teslacrypt | 0c3627d59f3087a2b3a83b4446eb4446b662c2351f52db9cc0729dda9bcdee43

Analysis

max time kernel
138s
max time network
144s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exe
Size

340KB
MD5

6cd9b22cd6b3ac432bf8690eba4d5348
SHA1

c4983823c3e53ce2eed20939b7c2b2e098fff7b9
SHA256

0c3627d59f3087a2b3a83b4446eb4446b662c2351f52db9cc0729dda9bcdee43
SHA512

9227b3543c6a79d714bc81a5b16b55a7ec63e4691f31d6fb68416ad2c3473a97ef827189eea10d7d05ec7bb4b957cf3ad677aecbc1e654ddcc9e90be5f2cabce
SSDEEP

6144:0WFLFLkNpvlmNCp27PoWZRwwXvFw0OH2paKZwE+VcF3GCF9IyjVLe:0Wnkbvlm3FeHdKZICF3nb1j

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+nqmlh.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/8616E713519132C2 2. http://tes543berda73i48fsdfsd.keratadze.at/8616E713519132C2 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/8616E713519132C2 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/8616E713519132C2 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/8616E713519132C2 http://tes543berda73i48fsdfsd.keratadze.at/8616E713519132C2 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/8616E713519132C2 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/8616E713519132C2

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/8616E713519132C2

http://tes543berda73i48fsdfsd.keratadze.at/8616E713519132C2

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/8616E713519132C2

http://xlowfznrg4wf7dli.ONION/8616E713519132C2

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (396) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2372	cmd.exe

Drops startup file 3 IoCs

Processes:

gnyfkhxjdltb.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+nqmlh.png	gnyfkhxjdltb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+nqmlh.txt	gnyfkhxjdltb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+nqmlh.html	gnyfkhxjdltb.exe

Executes dropped EXE 1 IoCs

Processes:

gnyfkhxjdltb.exe

pid	Process
2844	gnyfkhxjdltb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

gnyfkhxjdltb.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ttokwwcmjmpp = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\gnyfkhxjdltb.exe\""	gnyfkhxjdltb.exe

Drops file in Program Files directory 64 IoCs

Processes:

gnyfkhxjdltb.exe

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Games\Hearts\fr-FR\Recovery+nqmlh.txt	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\Recovery+nqmlh.png	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\Recovery+nqmlh.png	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\Recovery+nqmlh.html	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\Recovery+nqmlh.png	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\Recovery+nqmlh.png	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Recovery+nqmlh.txt	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\slideshow_glass_frame.png	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\Recovery+nqmlh.txt	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\Recovery+nqmlh.txt	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\Recovery+nqmlh.txt	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\Recovery+nqmlh.html	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\Recovery+nqmlh.txt	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\2.png	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\15x15dot.png	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Recovery+nqmlh.png	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_MCELogo_mouseout.png	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\7.png	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\RSSFeeds.js	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\Recovery+nqmlh.html	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-CN.pak	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw32.jpg	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\Recovery+nqmlh.png	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\Recovery+nqmlh.html	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\Recovery+nqmlh.png	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\Recovery+nqmlh.png	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\Recovery+nqmlh.html	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Microsoft Games\Recovery+nqmlh.png	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\Recovery+nqmlh.html	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\Recovery+nqmlh.png	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\Recovery+nqmlh.png	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\Recovery+nqmlh.txt	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Reference Assemblies\Recovery+nqmlh.png	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-gibbous_partly-cloudy.png	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\20.png	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\Recovery+nqmlh.html	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\fr-FR\Recovery+nqmlh.txt	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\en-US\Recovery+nqmlh.txt	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\Recovery+nqmlh.html	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_top.png	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\is\Recovery+nqmlh.txt	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\Recovery+nqmlh.html	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\Recovery+nqmlh.html	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\Recovery+nqmlh.txt	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\Recovery+nqmlh.html	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\Recovery+nqmlh.png	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_disabled.png	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\Recovery+nqmlh.txt	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\weather.js	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\Recovery+nqmlh.txt	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\Recovery+nqmlh.png	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\Recovery+nqmlh.txt	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\Recovery+nqmlh.html	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\Recovery+nqmlh.html	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\redStateIcon.png	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\Recovery+nqmlh.txt	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\de-DE\Recovery+nqmlh.html	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\Recovery+nqmlh.txt	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\Recovery+nqmlh.png	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passportcover.png	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\fr-FR\Recovery+nqmlh.txt	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner.png	gnyfkhxjdltb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\Recovery+nqmlh.html	gnyfkhxjdltb.exe

