cb93ef8affa8e13b671190d1f8790aa08e0686097493d958e900659db2736841

Analysis

max time kernel
1561s
max time network
1562s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
Size

96KB
MD5

df80cbaadb754de14c97dc05995fdc4a
SHA1

6f9369c9d2f174b4abd642d4fb43cff690f364df
SHA256

43fbc1ee5c4ef4a5bfdbbd67407c4364e6cf205475250f97138f55db4c77002c
SHA512

cccf010d4344bd574dea5a254800207b8603b1ff2dcae8d4b341c4368976544ebee9fc68632701be3ab41098ab0c6b64f2b61f27063a068777e3bc440bac01d7
SSDEEP

1536:umsz2jF1PzSg1dPVHT4MVyU3NJZfA1111111bilpPXvlMq12Kpuyjg1kFa:hdPV8uyU3zJA1111111bilpPX6q2y8kc

Score

10^/10

defense_evasion discovery execution impact persistence ransomware

Malware Config

Extracted

Path

C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.TXT

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-2048 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start send email now for more specific instructions! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions: Contact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 24 hours. For you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. Please do not waste your time! You have 72 hours only! After that The Main Server will double your price! So right now You have a chance to buy your individual private softWare with a low price! E-MAIL1: [email protected] E-MAIL2: [email protected] Spare email: E-MAIL1: [email protected] E-MAIL2: [email protected]

Emails

[email protected]

Extracted

Path

C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.TXT

Ransom Note

Emails

[email protected]

Extracted

Path

C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.HTML

Ransom Note

<!DOCTYPE html> <html> <head> <meta charset="utf-8"> <title>HELP_DECRYPT_YOUR_FILES</title> <style> .text { text-align: center; } </style> </head> <body> <div class="text"> NOT YOUR LANGUAGE? USE <a href="https://translate.google.com">https://translate.google.com</a> What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a> How did this happen ? !!! Specially for your PC was generated personal RSA-2048 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start send email now for more specific instructions! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions: Contact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 24 hours. For you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee. Please do not waste your time! You have 72 hours only! After that The Main Server will double your price! So right now You have a chance to buy your individual private softWare with a low price! E-MAIL1: [email protected] E-MAIL2: [email protected] Spare email if we do not respond within 24 hours: E-MAIL1: [email protected] E-MAIL2: [email protected]

Emails

[email protected]

Extracted

Path

C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.HTML

Ransom Note

Emails

[email protected]

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*ChromeFlashPlayers32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeFlashPlayer_8d2f77761c9b74ea.exe\""	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome Reader UpdateHardWare = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe\""	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*Chrome Reader Update32 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe\""	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeFlashPlayersHardWare = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeFlashPlayer_8d2f77761c9b74ea.exe\""	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe

description	ioc	Process
File opened (read-only)	\??\E:	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\K:	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\L:	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\S:	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\V:	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\B:	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\G:	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\I:	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\N:	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\Q:	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\U:	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\Z:	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\A:	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\J:	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\R:	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\T:	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\W:	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\X:	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\H:	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\M:	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\O:	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\P:	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File opened (read-only)	\??\Y:	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe

Drops file in Program Files directory 8 IoCs

Processes:

2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe

description	ioc	Process
File opened for modification	C:\Program Files\HELP_DECRYPT_YOUR_FILES.HTML	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File created	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.TXT	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File opened for modification	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.TXT	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File created	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.HTML	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File opened for modification	C:\Program Files (x86)\HELP_DECRYPT_YOUR_FILES.HTML	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File created	C:\Program Files\HELP_DECRYPT_YOUR_FILES.TXT	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File opened for modification	C:\Program Files\HELP_DECRYPT_YOUR_FILES.TXT	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File created	C:\Program Files\HELP_DECRYPT_YOUR_FILES.HTML	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe

Drops file in Windows directory 4 IoCs

Processes:

