17b4d01d32c64a62e36496829da323fe308437048ca87143de7365fabd4194fd

Analysis

max time kernel
359s
max time network
361s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
Size

111KB
MD5

2ce82b2c3e43a6090685bf7e3ec36d0f
SHA1

112a99938d60abd821e345538b0b1446cd9113a5
SHA256

d4410c277e4120169a546d613d06b6f1ca1c09ea94494baeb0af796bfaefeefa
SHA512

9f0fc8a81da4977d683e4051169b5ca0f3fcd592a6946da8a4da962c2519c1fd0044baa0c950332334d9bb6e56a43aceb174bd18166cd183921d5d4213c01ece
SSDEEP

1536:Nynce2jUA5AaPcHbh7g9WKBvwAYbwdlR3zkWOSgiC81rZ8R9YgAic2i:RrjxwHbhgNwAp/R7pgi7rWv

Score

9^/10

defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops file in Drivers directory 3 IoCs

Processes:

encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\SysWOW64\drivers\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\SysWOW64\drivers\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\69srkdAG47tGigR4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe\" /SkipReg"	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe

Drops file in System32 directory 64 IoCs

Processes:

encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_modules.help.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_neutral_7a5f47d3150cc0eb\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\HomeBasicE\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ksfilter.inf_amd64_neutral_86311fdf78a07678\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmsun2.inf_amd64_neutral_242c76ad2e288fb4\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netk57a.inf_amd64_neutral_8b26ad5d0cc037a9\netk57a.PNF	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_execution_policies.help.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_data_sections.help.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netl1e64.inf_amd64_neutral_22118b1072f57433\netl1e64.PNF	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_remote.help.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd5300t.exp	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\eval\StarterN\license.rtf	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\System32\DriverStore\FileRepository\blbdrive.inf_amd64_neutral_1aa816fe7dc98c3f\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnod002.inf_amd64_neutral_a10c656b6c7c053c\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaep002.inf_amd64_neutral_0a982dec66379cb0\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\UltimateE\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky307.inf_amd64_ja-jp_e40bd14f18e8ff7d\prnky307.PNF	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_If.help.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_transactions.help.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\System32\DriverStore\FileRepository\lsi_fc.inf_amd64_neutral_a7088f3644ca646a\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmagm64.inf_amd64_neutral_ef322a8cc2738a9b\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\Ultimate\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmke.inf_amd64_neutral_3e4daa83122b1559\mdmke.PNF	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_data_sections.help.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_try_catch_finally.help.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmnis3t.inf_amd64_neutral_857ff0fa9c73850a\mdmnis3t.PNF	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_command_precedence.help.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_eventlogs.help.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ph3xibc0.inf_amd64_neutral_c24bcc939e6dfc23\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaca00a.inf_amd64_neutral_163313056d8f34ab\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\prnbr005.PNF	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\SysWOW64\WCN\de-DE\Add_a_device_or_computer_to_a_network_usb.rtf	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Automatic_Variables.help.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\System32\DriverStore\FileRepository\brmfcmf.inf_amd64_neutral_67b5984f8e8ff717\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cxraptor_philipstuv1236d_ibv64.inf_amd64_neutral_b6a3e57df5bad299\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_neutral_0383c5de75359695\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Enterprise\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\UltimateE\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp6500nt.cfg	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_troubleshooting.help.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmnis3t.inf_amd64_neutral_857ff0fa9c73850a\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmsuprv.inf_amd64_neutral_31d10a1a73b4feaa\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\ProfessionalN\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\HomePremiumN\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngt002.inf_amd64_neutral_df2060d80de9ff13\prngt002.PNF	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Enterprise\license.rtf	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\System32\LogFiles\AIT\AitEventLog.etl.005	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\StarterN\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\EnterpriseN\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\HomeBasicE\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd4100t.exp	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\_Default\HomeBasic\license.rtf	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\System32\DriverStore\FileRepository\bthprint.inf_amd64_neutral_3c11362fa327f5a4\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\System32\DriverStore\FileRepository\dot4prt.inf_amd64_neutral_e7d3f62d0d4411db\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgl002.inf_amd64_neutral_e204d4267d752eb7\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmgl003.inf_amd64_neutral_4c78da9e48068043\mdmgl003.PNF	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmsmart.inf_amd64_neutral_829e8c7d1c8d5207\mdmsmart.PNF	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_try_catch_finally.help.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_providers.help.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_functions_advanced.help.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\System32\DriverStore\FileRepository\angel264.inf_amd64_neutral_04b54b6322607cce\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wialx003.inf_amd64_neutral_db618863f9347f9a\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe

Drops file in Program Files directory 64 IoCs

Processes:

encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-foreground.png	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_ja_4.4.0.v20140623020002.jar	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_ja.jar	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_02.MID	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01235U.BMP	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_s.png	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImagesMask.bmp	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\SOLVSAMP.XLS	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.resources_3.9.1.v20140825-1431.jar	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_flyout.png	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\MMHMM.WAV	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_zh_4.4.0.v20140623020002.jar	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new_partly-cloudy.png	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287645.JPG	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386267.JPG	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14582_.GIF	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\SpaceSelector.ico	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287644.JPG	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\TAB_OFF.GIF	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_bullets.gif	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02106_.GIF	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDownArrow.jpg	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\EmptyDatabase.zip	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_m.png	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile_drop_shadow.png	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files\GetExpand.png	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-awt_zh_CN.jar	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_MediumMAsk.bmp	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_btn-back-static.png	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384885.JPG	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR18F.GIF	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_right_over.gif	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_SelectionSubpicture.png	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui_5.5.0.165303.jar	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\PREVIEW.GIF	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.util_1.7.0.v201011041433.jar	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.ds_1.4.200.v20131126-2331.jar	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files\Java\jre7\lib\management-agent.jar	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericonMask.bmp	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_SelectionSubpicture.png	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\localedata.jar	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_few-showers.png	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\THMBNAIL.PNG	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101866.BMP	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImagesMask.bmp	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\flyoutBack.png	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.jar	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_ja_4.4.0.v20140623020002.jar	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe

Drops file in Windows directory 64 IoCs

Processes:

encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe

description	ioc	process
File opened for modification	C:\Windows\inf\netbvbda.PNF	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UnInstallProfile.SQL	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.1.7600.16385_none_3b995fcfc0e586ab\image2.gif	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..l-starter.resources_31bf3856ad364e35_6.1.7600.16385_en-us_24090ddf20410f44\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_bd4d20299386f90e\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_es-es_76b445ae591253e2\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\inf\avmx64c.PNF	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\inf\mdmbr008.PNF	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-push_31bf3856ad364e35_6.1.7600.16385_none_cc073ae540855a07\NavigationUp_ButtonGraphic.png	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Windows Hardware Fail.wav	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_join.help.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_2c8a1d1c5da2edf8\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-pets_31bf3856ad364e35_6.1.7600.16385_none_d0d7ee773d711005\Pets_notes-txt-background.png	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..-startere.resources_31bf3856ad364e35_6.1.7600.16385_it-it_67246ac68055bec8\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_98af26a5072718fa\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\inf\mdmbsb.PNF	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..homebasic.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_c985fbedc9886bd1\license.rtf	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-stacking_31bf3856ad364e35_6.1.7600.16385_none_d0d2b98d4629a41f\NavigationLeft_SelectionSubpicture.png	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_d7244b05e242e449\square.png	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\23.png	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-l..-startern.resources_31bf3856ad364e35_6.1.7601.17514_es-es_c82940e03ac63534\license.rtf	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-h..putername.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ec2a8bc0ed056604\OOBE_HELP_Change_Computer_Name.rtf	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_5d0f22c9e44cb6ed\license.rtf	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sonic-symphonyntsc_31bf3856ad364e35_6.1.7600.16385_none_d75d6085d60aa50d\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenes\img28.jpg	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\CA-wp6.jpg	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_functions_advanced_methods.help.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_6f6cca095bde05bb\license.rtf	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-tapicore_31bf3856ad364e35_6.1.7600.16385_none_402eca316047a0fe\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\inf\wialx005.PNF	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..adisc-style-babyboy_31bf3856ad364e35_6.1.7600.16385_none_f13596916b261f67\navSubpicture.png	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_job_details.help.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7601.17514_de-de_8a445b750021d88a\license.rtf	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_objects.help.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_Windows_PowerShell_2.0.help.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7601.17514_it-it_66b0580ce2717717\license.rtf	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-rssfeedsgadget_31bf3856ad364e35_6.1.7600.16385_none_07861dacd36a18f4\item_hover_docked.png	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\5.png	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_methods.help.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\Ringtone 06.wma	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_History.help.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\ZA-wp3.jpg	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\45.png	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_Return.help.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_History.help.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_WS-Management_Cmdlets.help.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d34b7c772c3fe85c\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\12.png	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7600.16385_it-it_d2c0ff1e722cb495\license.rtf	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..dthemes-calligraphy_31bf3856ad364e35_6.1.7600.16385_none_c1407bc73caf8dfc\Windows Exclamation.wav	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_escape_characters.help.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\inf\mdmcdp.PNF	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\inf\mdmmct.PNF	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\inf\ql40xx.PNF	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_Automatic_Variables.help.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..ultimaten.resources_31bf3856ad364e35_6.1.7601.17514_it-it_1e4d6c8ff7baeac6\readme_liesmich_encryptor_raas.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\SQL\it\SqlPersistenceProviderSchema.sql	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-h..homegroup.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ab00b852533a224a\OOBE_HELP_What_is_HomeGroup.rtf	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Windows Balloon.wav	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_pipelines.help.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_properties.help.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-epgtos.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b661d7abc4d159c8\epgtos.txt	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

