16f9004af40dfc1537ad968aa4cdc740b6a3055507619b3539943598702ddf04456b19cf975d760e01b30bd4a04aef37fd06	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{33955E41-9FFD-11EF-B2CD-FE6EB537C9A6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437471399"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 604f0f080a34db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
2836	NOTEPAD.EXE

Runs net.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

WMIC.exevssvc.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1820	WMIC.exe
Token: SeSecurityPrivilege	1820	WMIC.exe
Token: SeTakeOwnershipPrivilege	1820	WMIC.exe
Token: SeLoadDriverPrivilege	1820	WMIC.exe
Token: SeSystemProfilePrivilege	1820	WMIC.exe
Token: SeSystemtimePrivilege	1820	WMIC.exe
Token: SeProfSingleProcessPrivilege	1820	WMIC.exe
Token: SeIncBasePriorityPrivilege	1820	WMIC.exe
Token: SeCreatePagefilePrivilege	1820	WMIC.exe
Token: SeBackupPrivilege	1820	WMIC.exe
Token: SeRestorePrivilege	1820	WMIC.exe
Token: SeShutdownPrivilege	1820	WMIC.exe
Token: SeDebugPrivilege	1820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1820	WMIC.exe
Token: SeRemoteShutdownPrivilege	1820	WMIC.exe
Token: SeUndockPrivilege	1820	WMIC.exe
Token: SeManageVolumePrivilege	1820	WMIC.exe
Token: 33	1820	WMIC.exe
Token: 34	1820	WMIC.exe
Token: 35	1820	WMIC.exe
Token: SeBackupPrivilege	2388	vssvc.exe
Token: SeRestorePrivilege	2388	vssvc.exe
Token: SeAuditPrivilege	2388	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1820	WMIC.exe
Token: SeSecurityPrivilege	1820	WMIC.exe
Token: SeTakeOwnershipPrivilege	1820	WMIC.exe
Token: SeLoadDriverPrivilege	1820	WMIC.exe
Token: SeSystemProfilePrivilege	1820	WMIC.exe
Token: SeSystemtimePrivilege	1820	WMIC.exe
Token: SeProfSingleProcessPrivilege	1820	WMIC.exe
Token: SeIncBasePriorityPrivilege	1820	WMIC.exe
Token: SeCreatePagefilePrivilege	1820	WMIC.exe
Token: SeBackupPrivilege	1820	WMIC.exe
Token: SeRestorePrivilege	1820	WMIC.exe
Token: SeShutdownPrivilege	1820	WMIC.exe
Token: SeDebugPrivilege	1820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1820	WMIC.exe
Token: SeRemoteShutdownPrivilege	1820	WMIC.exe
Token: SeUndockPrivilege	1820	WMIC.exe
Token: SeManageVolumePrivilege	1820	WMIC.exe
Token: 33	1820	WMIC.exe
Token: 34	1820	WMIC.exe
Token: 35	1820	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid	Process
1832	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	Process
1832	iexplore.exe
1832	iexplore.exe
2480	IEXPLORE.EXE
2480	IEXPLORE.EXE
2480	IEXPLORE.EXE
2480	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2016-09-16-EITest-Rig-EK-payload-CryptFile2.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 2132 wrote to memory of 2492	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	33
PID 2132 wrote to memory of 2492	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	33
PID 2132 wrote to memory of 2492	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	33
PID 2132 wrote to memory of 2492	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	33
PID 2132 wrote to memory of 3052	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	35
PID 2132 wrote to memory of 3052	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	35
PID 2132 wrote to memory of 3052	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	35
PID 2132 wrote to memory of 3052	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	35
PID 2492 wrote to memory of 1184	2492	cmd.exe	36
PID 2492 wrote to memory of 1184	2492	cmd.exe	36
PID 2492 wrote to memory of 1184	2492	cmd.exe	36
PID 2492 wrote to memory of 1184	2492	cmd.exe	36
PID 2132 wrote to memory of 840	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	38
PID 2132 wrote to memory of 840	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	38
PID 2132 wrote to memory of 840	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	38
PID 2132 wrote to memory of 840	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	38
PID 2132 wrote to memory of 1856	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	40
PID 2132 wrote to memory of 1856	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	40
PID 2132 wrote to memory of 1856	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	40
PID 2132 wrote to memory of 1856	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	40
PID 2132 wrote to memory of 2120	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	42
PID 2132 wrote to memory of 2120	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	42
PID 2132 wrote to memory of 2120	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	42
PID 2132 wrote to memory of 2120	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	42
PID 2132 wrote to memory of 912	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	44
PID 2132 wrote to memory of 912	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	44
PID 2132 wrote to memory of 912	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	44
PID 2132 wrote to memory of 912	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	44
PID 3052 wrote to memory of 1820	3052	cmd.exe	45
PID 3052 wrote to memory of 1820	3052	cmd.exe	45
PID 3052 wrote to memory of 1820	3052	cmd.exe	45
PID 3052 wrote to memory of 1820	3052	cmd.exe	45
PID 2132 wrote to memory of 1688	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	46
PID 2132 wrote to memory of 1688	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	46
PID 2132 wrote to memory of 1688	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	46
PID 2132 wrote to memory of 1688	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	46
PID 2120 wrote to memory of 2068	2120	cmd.exe	48
PID 2120 wrote to memory of 2068	2120	cmd.exe	48
PID 2120 wrote to memory of 2068	2120	cmd.exe	48
PID 2120 wrote to memory of 2068	2120	cmd.exe	48
PID 840 wrote to memory of 2252	840	cmd.exe	49
PID 840 wrote to memory of 2252	840	cmd.exe	49
PID 840 wrote to memory of 2252	840	cmd.exe	49
PID 840 wrote to memory of 2252	840	cmd.exe	49
PID 1856 wrote to memory of 2480	1856	cmd.exe	51
PID 1856 wrote to memory of 2480	1856	cmd.exe	51
PID 1856 wrote to memory of 2480	1856	cmd.exe	51
PID 1856 wrote to memory of 2480	1856	cmd.exe	51
PID 2132 wrote to memory of 2328	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	53
PID 2132 wrote to memory of 2328	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	53
PID 2132 wrote to memory of 2328	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	53
PID 2132 wrote to memory of 2328	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	53
PID 912 wrote to memory of 2244	912	cmd.exe	55
PID 912 wrote to memory of 2244	912	cmd.exe	55
PID 912 wrote to memory of 2244	912	cmd.exe	55
PID 912 wrote to memory of 2244	912	cmd.exe	55
PID 2132 wrote to memory of 848	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	56
PID 2132 wrote to memory of 848	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	56
PID 2132 wrote to memory of 848	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	56
PID 2132 wrote to memory of 848	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	56
PID 2132 wrote to memory of 2556	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	58
PID 2132 wrote to memory of 2556	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	58
PID 2132 wrote to memory of 2556	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	58
PID 2132 wrote to memory of 2556	2132	2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe	58