2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe

description	ioc	Process
File opened for modification	C:\Windows\HELP_DECRYPT_YOUR_FILES.HTML	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File created	C:\Windows\HELP_DECRYPT_YOUR_FILES.TXT	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File opened for modification	C:\Windows\HELP_DECRYPT_YOUR_FILES.TXT	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
File created	C:\Windows\HELP_DECRYPT_YOUR_FILES.HTML	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

vssadmin.execmd.execmd.exevssadmin.exevssadmin.execmd.execmd.execmd.exevssadmin.execmd.execmd.execmd.execmd.execmd.exevssadmin.execmd.exevssadmin.exevssadmin.execmd.execmd.execmd.exeNOTEPAD.EXEvssadmin.exeIEXPLORE.EXEcmd.exevssadmin.exevssadmin.exenet.exevssadmin.execmd.exe2016-09-19-EITest-Rig-EK-payload-CryptFile2.execmd.exevssadmin.execmd.execmd.execmd.exevssadmin.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exenet1.execmd.exevssadmin.exevssadmin.execmd.execmd.exevssadmin.exevssadmin.execmd.exevssadmin.exevssadmin.exevssadmin.execmd.execmd.exevssadmin.execmd.exeWMIC.execmd.exevssadmin.exevssadmin.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe

Interacts with shadow copies 3 TTPs 27 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	Process
316	vssadmin.exe
2140	vssadmin.exe
1824	vssadmin.exe
1976	vssadmin.exe
2172	vssadmin.exe
912	vssadmin.exe
2636	vssadmin.exe
2672	vssadmin.exe
2840	vssadmin.exe
1356	vssadmin.exe
1608	vssadmin.exe
1736	vssadmin.exe
2688	vssadmin.exe
1676	vssadmin.exe
2192	vssadmin.exe
2520	vssadmin.exe
2240	vssadmin.exe
3008	vssadmin.exe
1028	vssadmin.exe
808	vssadmin.exe
2564	vssadmin.exe
812	vssadmin.exe
1192	vssadmin.exe
1340	vssadmin.exe
1144	vssadmin.exe
1980	vssadmin.exe
292	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437471360"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1C56F591-9FFD-11EF-8B93-E20EBDDD16B9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b9600000000020000000000106600000001000020000000638300c21e6dbc6097510ba41fa23c17137c3122150947f0188c04541dd3b117000000000e80000000020000200000001f1125cb999dcbccf39efb0fe9c3f8dff5234e6e110a8ba3ac7a0b6d61454aba200000000554581624d323612bea68ebbd64c2f2f54a2ca0bcea74c2a4508f9ec8473df740000000d08fe369145b6a9490460244b7edbf9816cb5479bde2c9fd4f2d633d360d8ff99759554c288c9e883a9fdce7f2956c478f0ab743fc812423ad82231b4619e18b	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b08bf4f00934db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b96000000000200000000001066000000010000200000006fcd4c13ab98c8979ac0af84f6b71f22485d773a0956f102117824fddcf0b771000000000e8000000002000020000000eb8a3707c1d760bb01077de6cfea2c448ca2ce8d133f58b60549e375f734ea9290000000477125af92d6a6559c799eb521da4c3d75890658263c8b3550395b68fca9624643553f2f74e2b819540ffe85d2a6cf621426f69c0abbb24773a466608123834654000bd1d0c61e8b57e05c0980e1aea7c749067bc1838246465f710cd120c6d097aa98b77c875448a4712c7e1d9fe6c0ef04f87c0518f8546c9ac414d55dc6d73b8b8514840ed64796132c62c8b91eda4000000005451b370a0f56a1ac9d1db07f36a9d2fd36d257c3b60e10f65d12dfd449a1f71d536a284e31ba740b2573c4823ef3a928ab79b5cb2f945dc97267c380a5325d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
556	NOTEPAD.EXE