vssadmin.exeIEXPLORE.EXEencryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

2356 vssadmin.exe

pid	process
2356	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70427c9ce83cdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AD4DF3F1-A8DB-11EF-80CF-C28ADB222BBA} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438446561"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000fabede692f1078d982771425538199acac6cd5298d2fcd15234379589b90e401000000000e8000000002000020000000fe901a83de7b3cf7c49cb6b4d1287fa83463d40fc968f1a212ac5aa2ed78432520000000225c48793f07b1f10a8f1bebcd32468073c4a5cf5ba7f5e2daf7fa03af4f7886400000003ec76856395dbb58f7a96acf17b85e295c5009450e74bf0479b46867a5fa09a3ec4d1d086db7174f4f39354a00ef40471567998848570a328f99da4b05b1ac25	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000a88339490afc8387e9220c9fb3320c82867a78d8685261b1c55296c4c0a48d06000000000e8000000002000020000000b8b24e347ba8a6ad3fcbd0404beb4404c51edbb65f094d4f36d4be847bd7906d9000000087905d2513c42c6925ecbb1df1aed86a2c0cfc77d710cfda0765bb9735cdd6a7c9fcc40cc191ebea197a598df22b8b54499aeaa943b3d6a5be29a5c0dfb07a2d012472f2497afd2e7686931dd3ed53f4b32afc0a62971401002a7f15c71d384fa6081182b31077a30378c111604a6560c5f64e5dced9df371ad21f8eb68e866ccecabec0f9eb3cdf47533a3e790086e5400000006c6d5736b3cdb3db42ccf975f6b34b33f25e81730f977165eb8768eec71744199d405d0ec830b7a7b2bbb37dd28bedbd247c9cb47d4574212a24b755a59b0902	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2260 vssvc.exe
Token: SeRestorePrivilege 2260 vssvc.exe
Token: SeAuditPrivilege 2260 vssvc.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2668 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2668 iexplore.exe
2668 iexplore.exe
396 IEXPLORE.EXE
396 IEXPLORE.EXE

description	pid	process
Token: SeBackupPrivilege	2260	vssvc.exe
Token: SeRestorePrivilege	2260	vssvc.exe
Token: SeAuditPrivilege	2260	vssvc.exe

pid	process
2668	iexplore.exe

pid	process
2668	iexplore.exe
2668	iexplore.exe
396	IEXPLORE.EXE
396	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.execmd.exeiexplore.exe