Drops file in Windows directory 2 IoCs

Processes:

6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exe

description	ioc	Process
File created	C:\Windows\gnyfkhxjdltb.exe	6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exe
File opened for modification	C:\Windows\gnyfkhxjdltb.exe	6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001b22cc69da83f94bb28225484ba2f634000000000200000000001066000000010000200000008aa16485b3deb3620c2c5995376899192b2fd62f058b75520066eff758d67ad3000000000e8000000002000020000000b65b3a4539fdfe4cd1ef310632ea0529dd7a2f0fe462a53871c7387368f43d1b20000000885a704a3c0eb664ebc85ef422b6dcfd66969f171643dd72e9f5fd629fc70b1c400000000854542ff99bb6ad9768001e0dc61120d06f77196285bc18a4995a19761d916dea9a8b3febb9b7f373564f2d4dd84489aabdb6746bb849a6e82464ffc3a928ef	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422674218"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D3FF0731-1968-11EF-8859-DE62917EBCA6} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20d1e8a875adda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001b22cc69da83f94bb28225484ba2f63400000000020000000000106600000001000020000000641d1cdd07dc8e2bb7f646f9e419355e4217e5f6c5f6e12ea4eb9e7c52b58f3b000000000e800000000200002000000019a4738ec829e0338ecdfb8027f4a5c31c9cabbfde664c42bc025988eaf0a47990000000283b38cf0ea2fa213a65bf1764701074acfb59b81bd8a8b1347c3f4d7c45155e8693c17a3b457baf83a8a9325a0fa9ffd7aed3f9e5fb222081927f86eb5c2f6e0fe785830ed929bf0fc7ebe95773daa5b50de70e492084f71dc3ee725b4b694c7328789cacb8a81a16423a99de10daf79592a4666a85b03dfe2e5737d64db58273adacb13cb4d6c3fb2c399f1b47a416400000004edb08e6b8971fd9c76cca7c68dfa619dfd6546785ebf0786712c29145ce048467316e6e64890ef2651f0a2102ede73281f5e00d59952ea1167e75b7bf191bfb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

gnyfkhxjdltb.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	gnyfkhxjdltb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	gnyfkhxjdltb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	gnyfkhxjdltb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	gnyfkhxjdltb.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	gnyfkhxjdltb.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	gnyfkhxjdltb.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
2728	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

