58e30f939535c1c2d65fbab197f4a6816931522b8513d8261154eb86f6e28579

Analysis

max time kernel
67s
max time network
64s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
Size

328KB
MD5

3ef478a7c898e91f09385da44555d986
SHA1

07c1f289891b59892ae45253ffdc969f11267ac5
SHA256

1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4
SHA512

e67b411fbc1a05a6482b03d8320fad0bd08836c5fa651b435473ee3233bb62240c1ffaab1ede7f58fee9eee70f4e313a230411a143495e2d30826546148cd4d1
SSDEEP

3072:uhl75wtMO7RTbcA6Ao7A75PeunlG7m//5/vZ/5TVk5ixJNe4yg6bMtJWPhyhMvcc:E5sRXcTAmEFRJ/525caYzfpCHFc8j

Score

9^/10

credential_access defense_evasion discovery execution impact ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (7831) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 16 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe

Drops file in Program Files directory 64 IoCs

Processes:

1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02227_.WMF	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPrintTemplate.html	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\MANIFEST.MF	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\boot_ja.jar	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaBrightDemiBold.ttf	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\SettingsInternal.zip	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-back-static.png	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Casey	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04196_.WMF	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\header.gif	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\DECRYPT_INFORMATION.html	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152702.WMF	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR2F.GIF	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\APPTL.ICO	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.console_1.1.0.v20140131-1639.jar	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-io.xml	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePage.gif	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\DECRYPT_INFORMATION.html	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_ja_4.4.0.v20140623020002.jar	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Sydney	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\DECRYPT_INFORMATION.html	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageSmall.jpg	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\button-highlight.png	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\DECRYPT_INFORMATION.html	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382959.JPG	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382962.JPG	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OL.SAM	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\DECRYPT_INFORMATION.html	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application_5.5.0.165303.jar	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR45B.GIF	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\DECRYPT_INFORMATION.html	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02093_.WMF	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.CN.XML	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.codec_1.6.0.v201305230611.jar	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdate.cer	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIP.JPG	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_OFF.GIF	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBOB6.CHM	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153265.WMF	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14800_.GIF	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\TAG.XSL	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Custom.propdesc	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\DECRYPT_INFORMATION.html	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\THMBNAIL.PNG	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDRESTL.ICO	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Christmas	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00688_.WMF	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\DECRYPT_INFORMATION.html	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105282.WMF	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03453_.WMF	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplate.html	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_SelectionSubpicture.png	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\DECRYPT_INFORMATION.html	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RCLRPT.CFG	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MML2OMML.XSL	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\OriginMergeLetter.Dotx	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG.wmv	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Catamarca	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exe1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exeIEXPLORE.EXEvssadmin.exevssadmin.execmd.exevssadmin.exevssadmin.execmd.exevssadmin.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe

Interacts with shadow copies 3 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
37624	vssadmin.exe
37780	vssadmin.exe
37212	vssadmin.exe
36024	vssadmin.exe
36396	vssadmin.exe
37856	vssadmin.exe
37804	vssadmin.exe
37884	vssadmin.exe
37768	vssadmin.exe
37740	vssadmin.exe
36080	vssadmin.exe
37868	vssadmin.exe
37620	vssadmin.exe
37700	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7F5E4CB1-A741-11EF-B5D6-4625F4E6DDF6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 37528 vssvc.exe
Token: SeRestorePrivilege 37528 vssvc.exe
Token: SeAuditPrivilege 37528 vssvc.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