Runs net.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

WMIC.exevssvc.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2144	WMIC.exe
Token: SeSecurityPrivilege	2144	WMIC.exe
Token: SeTakeOwnershipPrivilege	2144	WMIC.exe
Token: SeLoadDriverPrivilege	2144	WMIC.exe
Token: SeSystemProfilePrivilege	2144	WMIC.exe
Token: SeSystemtimePrivilege	2144	WMIC.exe
Token: SeProfSingleProcessPrivilege	2144	WMIC.exe
Token: SeIncBasePriorityPrivilege	2144	WMIC.exe
Token: SeCreatePagefilePrivilege	2144	WMIC.exe
Token: SeBackupPrivilege	2144	WMIC.exe
Token: SeRestorePrivilege	2144	WMIC.exe
Token: SeShutdownPrivilege	2144	WMIC.exe
Token: SeDebugPrivilege	2144	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2144	WMIC.exe
Token: SeRemoteShutdownPrivilege	2144	WMIC.exe
Token: SeUndockPrivilege	2144	WMIC.exe
Token: SeManageVolumePrivilege	2144	WMIC.exe
Token: 33	2144	WMIC.exe
Token: 34	2144	WMIC.exe
Token: 35	2144	WMIC.exe
Token: SeBackupPrivilege	2936	vssvc.exe
Token: SeRestorePrivilege	2936	vssvc.exe
Token: SeAuditPrivilege	2936	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2144	WMIC.exe
Token: SeSecurityPrivilege	2144	WMIC.exe
Token: SeTakeOwnershipPrivilege	2144	WMIC.exe
Token: SeLoadDriverPrivilege	2144	WMIC.exe
Token: SeSystemProfilePrivilege	2144	WMIC.exe
Token: SeSystemtimePrivilege	2144	WMIC.exe
Token: SeProfSingleProcessPrivilege	2144	WMIC.exe
Token: SeIncBasePriorityPrivilege	2144	WMIC.exe
Token: SeCreatePagefilePrivilege	2144	WMIC.exe
Token: SeBackupPrivilege	2144	WMIC.exe
Token: SeRestorePrivilege	2144	WMIC.exe
Token: SeShutdownPrivilege	2144	WMIC.exe
Token: SeDebugPrivilege	2144	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2144	WMIC.exe
Token: SeRemoteShutdownPrivilege	2144	WMIC.exe
Token: SeUndockPrivilege	2144	WMIC.exe
Token: SeManageVolumePrivilege	2144	WMIC.exe
Token: 33	2144	WMIC.exe
Token: 34	2144	WMIC.exe
Token: 35	2144	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid	Process
2256	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	Process
2256	iexplore.exe
2256	iexplore.exe
2636	IEXPLORE.EXE
2636	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2016-09-19-EITest-Rig-EK-payload-CryptFile2.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 956 wrote to memory of 1892	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	33
PID 956 wrote to memory of 1892	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	33
PID 956 wrote to memory of 1892	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	33
PID 956 wrote to memory of 1892	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	33
PID 956 wrote to memory of 1088	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	35
PID 956 wrote to memory of 1088	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	35
PID 956 wrote to memory of 1088	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	35
PID 956 wrote to memory of 1088	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	35
PID 956 wrote to memory of 2040	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	37
PID 956 wrote to memory of 2040	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	37
PID 956 wrote to memory of 2040	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	37
PID 956 wrote to memory of 2040	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	37
PID 956 wrote to memory of 344	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	40
PID 956 wrote to memory of 344	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	40
PID 956 wrote to memory of 344	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	40
PID 956 wrote to memory of 344	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	40
PID 1892 wrote to memory of 912	1892	cmd.exe	39
PID 1892 wrote to memory of 912	1892	cmd.exe	39
PID 1892 wrote to memory of 912	1892	cmd.exe	39
PID 1892 wrote to memory of 912	1892	cmd.exe	39
PID 1088 wrote to memory of 2144	1088	cmd.exe	42
PID 1088 wrote to memory of 2144	1088	cmd.exe	42
PID 1088 wrote to memory of 2144	1088	cmd.exe	42
PID 1088 wrote to memory of 2144	1088	cmd.exe	42
PID 956 wrote to memory of 1536	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	43
PID 956 wrote to memory of 1536	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	43
PID 956 wrote to memory of 1536	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	43
PID 956 wrote to memory of 1536	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	43
PID 344 wrote to memory of 292	344	cmd.exe	45
PID 344 wrote to memory of 292	344	cmd.exe	45
PID 344 wrote to memory of 292	344	cmd.exe	45
PID 344 wrote to memory of 292	344	cmd.exe	45
PID 2040 wrote to memory of 1676	2040	cmd.exe	46
PID 2040 wrote to memory of 1676	2040	cmd.exe	46
PID 2040 wrote to memory of 1676	2040	cmd.exe	46
PID 2040 wrote to memory of 1676	2040	cmd.exe	46
PID 956 wrote to memory of 740	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	47
PID 956 wrote to memory of 740	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	47
PID 956 wrote to memory of 740	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	47
PID 956 wrote to memory of 740	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	47
PID 956 wrote to memory of 2052	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	49
PID 956 wrote to memory of 2052	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	49
PID 956 wrote to memory of 2052	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	49
PID 956 wrote to memory of 2052	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	49
PID 1536 wrote to memory of 2140	1536	cmd.exe	50
PID 1536 wrote to memory of 2140	1536	cmd.exe	50
PID 1536 wrote to memory of 2140	1536	cmd.exe	50
PID 1536 wrote to memory of 2140	1536	cmd.exe	50
PID 956 wrote to memory of 2176	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	51
PID 956 wrote to memory of 2176	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	51
PID 956 wrote to memory of 2176	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	51
PID 956 wrote to memory of 2176	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	51
PID 956 wrote to memory of 2456	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	54
PID 956 wrote to memory of 2456	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	54
PID 956 wrote to memory of 2456	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	54
PID 956 wrote to memory of 2456	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	54
PID 740 wrote to memory of 812	740	cmd.exe	55
PID 740 wrote to memory of 812	740	cmd.exe	55
PID 740 wrote to memory of 812	740	cmd.exe	55
PID 740 wrote to memory of 812	740	cmd.exe	55
PID 956 wrote to memory of 1944	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	57
PID 956 wrote to memory of 1944	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	57
PID 956 wrote to memory of 1944	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	57
PID 956 wrote to memory of 1944	956	2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe	57