gnyfkhxjdltb.exe

pid	Process
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe
2844	gnyfkhxjdltb.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exegnyfkhxjdltb.exeWMIC.exevssvc.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	2504	6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exe
Token: SeDebugPrivilege	2844	gnyfkhxjdltb.exe
Token: SeIncreaseQuotaPrivilege	2628	WMIC.exe
Token: SeSecurityPrivilege	2628	WMIC.exe
Token: SeTakeOwnershipPrivilege	2628	WMIC.exe
Token: SeLoadDriverPrivilege	2628	WMIC.exe
Token: SeSystemProfilePrivilege	2628	WMIC.exe
Token: SeSystemtimePrivilege	2628	WMIC.exe
Token: SeProfSingleProcessPrivilege	2628	WMIC.exe
Token: SeIncBasePriorityPrivilege	2628	WMIC.exe
Token: SeCreatePagefilePrivilege	2628	WMIC.exe
Token: SeBackupPrivilege	2628	WMIC.exe
Token: SeRestorePrivilege	2628	WMIC.exe
Token: SeShutdownPrivilege	2628	WMIC.exe
Token: SeDebugPrivilege	2628	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2628	WMIC.exe
Token: SeRemoteShutdownPrivilege	2628	WMIC.exe
Token: SeUndockPrivilege	2628	WMIC.exe
Token: SeManageVolumePrivilege	2628	WMIC.exe
Token: 33	2628	WMIC.exe
Token: 34	2628	WMIC.exe
Token: 35	2628	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2628	WMIC.exe
Token: SeSecurityPrivilege	2628	WMIC.exe
Token: SeTakeOwnershipPrivilege	2628	WMIC.exe
Token: SeLoadDriverPrivilege	2628	WMIC.exe
Token: SeSystemProfilePrivilege	2628	WMIC.exe
Token: SeSystemtimePrivilege	2628	WMIC.exe
Token: SeProfSingleProcessPrivilege	2628	WMIC.exe
Token: SeIncBasePriorityPrivilege	2628	WMIC.exe
Token: SeCreatePagefilePrivilege	2628	WMIC.exe
Token: SeBackupPrivilege	2628	WMIC.exe
Token: SeRestorePrivilege	2628	WMIC.exe
Token: SeShutdownPrivilege	2628	WMIC.exe
Token: SeDebugPrivilege	2628	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2628	WMIC.exe
Token: SeRemoteShutdownPrivilege	2628	WMIC.exe
Token: SeUndockPrivilege	2628	WMIC.exe
Token: SeManageVolumePrivilege	2628	WMIC.exe
Token: 33	2628	WMIC.exe
Token: 34	2628	WMIC.exe
Token: 35	2628	WMIC.exe
Token: SeBackupPrivilege	2340	vssvc.exe
Token: SeRestorePrivilege	2340	vssvc.exe
Token: SeAuditPrivilege	2340	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2000	WMIC.exe
Token: SeSecurityPrivilege	2000	WMIC.exe
Token: SeTakeOwnershipPrivilege	2000	WMIC.exe
Token: SeLoadDriverPrivilege	2000	WMIC.exe
Token: SeSystemProfilePrivilege	2000	WMIC.exe
Token: SeSystemtimePrivilege	2000	WMIC.exe
Token: SeProfSingleProcessPrivilege	2000	WMIC.exe
Token: SeIncBasePriorityPrivilege	2000	WMIC.exe
Token: SeCreatePagefilePrivilege	2000	WMIC.exe
Token: SeBackupPrivilege	2000	WMIC.exe
Token: SeRestorePrivilege	2000	WMIC.exe
Token: SeShutdownPrivilege	2000	WMIC.exe
Token: SeDebugPrivilege	2000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2000	WMIC.exe
Token: SeRemoteShutdownPrivilege	2000	WMIC.exe
Token: SeUndockPrivilege	2000	WMIC.exe
Token: SeManageVolumePrivilege	2000	WMIC.exe
Token: 33	2000	WMIC.exe
Token: 34	2000	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid	Process
2668	iexplore.exe
1516	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	Process
2668	iexplore.exe
2668	iexplore.exe
1208	IEXPLORE.EXE
1208	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exegnyfkhxjdltb.exeiexplore.exe

description	pid	Process	procid_target
PID 2504 wrote to memory of 2844	2504	6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exe	28
PID 2504 wrote to memory of 2844	2504	6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exe	28
PID 2504 wrote to memory of 2844	2504	6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exe	28
PID 2504 wrote to memory of 2844	2504	6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exe	28
PID 2504 wrote to memory of 2372	2504	6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exe	29
PID 2504 wrote to memory of 2372	2504	6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exe	29
PID 2504 wrote to memory of 2372	2504	6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exe	29
PID 2504 wrote to memory of 2372	2504	6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exe	29
PID 2844 wrote to memory of 2628	2844	gnyfkhxjdltb.exe	31
PID 2844 wrote to memory of 2628	2844	gnyfkhxjdltb.exe	31
PID 2844 wrote to memory of 2628	2844	gnyfkhxjdltb.exe	31
PID 2844 wrote to memory of 2628	2844	gnyfkhxjdltb.exe	31
PID 2844 wrote to memory of 2728	2844	gnyfkhxjdltb.exe	41
PID 2844 wrote to memory of 2728	2844	gnyfkhxjdltb.exe	41
PID 2844 wrote to memory of 2728	2844	gnyfkhxjdltb.exe	41
PID 2844 wrote to memory of 2728	2844	gnyfkhxjdltb.exe	41
PID 2844 wrote to memory of 2668	2844	gnyfkhxjdltb.exe	42
PID 2844 wrote to memory of 2668	2844	gnyfkhxjdltb.exe	42
PID 2844 wrote to memory of 2668	2844	gnyfkhxjdltb.exe	42
PID 2844 wrote to memory of 2668	2844	gnyfkhxjdltb.exe	42
PID 2668 wrote to memory of 1208	2668	iexplore.exe	44
PID 2668 wrote to memory of 1208	2668	iexplore.exe	44
PID 2668 wrote to memory of 1208	2668	iexplore.exe	44
PID 2668 wrote to memory of 1208	2668	iexplore.exe	44
PID 2844 wrote to memory of 2000	2844	gnyfkhxjdltb.exe	45
PID 2844 wrote to memory of 2000	2844	gnyfkhxjdltb.exe	45
PID 2844 wrote to memory of 2000	2844	gnyfkhxjdltb.exe	45
PID 2844 wrote to memory of 2000	2844	gnyfkhxjdltb.exe	45
PID 2844 wrote to memory of 1804	2844	gnyfkhxjdltb.exe	48
PID 2844 wrote to memory of 1804	2844	gnyfkhxjdltb.exe	48
PID 2844 wrote to memory of 1804	2844	gnyfkhxjdltb.exe	48
PID 2844 wrote to memory of 1804	2844	gnyfkhxjdltb.exe	48