37580 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

37580 iexplore.exe
37580 iexplore.exe
37672 IEXPLORE.EXE
37672 IEXPLORE.EXE
37672 IEXPLORE.EXE
37672 IEXPLORE.EXE

description	pid	process
Token: SeBackupPrivilege	37528	vssvc.exe
Token: SeRestorePrivilege	37528	vssvc.exe
Token: SeAuditPrivilege	37528	vssvc.exe

pid	process
37580	iexplore.exe

pid	process
37580	iexplore.exe
37580	iexplore.exe
37672	IEXPLORE.EXE
37672	IEXPLORE.EXE
37672	IEXPLORE.EXE
37672	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.execmd.execmd.exeiexplore.exe

description	pid	process	target process
PID 2292 wrote to memory of 35952	2292	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe	cmd.exe
PID 2292 wrote to memory of 35952	2292	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe	cmd.exe
PID 2292 wrote to memory of 35952	2292	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe	cmd.exe
PID 2292 wrote to memory of 35952	2292	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe	cmd.exe
PID 2292 wrote to memory of 37416	2292	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe	cmd.exe
PID 2292 wrote to memory of 37416	2292	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe	cmd.exe
PID 2292 wrote to memory of 37416	2292	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe	cmd.exe
PID 2292 wrote to memory of 37416	2292	1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe	cmd.exe
PID 35952 wrote to memory of 37212	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37212	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37212	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37212	35952	cmd.exe	vssadmin.exe
PID 37416 wrote to memory of 37580	37416	cmd.exe	iexplore.exe
PID 37416 wrote to memory of 37580	37416	cmd.exe	iexplore.exe
PID 37416 wrote to memory of 37580	37416	cmd.exe	iexplore.exe
PID 37416 wrote to memory of 37580	37416	cmd.exe	iexplore.exe
PID 37580 wrote to memory of 37672	37580	iexplore.exe	IEXPLORE.EXE
PID 37580 wrote to memory of 37672	37580	iexplore.exe	IEXPLORE.EXE
PID 37580 wrote to memory of 37672	37580	iexplore.exe	IEXPLORE.EXE
PID 37580 wrote to memory of 37672	37580	iexplore.exe	IEXPLORE.EXE
PID 35952 wrote to memory of 37768	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37768	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37768	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37768	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37856	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37856	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37856	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37856	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 36024	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 36024	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 36024	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 36024	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37620	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37620	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37620	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37620	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37700	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37700	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37700	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37700	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37624	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37624	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37624	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37624	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37740	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37740	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37740	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37740	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37780	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37780	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37780	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37780	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37884	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37884	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37884	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37884	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37804	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37804	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37804	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 37804	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 36080	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 36080	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 36080	35952	cmd.exe	vssadmin.exe
PID 35952 wrote to memory of 36080	35952	cmd.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe
"C:\Users\Admin\AppData\Local\Temp\1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:35952
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:37212
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:37768
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:37856
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:36024
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:37620
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:37700
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:37624
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:37740
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:37780
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:37884
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:37804
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:36080
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:37868
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:36396
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\users\Admin\Desktop\DECRYPT_INFORMATION.html
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:37416
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\DECRYPT_INFORMATION.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:37580
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:37580 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:37672

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:37528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DECRYPT_INFORMATION.html

Filesize
6KB

MD5
027a9b15f2b14f624fa08b09e31c5c73

SHA1
841c408ca0f9819c1d7b61bd37720c113245d886

SHA256
a1f7fa38c79ca996b6e363726b8c8e7713292191d9d5d97b6a32c89cc7fdb805

SHA512
079e9ef53dcfb21be44c1cf7f1bc2327b8e82781b98827847124bcf0245184234467e527e939a7a16fe7f0153dc5e7bc4b25a600689363f12508734cc7b750de

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\7f603bed929170f96576b4e2d9988a32_5a410d66-f84f-4a6b-9b29-3982febe58d9[[email protected]].HRM

Filesize
2KB

MD5
4a78fc46fc0619192678f3da77f68e3a

SHA1
3366d203869bdf39f6918af41585559b7ad42d66

SHA256
6d2da9376953fa2416f4c3a73b605a23c51c1b711a95a0523a7d58b7f035b7fd

SHA512
091eea752c9c0dc8d118d30b44aa7744d1d86432b90371a06f85e2de346fb136eeda3c252f4f334747a944ccd6cc7979c97d497c751d613831dcf0bd130c65d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
d7ec9bf175a71856aa6a7ab8a84dcc4e

