teslacrypt | 0c2640849f10fbbde09768b3a3a9cc2ad3289f319d8bb657aa02b98001715fd0

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/05/2024, 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6eb348d4120cc4e66457c1149da9b38b_JaffaCakes118.exe
Size

240KB
MD5

6eb348d4120cc4e66457c1149da9b38b
SHA1

d203ece9430ab4a16cbce7911cad11105db9769c
SHA256

0c2640849f10fbbde09768b3a3a9cc2ad3289f319d8bb657aa02b98001715fd0
SHA512

9eec3639cdb4aeeea2f982d15b8d2b037a9a1a627e612e577716570e00edcc3583834ce35e223f29bbc29aa97bf90ba3916dcf2ee0a96cc8268cfe81430c91f5
SSDEEP

3072:p/upbURTi+Urs7V196QkTZALbGW2hjFAm3xD7ygXvrJrJmTInK5h5vypMDvdYeRl:ouQgJ19xFLshRLxPNjJrJvK5byi/Rxzz

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+btjhh.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E48A7FF0D7A77249 2. http://tes543berda73i48fsdfsd.keratadze.at/E48A7FF0D7A77249 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E48A7FF0D7A77249 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/E48A7FF0D7A77249 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E48A7FF0D7A77249 http://tes543berda73i48fsdfsd.keratadze.at/E48A7FF0D7A77249 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E48A7FF0D7A77249 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/E48A7FF0D7A77249

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E48A7FF0D7A77249

http://tes543berda73i48fsdfsd.keratadze.at/E48A7FF0D7A77249

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E48A7FF0D7A77249

http://xlowfznrg4wf7dli.ONION/E48A7FF0D7A77249

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (430) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2944	cmd.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+btjhh.png	rivmolkcfbru.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+btjhh.txt	rivmolkcfbru.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+btjhh.html	rivmolkcfbru.exe