description	pid	process	target process
PID 2316 wrote to memory of 2608	2316	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe	cmd.exe
PID 2316 wrote to memory of 2608	2316	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe	cmd.exe
PID 2316 wrote to memory of 2608	2316	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe	cmd.exe
PID 2316 wrote to memory of 2608	2316	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe	cmd.exe
PID 2316 wrote to memory of 2608	2316	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe	cmd.exe
PID 2316 wrote to memory of 2608	2316	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe	cmd.exe
PID 2316 wrote to memory of 2608	2316	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe	cmd.exe
PID 2316 wrote to memory of 2668	2316	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe	iexplore.exe
PID 2316 wrote to memory of 2668	2316	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe	iexplore.exe
PID 2316 wrote to memory of 2668	2316	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe	iexplore.exe
PID 2316 wrote to memory of 2668	2316	encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe	iexplore.exe
PID 2608 wrote to memory of 2356	2608	cmd.exe	vssadmin.exe
PID 2608 wrote to memory of 2356	2608	cmd.exe	vssadmin.exe
PID 2608 wrote to memory of 2356	2608	cmd.exe	vssadmin.exe
PID 2608 wrote to memory of 2356	2608	cmd.exe	vssadmin.exe
PID 2608 wrote to memory of 2356	2608	cmd.exe	vssadmin.exe
PID 2608 wrote to memory of 2356	2608	cmd.exe	vssadmin.exe
PID 2608 wrote to memory of 2356	2608	cmd.exe	vssadmin.exe
PID 2668 wrote to memory of 396	2668	iexplore.exe	IEXPLORE.EXE
PID 2668 wrote to memory of 396	2668	iexplore.exe	IEXPLORE.EXE
PID 2668 wrote to memory of 396	2668	iexplore.exe	IEXPLORE.EXE
PID 2668 wrote to memory of 396	2668	iexplore.exe	IEXPLORE.EXE
PID 2668 wrote to memory of 396	2668	iexplore.exe	IEXPLORE.EXE
PID 2668 wrote to memory of 396	2668	iexplore.exe	IEXPLORE.EXE
PID 2668 wrote to memory of 396	2668	iexplore.exe	IEXPLORE.EXE

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
"C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /Quiet /All
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /Quiet /All
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2356
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://kqd2eml2kjib53oe.onion.link/vict?cust=9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581&guid=bf99bef1-312f-4726-8597-70228ef05e99
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:396

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\ink\readme_liesmich_encryptor_raas.txt

Filesize
821B

MD5
e05a483e9a949fcda524cb8b4ab8ba36

SHA1
398774b20f4b26c51088d552dcceeaea55302be0

SHA256
f07bdef5a164e4484c0a3d9315bf94792503543877863ea0e57e955f9d9dae9d

SHA512
d52bde031c3f7926afe042c85596246789b5817fde835f6309c5b5874477b109cd4d976209c28d469285a2b99b6ae5a0e4a3d6dc7ef2eee69e7dd1a579458368

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
722d8f52a4f387cffee97f9b2160b05b

SHA1
f189a57167e9e526f1619b71f7cb77a730b3ee2c

SHA256
0cf31829390341fb0704d4a74c47c7ed47c3ed9e32045198644339670121481f

SHA512
9ffeeb065e46817e3571c7a3f1828f4a3decae320bf68ce7d8a81888c2709244a6092571edcda6e160dca57566f953adf757280914c63fb56f0f203287522f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6fc1ae52fbbb2c8c363f8d98ef668647

SHA1
650cfe49244ef95b44c6ae698d229a263e339dd5

SHA256
ee471558df686d0a06ea8c7be012d16232d138e7ca02943c7b4b0c86ad94b61f

SHA512
3a020d17b21e182a121ad141768b4961df096824da860749ed908a005e8d0e88f3b308bf0cf45b521cf846a263d45553b539d20d144b0b0d88eab834841e2edd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9bb4e1022c6fab16712f6fa74b50cca