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
"C:\Users\Admin\AppData\Local\Temp\2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:912
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2144
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Z: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1676
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:344
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Y: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:292
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=X: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2140
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=W: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:812
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2052
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=V: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1824
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2176
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=U: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2564
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2456
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=T: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2192
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1944
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=S: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1976
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:876
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=R: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1356
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2408
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=Q: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2636
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1704
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=P: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2240
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2372
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=O: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1144
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2660
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=N: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2520
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2924
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=M: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1340
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2648
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=L: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:316
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2396
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=K: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All /Quiet
  2⤵
  PID:868
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=J: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1496
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=I: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1028
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:236
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=H: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:3008
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2848
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=G: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2996
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=F: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:808
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All /Quiet
  2⤵
  PID:2168
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=E: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1736
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1484
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=D: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1980
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2056
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=C: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2688
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1528
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=B: /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2172
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1820
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /For=A: /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2840
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop vss
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2992
- - C:\Windows\SysWOW64\net.exe
    net stop vss
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2108
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vss
      4⤵
      System Location Discovery: System Language Discovery
      PID:1064
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled No
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1264
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1680
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set {default} recoveryenabled No
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1156
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1148
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:304
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2844
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" bcdedit /set recoveryenabled NO
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1480
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set recoveryenabled NO
  2⤵
  PID:1508
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:904
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" wbadmin delete catalog -quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2956
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Documents\HELP_DECRYPT_YOUR_FILES.HTML
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2256
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2256 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2636
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\HELP_DECRYPT_YOUR_FILES.TXT
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:556

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1822762211-158416121773534858221467187870380233711238535671277788979385332675"
1⤵
PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.HTML

Filesize
2KB

MD5
57822a64d552903475a93bfe2ec0dd52

SHA1
c8e9aa9103ce46820574517cf76f4a4712d833b1

SHA256
d6309e4da77dca5a4212383d7ef27cece1b5f936be48e834712aa53dab7f3067

SHA512
b7ce999a200c676ac2b7115196b55ca639bf60807bfa833f46e93532ff8c5b06e9d02f4d7bb46928e7c0777654ae7240b7ea8e2722988eb013d74feeeead3ff0