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
"C:\Users\Admin\AppData\Local\Temp\2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1184
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1820
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Z: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2252
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Y: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2480
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=X: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2068
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=W: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2244
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1688
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=V: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2468
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All /Quiet
  2⤵
  PID:2328
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=U: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:848
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=T: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1636
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All /Quiet
  2⤵
  PID:2556
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=S: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2024
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=R: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1692
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1720
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Q: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2868
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3060
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=P: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2340
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2160
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=O: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2176
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1028
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=N: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2768
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2936
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=M: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1828
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2996
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=L: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2904
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=K: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2844
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2928
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=J: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:604
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2676
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=I: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:544
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1748
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=H: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2212
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2092
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=G: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2336
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=F: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2240
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2732
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=E: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2348
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2308
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=D: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2932
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2428
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=C: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All /Quiet
  2⤵
  PID:700
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=B: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1556
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All /Quiet
  2⤵
  PID:1208
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=A: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop vss
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2592
- - C:\Windows\SysWOW64\net.exe
    net stop vss
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2248
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vss
      4⤵
      System Location Discovery: System Language Discovery
      PID:1652
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled No
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2864
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set {default} recoveryenabled No
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1228
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1512
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1352
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1008
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set recoveryenabled NO
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3044
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set recoveryenabled NO
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2472
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2688
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" wbadmin delete catalog -quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:648
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Documents\HELP_DECRYPT_YOUR_FILES.HTML
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1832
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1832 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2480
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\HELP_DECRYPT_YOUR_FILES.TXT
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:2836