SHA1
161f9f2f8f3c02ab0ded0578e753c3cff697a501

SHA256
ceca9d7d481cbd7120f5f950d94e93a2c62f584b86fdaf0b30fdd5266b1e49b1

SHA512
b4c34097773507ef2c1748dc30bc34fd4f88b2ab5cd5eabef035f30efad20425ec5e4a1f6c79ac1a9d84c8a7f0e978e214c96a5064d4291a2b618a4076043092

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f69932549e545781bd413734ad00274a

SHA1
cd118e066b5e670543775521c8eded8bd4492ee8

SHA256
ba21c33595f78922828ddb7af0dd05a201641a78b8d6a8e9e1bd4f6dc8c741b0

SHA512
a3e0b7f8899374a018ae6a3b770d70c1f360dd31342bb1fc9208e1845fd47eca55666e16a0472d91935afca2b050fa5ffaa25832319681e0c364087a3a56fbc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d7ff920e2974c03510e1c981e82e6a44

SHA1
27385d20adf2648d5a25d450cca5f25e956ab51e

SHA256
f24d861298a887b29221de776b2fc8528e8fcbfa05615619035d8df861c29bd9

SHA512
2f7b4eac34143035cca48ade0eded400d2d652f9f7514eadae7aacda2fb48d5ff278fe3d5991b8053d71040e25c9a188d3181825e31edf6faa5e972c375e6d36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5db9f6e33202891d538aa1a6f13319a2

SHA1
8d76049503f9e665f0c2fc261af1cd0b1d74386d

SHA256
e1ff9df5fdc2cc5bfffc19c567a4a213adb8c7380cbb3b329c9434ea06c012d8

SHA512
2c395a21039af442672f4cb797506f9ac3799aafca8d159c961fcd08f6987eb7993553e4a288fa282cd1df5ce3109576cd101fc8185c1cc9d665cb3c27dbaa80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
470f737a652430a6b499b4aa1a2bcd5b

SHA1
fd85578f0c3b7bab81f28c462287fdccba1d7c48

SHA256
db273bf642c98eb0f549bc7921db0a1a0ce465328c6a86166f022d55c3dfab51

SHA512
b50948ab52e084f3e45286700d396cc45d86f27e026c4ad93de75d864bd98d9ff60ac4d1b3210dec2d9f3ccfb79be38cf2954aba41bdc90d732881a4ca604233

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6263f9671e5146a1225d0fcb6d0c116

SHA1
3ca9f2d3a715f88ee2012595ae4b2a7ce20d6017

SHA256
91ff2a1ad88644c39c095c8bbbb590926bb3ba61ccf3b09b77a5ab4af8a99d6d

SHA512
bcc2457f2af69911ff22727779ca3d02e1995d57be6b648f1e527c56e59bb983628a827548345263da94588f863372d3eb785445f2f80ab6564e66757b78676e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2bfe5ef9cb9b115683ed54e7b697be95

SHA1
41b3a4ac5e2ff6547d672d910c002286182372ac

SHA256
ed9e20a48dad20c11b5eb4d9d7f9e9e92dabddb7e188862632eb9b71de1cdd9e

SHA512
da483262952c4e9d35127403c789d7b85bf1ae86647e8d13d60d35e6949b69fef75f64671cab1e5a33f1d26390660326917371429d5bfaf217cccbbffd6375f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77d1b6ab9dce7d443094cc749fee6f97

SHA1
e5f1880a8f466c195d196ffcba9d00011f1b60e7

SHA256
d8dff5350b9e67b3e52da6304d6fe554ebf6bc64a3d2c25e2bceb1160b2d8bed

SHA512
d63411252f9352bab679923a3b2011db31ce5986e7493f171ed0a4d9df9d650c440558d988fe51dd1e2aa45e147f063cc4099659ec7620749cccd5ffdb3ebe64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e32e99ae25948d82cdcd10ab15569df

SHA1
7b96e8efc1a454df23d043ec20845e2cff8abadc

SHA256
4533ef6c0cc26448652639ab8ad49f4b4498f99ae4eeba454d164a5374aa074f

SHA512
d5a246fb1e1eea70bac98c01ce69a2027281a1808e07899612697f08f3d5473133dad065fb6d1cf0f78d7e8347167bef5c0fc0754b7b9355b988b1a7411815b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92bf9d0b6bca10cf752525ef93d8d87c