Executes dropped EXE 1 IoCs

pid	Process
1208	rivmolkcfbru.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\cgmxrnlxbsxk = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\rivmolkcfbru.exe\""	rivmolkcfbru.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\Recovery+btjhh.txt	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png	rivmolkcfbru.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\Recovery+btjhh.html	rivmolkcfbru.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\Recovery+btjhh.txt	rivmolkcfbru.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\Recovery+btjhh.png	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\row_over.png	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\highDpiImageSwap.js	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\localizedSettings.css	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\Recovery+btjhh.html	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Java\jre7\bin\Recovery+btjhh.png	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_right.png	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\highDpiImageSwap.js	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\localizedStrings.js	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\Recovery+btjhh.html	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sw.pak	rivmolkcfbru.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\Recovery+btjhh.png	rivmolkcfbru.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\Recovery+btjhh.html	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\Recovery+btjhh.png	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\Recovery+btjhh.html	rivmolkcfbru.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png	rivmolkcfbru.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NavigationButtonSubpicture.png	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Recovery+btjhh.html	rivmolkcfbru.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\Recovery+btjhh.html	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\Recovery+btjhh.txt	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\settings.css	rivmolkcfbru.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	rivmolkcfbru.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\Recovery+btjhh.html	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\Recovery+btjhh.html	rivmolkcfbru.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tl\Recovery+btjhh.txt	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_bottom_left.png	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\localizedStrings.js	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\30.png	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\Recovery+btjhh.txt	rivmolkcfbru.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\Recovery+btjhh.txt	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\Recovery+btjhh.png	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Java\jre7\lib\management\Recovery+btjhh.txt	rivmolkcfbru.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\Recovery+btjhh.png	rivmolkcfbru.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\Recovery+btjhh.html	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\Recovery+btjhh.png	rivmolkcfbru.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\Recovery+btjhh.png	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\Recovery+btjhh.html	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\Recovery+btjhh.txt	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_up.png	rivmolkcfbru.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	rivmolkcfbru.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_buttongraphic.png	rivmolkcfbru.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\Recovery+btjhh.html	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\Recovery+btjhh.png	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ar.pak	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\Recovery+btjhh.txt	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\Recovery+btjhh.txt	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\Recovery+btjhh.txt	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\slideShow.css	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_rainy.png	rivmolkcfbru.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\Recovery+btjhh.html	rivmolkcfbru.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\Recovery+btjhh.png	rivmolkcfbru.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\Recovery+btjhh.html	rivmolkcfbru.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_SelectionSubpicture.png	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\Recovery+btjhh.png	rivmolkcfbru.exe
File opened for modification	C:\Program Files\Microsoft Office\Recovery+btjhh.html	rivmolkcfbru.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\Recovery+btjhh.html	rivmolkcfbru.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rivmolkcfbru.exe	6eb348d4120cc4e66457c1149da9b38b_JaffaCakes118.exe
File opened for modification	C:\Windows\rivmolkcfbru.exe	6eb348d4120cc4e66457c1149da9b38b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 907524eedfadda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cba49511ec936948af6178daf82e243a000000000200000000001066000000010000200000008990aad1f94fae6f85e67799481f5391d7596426a2cb351ad39400cba5c69b5f000000000e8000000002000020000000336013d17e66d86d8958cc2caad2c53c0f959e7c75460a2accd85c6541b8845020000000bf130661ffe8437238ccbba1522ff6133f3bfb5c1fa95b8d7642d1a2f3227d0140000000b069330d75c30a7eb46c8232fe725b26c07f73ee1e12631158c71e356c983f9949a4617cfaa256ae536e3a614666e9cf6d7b8e72b44bbb5454b9c8e99ac4d10a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422719860"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{19ACE5D1-19D3-11EF-83FC-5267BFD3BAD1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cba49511ec936948af6178daf82e243a00000000020000000000106600000001000020000000cea59ae2c9b4b8758b0f8c2f9bc036dbbb82b110397a560603e844c3144b302a000000000e8000000002000020000000191fdb1969c2998253d3a7bc56825786248b46f487cc52bbeea65b6889ab35e2900000004c7e1b3d602f0b24b717528184ec3fceb50c69105893babb675aaaff69a73ec615aa4d37f988039e6ba4e77f6d7d63b61dddda47b3e87ccca6a657873eddbe2b4a4c47b58784da605fae19e199bb6e7a2f1088fd2b32ee6b488b33e292863f6e8eb54e9700f6bab54d92e9d7e062f4e64891326cf097ced8d7caed099e2e7e5d0a052bbc0e715444a1940a3b028f02a240000000d9f04f569866b013239e0b673197d9bcd791c46004cdbfc098ead432d255f64d0324354695dce8f9a542d7c98ee0a2572adb7f1aa57fefb95584f8f8a0a3fffd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2128	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe
1208	rivmolkcfbru.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	6eb348d4120cc4e66457c1149da9b38b_JaffaCakes118.exe
Token: SeDebugPrivilege	1208	rivmolkcfbru.exe
Token: SeIncreaseQuotaPrivilege	2544	WMIC.exe
Token: SeSecurityPrivilege	2544	WMIC.exe
Token: SeTakeOwnershipPrivilege	2544	WMIC.exe
Token: SeLoadDriverPrivilege	2544	WMIC.exe
Token: SeSystemProfilePrivilege	2544	WMIC.exe
Token: SeSystemtimePrivilege	2544	WMIC.exe
Token: SeProfSingleProcessPrivilege	2544	WMIC.exe
Token: SeIncBasePriorityPrivilege	2544	WMIC.exe
Token: SeCreatePagefilePrivilege	2544	WMIC.exe
Token: SeBackupPrivilege	2544	WMIC.exe
Token: SeRestorePrivilege	2544	WMIC.exe
Token: SeShutdownPrivilege	2544	WMIC.exe
Token: SeDebugPrivilege	2544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2544	WMIC.exe
Token: SeRemoteShutdownPrivilege	2544	WMIC.exe
Token: SeUndockPrivilege	2544	WMIC.exe
Token: SeManageVolumePrivilege	2544	WMIC.exe
Token: 33	2544	WMIC.exe
Token: 34	2544	WMIC.exe
Token: 35	2544	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2544	WMIC.exe
Token: SeSecurityPrivilege	2544	WMIC.exe
Token: SeTakeOwnershipPrivilege	2544	WMIC.exe
Token: SeLoadDriverPrivilege	2544	WMIC.exe
Token: SeSystemProfilePrivilege	2544	WMIC.exe
Token: SeSystemtimePrivilege	2544	WMIC.exe
Token: SeProfSingleProcessPrivilege	2544	WMIC.exe
Token: SeIncBasePriorityPrivilege	2544	WMIC.exe
Token: SeCreatePagefilePrivilege	2544	WMIC.exe
Token: SeBackupPrivilege	2544	WMIC.exe
Token: SeRestorePrivilege	2544	WMIC.exe
Token: SeShutdownPrivilege	2544	WMIC.exe
Token: SeDebugPrivilege	2544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2544	WMIC.exe
Token: SeRemoteShutdownPrivilege	2544	WMIC.exe
Token: SeUndockPrivilege	2544	WMIC.exe
Token: SeManageVolumePrivilege	2544	WMIC.exe
Token: 33	2544	WMIC.exe
Token: 34	2544	WMIC.exe
Token: 35	2544	WMIC.exe
Token: SeBackupPrivilege	2404	vssvc.exe
Token: SeRestorePrivilege	2404	vssvc.exe
Token: SeAuditPrivilege	2404	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2704	WMIC.exe
Token: SeSecurityPrivilege	2704	WMIC.exe
Token: SeTakeOwnershipPrivilege	2704	WMIC.exe
Token: SeLoadDriverPrivilege	2704	WMIC.exe
Token: SeSystemProfilePrivilege	2704	WMIC.exe
Token: SeSystemtimePrivilege	2704	WMIC.exe
Token: SeProfSingleProcessPrivilege	2704	WMIC.exe
Token: SeIncBasePriorityPrivilege	2704	WMIC.exe
Token: SeCreatePagefilePrivilege	2704	WMIC.exe
Token: SeBackupPrivilege	2704	WMIC.exe
Token: SeRestorePrivilege	2704	WMIC.exe
Token: SeShutdownPrivilege	2704	WMIC.exe
Token: SeDebugPrivilege	2704	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2704	WMIC.exe
Token: SeRemoteShutdownPrivilege	2704	WMIC.exe
Token: SeUndockPrivilege	2704	WMIC.exe
Token: SeManageVolumePrivilege	2704	WMIC.exe
Token: 33	2704	WMIC.exe
Token: 34	2704	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2120	iexplore.exe
1616	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2120	iexplore.exe
2120	iexplore.exe
336	IEXPLORE.EXE
336	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 1208	2696	6eb348d4120cc4e66457c1149da9b38b_JaffaCakes118.exe	28
PID 2696 wrote to memory of 1208	2696	6eb348d4120cc4e66457c1149da9b38b_JaffaCakes118.exe	28
PID 2696 wrote to memory of 1208	2696	6eb348d4120cc4e66457c1149da9b38b_JaffaCakes118.exe	28
PID 2696 wrote to memory of 1208	2696	6eb348d4120cc4e66457c1149da9b38b_JaffaCakes118.exe	28
PID 2696 wrote to memory of 2944	2696	6eb348d4120cc4e66457c1149da9b38b_JaffaCakes118.exe	29
PID 2696 wrote to memory of 2944	2696	6eb348d4120cc4e66457c1149da9b38b_JaffaCakes118.exe	29
PID 2696 wrote to memory of 2944	2696	6eb348d4120cc4e66457c1149da9b38b_JaffaCakes118.exe	29
PID 2696 wrote to memory of 2944	2696	6eb348d4120cc4e66457c1149da9b38b_JaffaCakes118.exe	29
PID 1208 wrote to memory of 2544	1208	rivmolkcfbru.exe	31
PID 1208 wrote to memory of 2544	1208	rivmolkcfbru.exe	31
PID 1208 wrote to memory of 2544	1208	rivmolkcfbru.exe	31
PID 1208 wrote to memory of 2544	1208	rivmolkcfbru.exe	31
PID 1208 wrote to memory of 2128	1208	rivmolkcfbru.exe	38
PID 1208 wrote to memory of 2128	1208	rivmolkcfbru.exe	38
PID 1208 wrote to memory of 2128	1208	rivmolkcfbru.exe	38
PID 1208 wrote to memory of 2128	1208	rivmolkcfbru.exe	38
PID 1208 wrote to memory of 2120	1208	rivmolkcfbru.exe	39
PID 1208 wrote to memory of 2120	1208	rivmolkcfbru.exe	39
PID 1208 wrote to memory of 2120	1208	rivmolkcfbru.exe	39
PID 1208 wrote to memory of 2120	1208	rivmolkcfbru.exe	39
PID 2120 wrote to memory of 336	2120	iexplore.exe	41
PID 2120 wrote to memory of 336	2120	iexplore.exe	41
PID 2120 wrote to memory of 336	2120	iexplore.exe	41
PID 2120 wrote to memory of 336	2120	iexplore.exe	41
PID 1208 wrote to memory of 2704	1208	rivmolkcfbru.exe	42
PID 1208 wrote to memory of 2704	1208	rivmolkcfbru.exe	42
PID 1208 wrote to memory of 2704	1208	rivmolkcfbru.exe	42
PID 1208 wrote to memory of 2704	1208	rivmolkcfbru.exe	42
PID 1208 wrote to memory of 2768	1208	rivmolkcfbru.exe	44
PID 1208 wrote to memory of 2768	1208	rivmolkcfbru.exe	44
PID 1208 wrote to memory of 2768	1208	rivmolkcfbru.exe	44
PID 1208 wrote to memory of 2768	1208	rivmolkcfbru.exe	44