Download Submit
C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.HTML

Filesize
2KB

MD5
9a64005b176a3edcf8c1c47e41afb7a1

SHA1
0459a9f760b603d2c50e8c2beef3c3b36419167d

SHA256
26221c67c79e42caff4541636a938a8d8a5dd1419ef12fbb21c99d51b46ecff5

SHA512
24dc81bfce6c2fb1a8feb2ad9282f5453e626eece05e709588b230da74dc291ffbeaa63511911822bd711ac05730932ab2e13bcddbcf4f98e6c1d8c59821d265

Download Submit
C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.TXT

Filesize
3KB

MD5
972f9c7ca92bdd403211c676f58ec04e

SHA1
5c55e21f43c2679723a8f12ccb62513d0de8e65c

SHA256
4cf3e907cfd20fa534421e0dc3ae894d24cae11051fe4281b9696bb91af00e58

SHA512
6d04a6b40a2d39a864200eb5a60813de0e11fb9aadbeecfbbbf98181fe5e7dc686d347f77e5464b9ead7b8f023431b59e2b5ed52b635ea66014241f1178a7170

Download Submit
C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.TXT

Filesize
3KB

MD5
b95ed4a8edef8ddea3f6cab2777cf821

SHA1
42c3d2b6f39779b372bd437cf3f47c10fb1c10e9

SHA256
7e271b1e1c810d49c214592db2f0cb40c2154af7d56ef326427d9cbfa0be236e

SHA512
c45baebb7c4636c341c1418267b7fe41b40cd7994719bee83f3d171d6dc69f11b311c1424135f6e7b12f0738faaa626fa86278814bac8c19e9fc844931914c9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
c453001e6bd7d85f5276186eb2e8f9d3

SHA1
5386b889ae12610f5fd82601db8c021c3028da4b

SHA256
780c327621c69e3cdbf5c35edb0498bf5321ba4622e101c929e5574bbd58b82b

SHA512
29334314643085ac6164f46b9f5ba74097659516c0c54f4719968a9f0207979ab744648b7c2d6a5dfe4988b3c8ad832199a590328c972f3b0433467871b79ed6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a1dbbbbf06ae9de003432a032db4c54

SHA1
4ecad120ce5d230ace6afbb1be84846318f326cc

SHA256
84ab7f5fa9649ca8872e8f17987f7bbebed5815a71316602599e7890dbb59ef2

SHA512
59bfbee80d3696ebf31d05f4f14091bf18803e83d0f961f69397c6c87116e393556fec9fdd600309725786a9f081b7c3af4099725785d13089e729b8aeaa597b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
745cb2d0a26f3bfc403ad52bdf38e96d

SHA1
9e9afff480e65cd4e9e04ce08af6aab53b43cfd4

SHA256
58a370b2be1d87b6ea0bce032124502a1177101df367fac2b87fa321241989d1

SHA512
392019fee9b89fea5ec0a2d7eee4ae555c52b7bc9a30179d80a8cd15d5ec0e2689d72e142b3589763ece9f2a1986b7d57a3fcc3ef5ae98d85bec92cb89700be4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f1ab34ad23af73b34b9aeaafd37b20c

SHA1
7e6f1679cafbe7e512067ed1fc2179369f72383d

SHA256
67e0d37fdf883ac6365e1ca49cb9537ec5014a964fe021891309cd1a50e01891

SHA512
ef9870376c190f1ff4743ffdfc225be66ae435f3c4ad5c5cecee67846fc57b824f94eaf947dba1c82c12f92d8488f20b11e95b5154d81c39deba41b94526321d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f104573d4588257757a5c05c84947bc9

SHA1
08bdd86a5318bb51e3ed895c9b957680169b2075

SHA256
ea1ea2a37eb5be1539a53c075ee9dfee830c541e0f23d38d9807388f80ac4742

SHA512
f0d09f80cabf00fa67a7003f629af6d3d6ae51e6c7d63f3b28ce241aa85d7ca1ef616facd956a7c3edff401b3267e07f20f1b6cddf65eebbe6c8c3c63511487c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5219f41af5d8f11f861af16529510d05