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-299117054-525103736679245240826727249-428045725-2673089311743751209-737535179"
1⤵
PID:1636

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1281969627-8119366-333890013645119478-7355996727268638952011245872-1455148539"
1⤵
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\HELP_DECRYPT_YOUR_FILES.TXT

Filesize
3KB

MD5
9be06be93d0675af1e6f99f8f98af927

SHA1
49b74f1dcc625a3cbd1578861d8455447b117ec3

SHA256
681bf02b094128b3e00871517bae12197e58bde888047c51c19c7ea98cfccf3c

SHA512
e5509224c0ce339379c4a42543ca2701e2f4e8d82191a6bf20174228106bb717b388eb58cf797117c2c8e98f182b1b9bb89f3e1d7fa02efb6c384db8e0c21bb4

Download Submit
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\HELP_DECRYPT_YOUR_FILES.HTML

Filesize
2KB

MD5
117a5728333f448403420892c942a1ff

SHA1
95fc37374fc3dbeea4c9ef0802457a7664de114c

SHA256
49e5829da3f03174e5c521b3ebbe1aa3c64780fdce8d70b80eb7d387cf944c55

SHA512
a4335fcc6307608b0ee709617973f111449ff731fa1b9caeb754151e5ba988b190c40ec79dc1dfdb75d1bee3ed7b445c05ec3aceebd9af05f5f2d796cb3a558e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f19e6e9a3add13e7514028530af5deb

SHA1
9de8e91b4183b2807b139f7ce5c45b4b0a08e0dc

SHA256
8866ed305e95fd9cf84610596302e20337c3ccb4c7257091b92953bb6f9b10e0

SHA512
f9caeb314a43677791949377a6b8bbbd22c448c1cbf39025d5da9f948b909c616e101b08960710dc96621e263be2bdb42a336ac7b4927c5e988a002ec9127c91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44753ededd20d83aef54d1760a090e7c

SHA1
52d0bfe82ddf5e8ca23e41c1596d69310b9c3696

SHA256
e54687ccde68f8463105976f864ac0360afc02bda6a1824f2ddccf42258f5eb7

SHA512
173d636d9047a403449923099f6d3ee9bb5654bc389af0d9dfa8c77fe9a0efd7256c2473475335218f884de83f815a8b65bbe19da5af2d75632d352733ef63fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f29735e14572fa322d8c667e85a8d18

SHA1
cc68bf1afa44c3d81019953b096d4105f0dc7fc7

SHA256
8f5ef0b8a702ca84b54975ebe271326a78b138efac29a71195cd07c8b6efd82a

SHA512
dfec4a3f535819aa1d25871135a7e259ff13892e1ebd740a5b02495052ccae0d43553594df99cb9d3b2504a0c1ce6fc3140c39e63458717ab2a851f647a6b9ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b83ef6a3f4ce4e55e53491209d9c94a

SHA1
47524c6713be0798b61148535845f23fa6202bc6

SHA256
f1a3d09e9c5b47248861b6e1cc2e1640da5cd117fa28a82cd83305945e274c05

SHA512
d32435d3a7c550ee5066b8bdf3742a322cd7ef386ec07cb54ba38c96ac5705731c7415fd4b834b2275142bd7a9cfd377d2b94f082bbe9022e5cc227bd83deec6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
243395989bbb161ba985fe4e7aaa288b

SHA1
4ae60072ef5e9edcd38232e4e3810ea5e6dedef6

SHA256
787285951dde467887eafd3bec508f8d08baf93c835552826a7bb762e55c0350

SHA512
af0a8a9ccb7236efb78bf2a242905150bbd29e280a1b58b0b3c596515c366073d2769017ea4b4b9bea2beabb37715aa88db2c5aad502c63c7a1b3f90abdc2ff1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
651030edbae1920cfdddd1c6f1bb6418