SHA1
00aacb366be444ee497f0a9210eeed94451f5c63

SHA256
9fa877b733ba1a902d4506a3c24e41cab643e52a3f6092376326ced353b084c2

SHA512
27251121954342b9ef57c72c3f15f555a24261948fbed343e168d7e0a7af3c3c51ffb1510b782c4634daf13353daa2e44df1e97ad2f83e894d5704db1666f50a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ca4f35a4712ac405bafe29808643639

SHA1
550515683e94a438bb6ea20250f0e16ad863634d

SHA256
c474fb59c5839b0cdb4b68bfded7be5593c8b99f7aca6590b719d58d61077b98

SHA512
040c1227e59607ee6c840f9e2e72b55414175b20adf5b3224a52241fd4c75e573cf5c8d713ecfff58ea97edef4f2a4399a923e3a3c7d0199e109e1b4d654b773

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56f883c112e675626203815b82c6218a

SHA1
433764258ae1f57bc19029c6b790f7316b19901f

SHA256
a012619a1675a072145ad30714990a2b60910e4a2a6aedfc1240ac4f1dbb8490

SHA512
1952b191e5eff3246d7761ac91f5c00d1ab97243629b3e7c558508a7cd0d0ea9b9f74fc95b08ce5a308b3d0c0e964762ce899e2b58e8463e4dbb7cfc43e18a8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ac274f84763e4dfc8b703a4eb92f441

SHA1
07f62a694c54e8b58db4b1c2821b20894867ed13

SHA256
5a73d962e4af6e847b0502c5e1d64f7e22e44daa9f5becbe8512e3a56ed6ac6a

SHA512
4c5b8260a2c1ba0a200137f88f7305ef65d22cf3c8094d1191484deb6562f702a498942e2487446d0a8d298afc76515638e019420d66e2479990e9b0ba4c6a0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06ef914198d488c0bcbabc0fa4e583a1

SHA1
e4356386f1cd0ad51d63d33ef542ab3d0649183f

SHA256
386ba1cd756f1ea15e922eafe942ce8f7a7ac97029e5383b52f6c7443a30be18

SHA512
a020c2efefb1ba69dc83011dc21792dbbd8d34b64bb71ed2eae8b3e3506823b82223594d9ae1ab54ef6527671257a0df65206892cca0cf77d0d38ce73727e809

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab6d5d0bf6ca4de7dc7a682658c85235

SHA1
9e9eb41b09fd7d94812329bccbc2f04f48335d56

SHA256
5e2f0983036eb515f7d746c73e72c076f6172adfcf9966f88f9a22c77d93f045

SHA512
4845f055cf76f801f9fc6d5eb09367b039779b0038745b9308ebf929b318d8816b8b23093857ae1b311af104a07b511ddefa5f6e5e2a8a8652ee384b0f3b3628

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d052f68eb2ab3ca932377e0e72252ca

SHA1
5cdb94ac70b777270b56babfd5614e419d701904

SHA256
5ad6018e97eda29eaa6c4299ace648baa1b1084039dc5a44a5acde2de781145f

SHA512
b01b49389601d5e3094d5b9d40d7d2753e9d9bf2fd18f548c66d86dbdb0223a2ce5d7e4f6159a88ba1cd89de4ce1e42ceb2a9c2db23dcd7341360f6298c84536

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16c5e5ab90e4981c78b4aa148e4fa770

SHA1
813fd4d48d7a18003f822fd4b623ae9d6c7b9c67

SHA256
e396507ae838844433c0ef57a962df27ecedd3730695830013784acf689422d0

SHA512
8aacc92db3118d4963d7a6859cda7ffd8a3ad7fc754e0c6619171cf365927c4f3b9db8a2ecf1d774a44cc8bf37fc7319fa602f44225b73b82a94b5db6af28fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAA92.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAB72.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2316-3993-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2316-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2316-102-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2316-958-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2316-2803-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2316-4367-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2316-4599-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download