SHA1
48f52a46a6b541eaadc79015a1f44faed1914708

SHA256
400a854dc68e3247820e2488522628c0368330823c62dd5d80b4db974c1afba4

SHA512
ce6fc066011e7b8e2ae904b4c3af9de63ad8687dde43c8f6cd5e78b03527d27e37d2c7590dcd00afed7726e9a027c8c43c3f66e82680be99ab0146f5d7f1cf7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c71c00f61e36a6ecfeb19700f3373ec9

SHA1
8f1bec941ba3a0b744c52aa92e01230147233390

SHA256
feb94454d42489dd4b1799f9fb0a2979ca6ca06e11a01c2cb359871a44a164f6

SHA512
8c8d3b1c47e398ed38a269955bc189b53b6b9bf3cf717b6d45d5b86d9bf39337b6debd6a4728ce80b58796fd8911292c53cfcd90e40ad5d68dd2eb425d20a892

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1ad4162a2321cb44014352788783e34

SHA1
3f766dedd6fa2ab41bd8250c394c3d14ff19f021

SHA256
34394622bf0d78ff76dbffecac39c55a11c575ee4b36c0167f948317a048f565

SHA512
3869bad207c84db79359b2c99d63078f9e3711ff13c66087e725d0f030b0b97942f32026068592ac5d0b346ff612c3a0db86b2dd624ea9980d4d9d173fd16c1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b85daeb279dad6bd8601343da224a51

SHA1
0d000487a208e3c95ac81b488e04fbe91092e9d2

SHA256
e9fb8c3d069ef4d2c87270cbf019c75af5758f2db51aa72af7299c118fbc486d

SHA512
1fc72bf77203da6681847687d31097c685d74730e9d0497ed1cdf052f46e8e6091d5fdac2a72d1a6ccfd562c9aaadbe02455c8880c4a5108fc348d8078a71616

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1de600ec133c3fdfc45bc7936055d05c

SHA1
af8b68434fc17c516d5b91729dd23225467671c7

SHA256
e509130e427e94ce9edda80d7ae614c888b8a0814830200d1d74bd94b636e122

SHA512
fdae0a34213302695d3421a3dbb0744819931ee0668a90099948193cc5fc484c9b8db2a325f2e8013c1f70e272b2712fea20057f2e222dd28120d4c26a0d2139

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9951d7e6c604102ec5bcc01c1c1e5188

SHA1
9a5498cf882ba4d88ae49ffd02a90cb341fdef43

SHA256
339efd7ef387e77387fe8f8832d459f67dc190fed98cfd95cd165b6466186c9b

SHA512
c215741fddc50cc8379d2518844cd467e0851432fb698f53e164eac51fe0a3883a3d6f31f45300b9906cd4fd26578ff533a125c968b966072a8db435299d8cd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a755ce271a06b08dccfc88cc1cc11a1

SHA1
49ce9ee825b11422a933438498a9f0255b2d5146

SHA256
10a6d157acf744cc2e18213d94b34be966a877c4db75931515bd1a4af5a29ebc

SHA512
73375ddd8dec66ead06f57dd8f4d5daf8fc3d69bf2735684127ffa04cb4f127a79a5621d68adbdd5148cad076513209f1e6cc0b5ec07e15eb1df3a6dc07aa364

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
d90247f6b9d50fda13b57596de3e5380

SHA1
28e260651fffe51eaea47bbf1fa74c5191a7607d

SHA256
e9b984031b4f6f8c87f239f7ab06e6c12980635d1387b54c88b716e0d72f6f2c

SHA512
1510b9e23f752f28b043de408ee740232cf711ff23618d4e0c3ca54f47e861717201d69366de280b3c98696d242ac5d2af22a4df891b8f5f10a9ac6a01f324bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFF38.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFF6A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/956-0-0x0000000000090000-0x000000000009B000-memory.dmp

Filesize
44KB

Download