SHA1
fddd1b601684857dd0a8395e2242dc174a1082ba

SHA256
90b7bee368c878aaadb38d4660798efeae3cdff859821f001da3b3d2842eb642

SHA512
b16688147fac76b1f9274c166ca3fc4ccdf0f9f14e0662ac5ef9fe98b9aa2765a63735561d40d2f1d3e5a93356cad8935bb64d03c23d5698edff911abf03634d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cfcb05ae71a84a0c1f0f9ea437f3f565

SHA1
f22dcf06a3bfe4f86f6e689f1dd0faaf59f09363

SHA256
fdab27bdd136a898cebec2b9d8586a1cd058a3c582fc77dc0e0f25b1e02f296b

SHA512
707ad724f8fa4181e76800368edc2ffbfd834205d88d843a51a8e646d300ab164105224f27d085f233b162b56cb3437e4d58335f48384a13fb146f4d704afccb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6978f78444c41f29be0d47189db7390d

SHA1
ea8a6c2adf00330f79e08beb50b4a30941aa1985

SHA256
e698f8da289b07b167b242d0bf48f4ea95b7929c024250e0b18644de68752302

SHA512
0184e74aafeaf5101ea0b9d99c543d87a6fb779ee8895cbb4e1e944677bdad35e2e6cdf482f24dd635eeb9bdf0b4e089e91e98bb8d67eb829fda197ef57f4f21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c03268a98598a5b1b5ee7ca6e7e2669

SHA1
ece56e1bf05a3231246295199d65595fda3603d3

SHA256
7a2cbf78090d3ebaec2c0a4fe2e1cd61b4c95c6354ed2a9f11513b898220e7bb

SHA512
ec168660a78a08512041ea9a1df43ea57a9adb999a7dcb1e368a90143d95ce086767ea13de0c20584aed7ea031353df8719bca3ad53bf6faa0da0d9a536391a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d28d3613f5196e77bc37cbc662a91131

SHA1
c8f81bb38c2dacc82b2dbefd58c11af8d4e6b4f0

SHA256
fc38fe377058b647540d5c5230e2d601270d7b217d2300ae6adec562932c8eb7

SHA512
4bb1b0732cd9cbc8a7df36b8888b7044fdbba555727c5d5b381482041d5f211c994176c5f43c52d6ad5fb7e5171c62fc97108c2d2726f0491eb6cb87601d1a55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
30fcd928af2a8c70a53f45c0f5a89826

SHA1
c5b00965754e0bdaf1deb2916a4355eeedd9ecca

SHA256
ef1bd33e23233666f0f53759d8dfb08e52f4f2fc1a72239cbd3d428168ecae4a

SHA512
1597907ccf4980d900b98d4c733acebdae1b122affa1c1f43c5ba36007afeedf606480ee360fc48bc2834247be43e1f45170f70c21c8bd89795c49d34af49dc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d3fcfef5504ffe9f974fb7b7f6cdcec

SHA1
9a6404adaf7c7d4bac9ddf159e88db9fc8a5deb5

SHA256
5c68f1acf1de447560741c78fdef2f03e77b6ffadb642e9f42e06e25699b338c

SHA512
22f09f96bd1e69990cab05b84e196ed8b6ee63018328fcf1d45a9603a8fc32e0646bf5d7190a9c72a6666ca5c22d9965dc46dd6e4f367b0821321abce559a166

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b029b964d0161aa93f8b0c46c1d0db71

SHA1
5a0cd6c1f9b9ff957ad64a70a390af88f2d8f0fa

SHA256
22877d95d19ce56d2adb11861135d47743416f0d1cc55096f508a0524130e829

SHA512
e93d963f3477057665a60aaf7ac5508462cc227c751b52947269675f5da46d69fb0638936345d81758dfc82fa2c97415688dd3ac5f85abc0eec203c02bc30cb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e474320f67016621cad46688670d80e