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

gnyfkhxjdltb.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gnyfkhxjdltb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	gnyfkhxjdltb.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6cd9b22cd6b3ac432bf8690eba4d5348_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\gnyfkhxjdltb.exe
  C:\Windows\gnyfkhxjdltb.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2844
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2628
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2728
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1208
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\GNYFKH~1.EXE
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\6CD9B2~1.EXE
  2⤵
  - Deletes itself
  PID:2372

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+nqmlh.html

Filesize
11KB

MD5
c81ca4ecdbd2e353e13eeca6f7188885

SHA1
d16883315e028cf0cdd7275851161d8453087b0e

SHA256
b5363d06672dcad5ff743768ff0f57d8baca255a59cbe9ffff338db5eae01399

SHA512
b105b7759dd98b171b9e331a0f8918cf14465fe078b79609031cef7396df89fbc2e51ef62f98252b7163a67f8641b72c8649d9fd62c30c8fa014bef93e848a0f

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+nqmlh.png

Filesize
63KB

MD5
e589d62a04a7cf4806bc697f29349440

SHA1
d54a05e1b41f029b8b4a507bfa6fd1ccf8f40197

SHA256
3d49f73ceae5d5cbf3f61e85c9aaa3a04a9c35b1a68b56449d5b11e517692d14

SHA512
271869df6612a4fe97de869b875bb493c6fe1c728dedc5d9d97234548d6cb70db71ec79462218653f9922f9e2ee8487d800aed9500445612ca23e8e30c1931fd

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+nqmlh.txt

Filesize
1KB

MD5
cf47706543a84673ca221d43f3796d6c

SHA1
7f7226ad8b5db46cdec59bc42f6c17e087ce25c9

SHA256
ae893f90bd9ca39715fbce0e6f14c7230956d681846ebf8d4f901578b51e014e

SHA512
bd67860874d37157a20b7b45764c455087a584546bf94f41e8e184597057347e9e9729c6dc82ad78844ad22e1d888c032283cfda599a3701aded3b4ecd16ba15

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
3d8651d0837062c5949aa54ddd7e21d8

SHA1
04f7453b7a6cca36ae8e9b54b662dd6b92277335

SHA256
2701f11b94154f66d00aed360d1b4dccd6cc23cac399e77eea50419b94160c2e

SHA512
01d5f5f041f1fcedd113a3fffa265867ea3098eada8b8cfdb10db494989e90cdd69e8761cd1ce5cb8fcf2900e3df4a48f9654dad522219e66b1adbac28490eac

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
46de53f52ac28d9e087b9daf98340e1b

SHA1
06f887e68da6e9fbb8ee54e5d088b7d08dc2495b

SHA256
764a315a1a1be0cdc8d6830bb75ab86cd747ff9162564341fdb88787c6769b18

SHA512
936523ff98f1fbb658f9383ffa387a64531cb7b65ffdcd161df80fc7e89c2ab4d3735fbb636d541760a94797ec4a00a7ed4a40423780aa25b7d6b22c6c2c804c

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
2228bf4725e82906167f966d3d091bb9

SHA1
66d50d3b840bf42b1b1c01022ff0c95040fc5895

SHA256
67e05edbe436e3b33c7cd7988b3c448d6e1fc949895ca3e6812a3430b1acb568

SHA512
131efeb1db02292ee42083573d026c02efa192123f9554db5cda147e97e62c46030d4eff3e8223b9142726f7e1383171c2833d59f34e158146ec51898bea43b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
c15cf75b5f88e7cd27fbad53207a18cf

SHA1
a2801bd579e97c87fe1681942db334ca4a509994

SHA256
7829f2b89aac5f7d42069ce1167e74cb56bb711e3f9997d82af942741a6a6b31

SHA512
4e2181cb69f32d4e2a37da33681d27d9298cefaeef603708cba8b3703402d9f82ccd4fc68b129cdc2ea23a4028988d211f42e275b278dd2f8172d2052d44d046

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6b1bdb3bf8089694bbf6c147186b6f97