SHA1
58db8505d8061d29e62df18637df7c3d00ff12a0

SHA256
258bdf5b3abeb39d1d45de283f3fcbe229c2fefa1691fd739f7259efa49b222d

SHA512
348dc841a2b2d8e33e37df3aa981efaaaf2be6c1d4d4e2459058191241b5aa853388bcf8b2823db2b6f72599f6c7ac01ceea0ec394e329f48e13bb093b5424e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fca457294647444130d348cfe3c050e9

SHA1
3118129cc34d11f434751319e4faca7da1b7bb7e

SHA256
bd880b999194cc37cde9be10f2ce111262f356d46ba9c457e9833c4d61a5d768

SHA512
16b591a43e532ecc2609a29c65f83d3a385346e24131884540b84f88dd64d9c18190ee99cf4c8e2da5db85b1cd7d1878cf97512b13a2ab464d9ead1a2deaaad7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e36276be5de348bc42d9a60fc0ce93b6

SHA1
3d8f00cf69a28cadd4a0dc381cbf2835fe494462

SHA256
6cd9465333306daf22718f84e57cda6bc456ca00269cf7b1538657b0ccecd842

SHA512
3145e3ea3d4292d99799bd0f83febc651ff1fd08219d21ef45e391f529b394d7364f594d4344cfe00f4dea62250216074d185c83efa8a3743591fa3f25ae24ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
981a6a6da0f0b083dcda64b561ae4f76

SHA1
0587cc2328aaec3335b8d73ce1402fb3fc6733f6

SHA256
0a20bd889876135870d79af75f4d294b03bf06a22868be1b0b37c9684c8f3c0f

SHA512
62e4426150b874b5d78c68e1fcffe5849c6df8697f160fc8258166cc53fbf2e110e284ac0626da1a52a1353848f3682dd6052e3ff8090556d46367df1f66c641

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8495211851ad7b198ded047edf4ccfd

SHA1
0dbbf7ade84c3f6b6d22f40ac8d8aeff354f8005

SHA256
a814c52eead901106b03cdee621fe8f410a698efa22be32f768e233c43982c0a

SHA512
3056767ff43b3f6b0b189ce17b8e5594149b76296a5a1656844298bbb411343d8021d556f18b7a9d6ab49ec60c3b813660d36147a4b585533ec2c47227868dff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73f975b2b33060fd2eeb59e87789cbf5

SHA1
e7157549e9e09fc38235b0c116a40ba13ccbf8f6

SHA256
05878b595ddf42ab3d3b7b8805ea2853a9e25ea944b96ec6cbc5ee49f43b665f

SHA512
ae3d049764e66a384f2e0d1be8373890c7c509fb118414439bff8882465257df973181c0b30792cb8797d1ba447549ebd7660225252384302e45a6bea7cbed9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f9766e84655f836079f85e78a6dc779

SHA1
3ecb7e87a945ca37f66ee2c6a50d8d4f8d7f70ff

SHA256
1858cafdd5c99dc0483e3bb569a89f492143098466d1eaf06455ef3a0701ef32

SHA512
84307010b1b51ac58780adc6a0c66f7c59e849131e9dc99bb02163cf818668da1ab4740f9aa89159aa2f46487e0da7ffd18d61d62b165ff9e6f65fe8fd7476c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5210f409778b803f8a248d4e26688f37

SHA1
6a9e8eefb720e486bb97380e29027542aea7942a

SHA256
bd389e008eb4830e05491dcd560b65882f81622ac28a329ba904466dda152f3d

SHA512
e86ad0c72e88ed2d7baa08733a463646edf737a95094938600627e7d69488d49d089ef8e609257a519ec8a94853ab83603e9466e89b6f8761f8b52426df580ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c54978b28d5e405a22daa910b0aa968