SHA1
df84490baaa28ad68695837c4db5e5e98633ad51

SHA256
08f0d15acad5cc0bfc4a5964822b5bf64226536cd81f097a83161dd0c9d0fa2e

SHA512
09dd81972550cc096f4a238272dde057632c12e9bf4cc671a1fefac635ba19319b4388dc5a9b16ea5f7dde673048b1b4fb4a92aa3b6afe81d85e5e8bbfae9b00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77584001b6cf10bd6c1e256884d7d7a3

SHA1
0840a77430bb27599544e2315436a77ebed447ef

SHA256
e88cdf6e801d2b05b671f644afc71ae9f3a7537c1d6a4124d27fcaf3d13113f1

SHA512
8568db50e49f4e05c1f83a21033b5b97af82c0b4a69953d1b62dfd4a5b12f27294e97777f9ac4be285181eb11539b0505ba4823ef96b475bcbfe3419596ee5c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6db65946940abe6bdd6f693b4799a9e

SHA1
02a2532edd05a708a18d18a27832983b2fbc2cd9

SHA256
ff3da8707561cc9d2f15be7820946bb411527477676315048e52df9f125f2706

SHA512
1e6699327ef6d7e8f70ba84f6529ad538ccce5e241167330174008c3c4441ac6193546c77e835822b423d1cdcc2fe0682df8b86eed48f72d09a7eeba068eee0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b242c41f852b7fcb3734d4dcc22c9668

SHA1
956a905843855cd617fbe720a6474d7bc1ca8613

SHA256
db71d79bc77e66f2b0a7326879c88451b9a1552642cbb5967eee143195742de0

SHA512
850e92284b7caf0ff5db7068aad84feb9f7aa4a72b6bca39b6bc6b309f9f25a60d6dcba94b29ba9240e643896f869290cbc54af73a7fc5879f8ee029b2eab7bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f3ced8d7a59a30abe3f300dfe2f019d

SHA1
ca9b5b47610720d69cbd5bea438e6444b436d771

SHA256
c9afd94c85e6e40f1fec93febf72d1f2dfd1363a15653f3de52ce5953208fcf6

SHA512
91621709cc070a687792ea2a53affa7f7f12337bd858b59425254b0bedf4c6449f62d3616530fe9697cfc14030e57545ae6cd2c718f1ad94ba2582ec5c209aa5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f967c7fdbf4a6ce1a237964ca6e33a2

SHA1
fdde604ba1d5425d8091f22dbdd1a745a4d38ce2

SHA256
70721f93e1057725ff76d042b3af6df332e992a2bc208c742cfb8fa3881253ce

SHA512
c78c1cb092ba3fd7e465e5c96ccffba8b3379616854a19891e4db2adc5690e63593987f00b7f12d254431fc361a5e2aff7c75c67642da12db78c5944f32ba880

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEF71.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF010.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\HELP_DECRYPT_YOUR_FILES.HTML

Filesize
2KB

MD5
f1efed5ad740eb5985f3dc142664959c

SHA1
f06aeb1e8a54ba0887b0d5af5c59288cb325387e

SHA256
d46e0b583276a7c33a677c3cf85305e42fb1cfc92816796971c83f5cbe40d635

SHA512
afc754a7d1218081f9ad95b0f2b47fdea608564d3c0dc04fa69f9c3e7fe3f06d7d4487be5ca4c5beb32e44996aaf59edb05382865d569a4f707d7a80170cfcb4

Download Submit
C:\Users\HELP_DECRYPT_YOUR_FILES.TXT

Filesize
3KB

MD5
10a6f4dc56e5a278355e10ecbc5d4df5

SHA1
071ee57fec7392c87bb788f44677a9b4252d62f4

SHA256
84b697de5273236448752e6855302e7ff4dbb475a2769adb00fa1de31f43287b

SHA512
336df7be813a7fcb962ca01aafe55cf776db86156ac85ab1d74261a480a2c1d5025a5a85610cd783e5edc3e1cac718775bb317450cbefb7c0d8f79db8456aba3

Download Submit
memory/2132-0-0x00000000000F0000-0x00000000000FB000-memory.dmp

Filesize
44KB

Download