SHA1
7eda7d90e866d71f9b0d85960d1f70965ca7d383

SHA256
f0a282f61f0f0afe9d25051e8dee7bc79d32fb01c967fd5a78833b1cc3e6fb26

SHA512
9eb808aa492a85d2355a9f6326de14a181890f0a7363313f092fe7289e06b018ac2edd78a0d2a416791531f39ad8d219aa81f78b570a5410ce4589510e43a23a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
76cb44b4f60cd54c94869abb3345230d

SHA1
3092fc6aa4f830a5e2619611b4ca36665cdfb3a3

SHA256
c1cec55d9d4e9f86ef4eae501696f533cd6585e3fe30e0eb31d9bb8558905d78

SHA512
b8fff40c57ed1292babd5cfe5778a4b120751b47fe4b790a06c17809d2a6bd9d549ac68f45472650a6e49b250696ec1d46769995a45aa13e488e26e48cef102a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
165afa24d51149a3ec14f79d1dee0dae

SHA1
8c87e3e2863ee5e5a6a72c68022c048d2a9296db

SHA256
72b00bd19f1d53965bf81eaa4e6167cbc6d79c8619f123bb8605d71f6719bfc6

SHA512
e775de1d878bd616bea676e265412bf348a11a3913a7cb566f8989a65f1898ef7af611def5f9adf65d1a0271c53ebe9cfe468e7f9d43c720b3a4ddd274102adc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2679c8c6b4b78d7c9e5de93b83131518

SHA1
90a26874a56b77dc56fa15a2c139c7358ed2c553

SHA256
a5fc673fc547e8eb870b75d38e62d867f2b69cd06a98c8860f088331a5d4185a

SHA512
fdfe8bd5925831ba2e7dc7cf53cc583701fd425db505cb9a4b0f5cae0b64afaf6e398928ca0565649a849a5d3681c5260384ada47320c826ded1c37e25e9898a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
831df779cd272e27a0d5bac1f3c2ad7d

SHA1
4423232a861e7c106196e10702b581ffea28f848

SHA256
eb3283bd97d95b1aab205c642f1096c73d35f75a58972048647a5c5b36d83e1e

SHA512
3b1c6bf6ec888b73850162d9c241e7b60da40c0e5e32aa33915b6f9a18c9f24b9359967ac1b24d90c232e483cc45d6cb23c2ae94b2d896599cdcd5195b9b8289

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5baaa572d07516fa60d3d008186b40f9

SHA1
1e14938671b30bf22abc8f9e6cce6e0852d6d7da

SHA256
5b14ad9ec27dcc1490330e31107897aa62b17bbfe575f623f6beb406eebb8223

SHA512
a72363f533151786f2e035733ec7cd4cf59e149c17bbc04507d093798def175768d54fac095a3572201099e617973b1cdc70b583d639160516c5a2ba6c7ad4d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bb91a4162784eb012144b8e6bfe81de0

SHA1
5639f5b60a59f903f7ddde1ffa6552b7a09ed621

SHA256
9725db8b5e119ad5b7a91c60c9db601614f9a5565db36f497026215068139628

SHA512
ce0dbce0ad2bf1e81922b2f3aad41706a1b7786be96fdfea02c891b8c25146391f722971492c8893874e06f0d6b0485a566828fe3458d9a7f64a197901ec6efd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
664fa5c51ad6b15ab74820ddfb850cf1

SHA1
5b0a8737c3553fecb0e456456db7ebf8f49c76f4

SHA256
233a6fa23a94a4f53c8bcf3c5c90391124d9c5f9758c07269e3e70c12fe921ea

SHA512
f4a2fe877640a32a2899760da4e4098544ed42fd23e8675a481f6c6463ce559ebc310277e06129b8f7362881f59be9dac03ea5d6436bb2afb18a8f3ff988cf59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f49a842d2a17c0e7e5e3039880bc66bf

SHA1
a0e5e7594e5512e780f3e634af02d6acd9d2797f

SHA256
6b9fc1a12e06d8a4a7824801d074f1e8de8b340143bca17af384ab8cab5e0c2e

SHA512
9717ce0a637b13357901ae48d5f74b4420edeaaf0f1ce49186afb0137ec475ea4c22c182b53707cea83d78faafc16bd9537277dc209c5e3b8b9e47fe0f8f5f51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a16643d62e8d09bb8e3be2ba0aaefee8