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	rivmolkcfbru.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	rivmolkcfbru.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6eb348d4120cc4e66457c1149da9b38b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6eb348d4120cc4e66457c1149da9b38b_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\rivmolkcfbru.exe
  C:\Windows\rivmolkcfbru.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1208
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2544
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2128
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2120 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:336
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\RIVMOL~1.EXE
    3⤵
    PID:2768
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\6EB348~1.EXE
  2⤵
  - Deletes itself
  PID:2944

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+btjhh.html

Filesize
11KB

MD5
d5d3ee74bee0bc31560afbdb63fc33f1

SHA1
ab2d337b85851b5c3fecebde11d89c64c72b79cd

SHA256
f47af19a18ce475ce45091ef664617cfbb8db1137a9e44347350d773eb60e922

SHA512
0937a510ed77dd0ccfcfaeaf902f9e2bdc180fe3633a47f93f7ff817a58bf90c95fe1989fec97f69486d1c87710e8907e78dc72b7d2f50e37a50d2cc47918209

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+btjhh.png

Filesize
62KB

MD5
2bf0db19e408eefe2cbe25613bab7595

SHA1
e6d963c55b4d720d2eee61872df7a3303056df47

SHA256
4ff0190920544325105ed8ef94040f38525fba03e4bd3feef776edd61030ec0d

SHA512
11e99f9eead01ffccf218cf41fb38587787ae9f9e19a879aa575b5cbc5eeedbfaa96b944f1791d4b390b95878704c5d82d11bc8ba4586b9013e22bbe75b65466

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+btjhh.txt

Filesize
1KB

MD5
130e9a87adb07229e5c7c2313f26010b

SHA1
49a91ea4cf6bd709757916757f36e5c46a0efc11

SHA256
185a72e33cb7ed30a5e2260e283739a70122acc249f4b126d5d9d856cfa2e976

SHA512
5120ab4b7449d4aa5de2fac0743221a7835ee7c7c461d0930584bc65a109f81d81dc6f587cb5f2046b30a2712272c801067371251cda78148aac218eb9333ae6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
3d55c9584974a5f2c7cf21f2258ac28e