SHA1
a9effbf279be784e50ff8e67352034a395048960

SHA256
70933facd36cbb5918158ac14d626edf9eda1cf4d36cc8b5cb14528d56fbf9c7

SHA512
ac54d818b025d2c773a6f8e4d804dbbddf056c8fb85a4608c2e7b6e0dc6f13da6f4cb59703d36930e0b4d4c73a9decfb97ca8a36ab5e1a96bce07a03b483a09a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fefe1db839595045a814b615e557da02

SHA1
777aa67478fa395e4db51098597916ea9e68e3d4

SHA256
6510e034cf6b0be357c6598e96fdc2156dc1aa2279a94d5912bb2914f756ae7a

SHA512
a8baee23ec3ec7f5c18c013b95d88e25d83b2d23a0a8eb611d3507070a585f5b8042f731702a618c0fb9e3859ee2cd1085efa5d44ce4659d40ce4b0bf75f0b47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
594c7ce0956adfc6e9abcd7e310963d8

SHA1
b98082da4a6df0da21ac136736f0a7566a6c0fa0

SHA256
05154b7229fb0fb732c48a938e27832ee622ad91bbb979abab157c134626f7be

SHA512
aed4e26f208c290d53db8610fc3f5a9b89b4fd9e8dc2e4f689d68f6b732c2ac488a0d18c520727b497532e71072a410c6f3d7ed9c744eb6779d0592488f87c5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7371.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\users\Public\window.bat

Filesize
1KB

MD5
d2aba3e1af80edd77e206cd43cfd3129

SHA1
3116da65d097708fad63a3b73d1c39bffa94cb01

SHA256
8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

SHA512
0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

Download Submit
\??\c:\Users\Admin\Documents\BackupConvertTo.potm[[email protected]].HRM

Filesize
405KB

MD5
2dbd8834a3c0a8976629a5e52cd010dd

SHA1
386c8313e67d8c59c4b7022f276c441020d775ec

SHA256
1b77c73e4d01ab1aa181f1622b45a08e8e86c64694f3d8e14c62b1008de7ff85

SHA512
990b2758c1c8149d159b88ffd4e588b77e0b0297ddc6184bf19e17bf3c523bd7ec22853a0b71986ef2721b568c0b6cb28d521e957b2e86eb2c2905d9eb2e719e

Download Submit
\??\c:\Users\Admin\Documents\BackupPush.dotm[[email protected]].HRM

Filesize
476KB

MD5
e489d659c5b6204cb8289c199929a1e7

SHA1
228ba58f041a90550acd6a0fd1c9cfacc321af40

SHA256
43bff5b218d2a561a65536ab1be5349e8e5c0695e38d62e6df4f129674ea69a2

SHA512
ff10c340e7263c9b97b1ed96ce98bc8dcd881d855c89ad3f5d5f20d0fd5590069012a11f0b1eb94d20dda64715ecf1e934e70529c4a60ffb56a23fdd5ca61cba

Download Submit
\??\c:\Users\Admin\Downloads\BackupMove.odt[[email protected]].HRM

Filesize
832KB

MD5
d3fe6d373c4f101d5841f0da6ff183a2

SHA1
aff14157d1cfe2de47707d880feb41fa73121a07

SHA256
4b15eafa45949f7bfd731f4a9bea841548c0efa5fcc8ccb747bae73a559d11b0

SHA512
4e7887cc5241f0100589852d41bb531acc359d1e298da521ecba40b79750721b75e3c1104982c0c78cb70a7205cf6a8b718c72a89b24477c0208a1b05d315625

Download Submit
memory/2292-8476-0x0000000073460000-0x000000007386F000-memory.dmp

Filesize
4.1MB

Download
memory/2292-8475-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/2292-3808-0x0000000002410000-0x0000000002490000-memory.dmp

Filesize
512KB

Download
memory/2292-2-0x0000000002410000-0x0000000002490000-memory.dmp

Filesize
512KB

Download
memory/2292-14677-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/2292-2730-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/2292-19309-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download
memory/2292-3-0x0000000000400000-0x000000000077B000-memory.dmp

Filesize
3.5MB

Download