SHA1
b52199f359c062fb8f566f2bf5827c48eb262adc

SHA256
6831cdef33da4b3bb494eee385bf55348cd169e95c9e6105b469f700585cd8ff

SHA512
0032981a45c05734941b3dce680888ab5fe2863c60215a6fdd754e3c33549ea1159a5ae60b2af3de1cd20e7148d3e292915b06d1f4e6b03e208b1ec1ced46804

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6be470629e09cf82f893b7ef070520d5

SHA1
27e61ab6bea832affe82a03dc0d925142bf16aa9

SHA256
93b94d62b9c0659062f146819119055689f84a35b5e3016de70c5c59ca4e2dfb

SHA512
b80b172cede3482c7ccc2b499cea1f949be016ac6c7ce61904d6d052fdf8ff77fb497b22fab45770b26f6961bb8ce61b3d25d3899a67279da39fe3d14bfd035d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
33043b04aa95512df56dcf657038800e

SHA1
0c066e531e093bc1cd964d47255343a30b19ea5f

SHA256
00803bb15b5a895bbfe5c3ec7636923d37fbfdd529d0fa42792e8c15932b2ec7

SHA512
c886f116778424269daf951bed40dab724f123671d02c049340a1efb90473298f0f0b3dc3ad55c1922109583be1dfdd8d2af88bb37ba0a13cec0dd1c297a5942

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
90195294d40ffaff07d1273c34ef3243

SHA1
24078165b9427128110c7b0f448052d86f811dfb

SHA256
b09dc5f1ceb1a85463a37462cefc0e92bd21073b8b4c05e1fbcee2034727899f

SHA512
52f1c3b9f1ea39171d774058c90f2a42c63bcc2ea7a3780d40c2a85404dd28477893a5e6f075d6aa43b60398cf0becafbcc94cd7db7e5485fb763ec685fb7baa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
be39a1cc1a0520f70f67fd49c1efb750

SHA1
3a34dabdd614a314d5f645f509dd947249105fb6

SHA256
2cfaba7913fbce3afad31e83e828a7ddbfa7b309ebf5540df562160968d9e86a

SHA512
fdd1d57800a8bf4de7435a6de64074266bafd8dca6cd621fed9c92d042ac6424f0a580b49ff636f13ee6d15e860ca19ceea44000a7c2082af7a389dbc5d5cd37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
995184b7493a6bde3166b1ef1953ac48

SHA1
84ec56c1d645afc17c9e80157a49e5d57bfb5892

SHA256
701fa2836e5ddf1c96e6c92e730206dee4ca1948a2e894ef1a4987cc579fff9b

SHA512
52f136db4cdd4e08b3300b96a5fc7d56660e4b3d2d669fa5cf97bfa80fc349edb4b5002cca791016a7370668a3ff4bdbf794f52083f366b4d3ecbffcda5a87f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
969039c8248ef939a251b60f28311de9

SHA1
280311de1296f82f0cfc5949a5aa4250a8534d23

SHA256
41d7974eebf5539abf60e10e5b8d30bd4a478370ffc2100949c9533b0379e19e

SHA512
12d84d1ff8953a82af5446bfb79e571416c54818ac79292e7a5573ca11470d912f5058ff8237989bb31d3e215fba17005d4c6b261496242edca5c30a67afb88a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB12D.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\gnyfkhxjdltb.exe

Filesize
340KB

MD5
6cd9b22cd6b3ac432bf8690eba4d5348

SHA1
c4983823c3e53ce2eed20939b7c2b2e098fff7b9

SHA256
0c3627d59f3087a2b3a83b4446eb4446b662c2351f52db9cc0729dda9bcdee43

SHA512
9227b3543c6a79d714bc81a5b16b55a7ec63e4691f31d6fb68416ad2c3473a97ef827189eea10d7d05ec7bb4b957cf3ad677aecbc1e654ddcc9e90be5f2cabce

Download Submit
memory/1516-5903-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/2504-0-0x0000000001C30000-0x0000000001CB6000-memory.dmp

Filesize
536KB

Download
memory/2504-2-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2504-15-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2504-16-0x0000000001C30000-0x0000000001CB6000-memory.dmp

Filesize
536KB

Download
memory/2844-5358-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2844-2103-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2844-886-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2844-618-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2844-3171-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2844-4202-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2844-5916-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2844-14-0x00000000002A0000-0x0000000000326000-memory.dmp

Filesize
536KB

Download
memory/2844-5902-0x0000000004050000-0x0000000004052000-memory.dmp

Filesize
8KB

Download
memory/2844-5915-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download