SHA1
74c0e7229324a7303fbc84b6d7dd99f6f5f3cfd7

SHA256
33366663d23d42f1fe19db496cf194cf76a4da1e68f773defd487df4cafb1ec4

SHA512
8bb8ed957bcb1064e159660bf782f719b1985feb71c2839a67d3207602643dcec884f793064ed99944d90fc0bd19a1f0e5047e842006031fd8f6c87bce65bfb8

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
050c9f964051b49fe62907e467d6b13c

SHA1
ceb3ca1e7c0bd57a0a288db61eeb92569c79d742

SHA256
66d26f0212ea6d4da9fec407d845932c9a04317bb6cebed4aa42218d6dafbc97

SHA512
a0e991b0dd174a766947d1586ad27e266ba7bce67e25be2be52df1cad90f0477854a69780b6c3dc488270aeb03455d4f12a67dccf15359e4f932fc26c68e8240

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
9055370c4bd6feb67d13adc0337ac228

SHA1
20d804b60a95bb24db459b0b28004d3223394f30

SHA256
d20d7517b72a0ca49d67a44e76bca84934dfcf3d2c8e1df2807ddea36be703c5

SHA512
9cf0d54f23d292b0f865780c652a0b5024f412ce9e8585518b7effc5b3b325227e6dabe472c5d85d16aad770c0effbed8c548db9a439467872aa609ee241e2c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4fddec31fd8fc392a51fbd19772fa938

SHA1
cab30af58616ddddaba0bce1c5d5831f58331c60

SHA256
0099ec5b09f906a7e330846bb98592b0a6812b406ac23fc3ddbf1388f677d0a0

SHA512
9d656eac072954990ad9689023e0ebb35734031c3152acf0fc6651aad212a40f0c8f64fef000eff752023fd49edf0d81036af06e144ccfb1aec735ca56f39e66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
209885777d2f785c2fe368a0095ad1b2

SHA1
18be93f62d3e103b6e7b0889ceeff6eab9c2c566

SHA256
832b69a1bccc8c23dc603440ecf76c31a0ccc7f2a8a9ebcd5a4dbdada9f6ec50

SHA512
780f0930e7813b0820ab493dd67c187262cf3416266058aec36762f8d48ba9c7487e423d333d534628d3e2d0a47aea26da00ec578f738705dec63573ba9aea70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2c5a28a47e392e3025a7a43dd9875142

SHA1
36d1cd2f3ce54862986ee7f8975eaf89bf56be9a

SHA256
1b648f573fb5cce8ec70d81b747dcc55dfaa99aa954417669328b3d58cb662aa

SHA512
850007b51d4cf38fa745d17d4f2328a7b9bb656215dae500fdf6d7da2294ceaf21c96994a972216859d4d8357a1cc2803c91cd89f7962b521878e6078f50270d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6ceeb0ed84bf64026d58501e69b360ad

SHA1
4d703c77a53f8a433da4ac6dcfe1d3e49a2df69a

SHA256
b5024709c5992d66f0ab04729d8324aa53fba2b22d4efd4abcf722cd83acb7f0

SHA512
241e7cac2e0c3f5bb118d26d8340369246ecad8ff8f42fad98dc0cefa2fd6321f2e0439c88ef0a4270e93cbf0c733dd9526bc1714a9a0e24ccd4cb83443753db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
176d5bc3a36b9ee8429e38c147543bcb

SHA1
d704e5f31e15937bf18154a4e01353f37317d7cc

SHA256
428d09b6991c1775c9467367cf7417d1bf5a788b5811967b7576c2ac28db484b

SHA512
e923b98c754561cb4a4547868992172cd6fb99f9d0812d894d39eac86fb53cbf01291c4c0156eb264496344d61e41634b56d41dc48601bf166b205370492f5fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4d727c0bd76c4fa2133e676606e38666

SHA1
d59d519fec70ac5057f990e84416f3c2c588c98a

SHA256
008ea76f5cc5904b09c25280063f97d70629214589f33c4641968120c217b50d

SHA512
77e200018659fe21534a2fef12f1918af13d79738990ea99acb7227df5357f304e6f1d734a570bf6c621d17fd1400f068b3d590677a5fbb04381a8fa4516031c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c41ece6b8dabb56be6003e2bfccd1bcd

SHA1
bb1f9b69084c5faba380cbd25b1f865c815bc85f

SHA256
0ef414cf396d4157cef469e618f9606449a46fe101d6c07a68c14693d7e1fdd4

SHA512
7ccdbd9b67b0edd45d89c551a987fba59f17e09d7d4b1ba5e650bb961cae8bef46c00f9278d57f838c3b63d1fe506900a49773af0c52412b1202a9c03bbaff03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9dc6c15b64428163b9988c0bb7dd8a8c

SHA1
33d2616ae10611f242e1d7127847c0a7f6a1a45b

SHA256
dfac81ea0337ec594bd92562c86268e33ea8a944243293fcc7c0e1e16306e027

SHA512
697054a4f9cea98bc2065b64cf62f6f9805edb5bbcf388052459eb99beb7e93b8a8b74066fc2ba3b5caa2560ceaa27980c2816335426d640a74aeb2326be472f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e56c9e86ab27060357c6024b0b01a7ef

SHA1
ac56fa699e68b67ffb3cd8d5f5f49826ef3d9311

SHA256
2b351eae5f091decd6b2e065ba30fb7b80755f142de1da21dd2f7f2b0cc2beba

SHA512
cb3542f6219950688251210ccd4fc1528facfd6cec6d389f04d0ed7e22e79106ce1af121bdc92f5f77ffa22da7531c98cfc43aff63156d54d717fa6672c4ba4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ea80a3c6a85be9b015b915bce8cd6f49

SHA1
33b4f6102a7cb36351438a2375110d33659a4943

SHA256
b1fae4fe94da8d7e74f09c941b122d3099c77d430f0e4c19ba21eb421b2162a1

SHA512
c02a0caa6f731fba7e19c3225ed5e3c9bde20b8361fbbf2afec4c4c2a6bf9f6569a2aa2263ac4b83f39f9bb24dec901aabad0c134acfe88a16f797e5fa0df29d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c3e230eca0111de850ce156e2bfeb5ec

SHA1
7bcb1c7bd0cd55ac6e768ec4cd7ba46250510f6c

SHA256
a185cd698a47d5618cb4165d8c78fddae52e5fa92309bc72bd3020b29add6cf5

SHA512
9a135c0f0be575d86425d017be872e97749f6358721c3ae184a116e50f71658f56076287a01c9986c260de96d0b4a22dcfc21f5c85b86e59ad748fab5dd537d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
928477b743b8310515a86ae49e11d026

SHA1
f6fc8df75aabbc6a32e10be14b01e8241030c683

SHA256
7a63025d33df09a9c3fef2d71f35856a3aaa64e73105b7b3334b2fc2fc489575

SHA512
c09ba04fdae54fd29e2891d5aeb783746ee8dc024ca6327930248aa4fcb068d15a522ea68614552829234339f0f3423acbd83ac5e68ebb2836776f56ea17964d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2bcb921e0cc750d1751c05dc5b43145c

SHA1
7cc15afd919d82c17e2f1325b3dc0aea887746bf

SHA256
7bbdbb3d75dd2cd13f06f3e142799c9924a9f001a40049ff03b2ec2fbd935f61

SHA512
10f562a63897fd2b42572b0ba77e373c6a6f873fafcee8a8f6e42856da70877c66e948d022124d4354171879bb05a9a2780d923fd21be6c0fd98e40a8027fb82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a4573cefa8f529831a7e202da9036637

SHA1
a092716af7e496811339cb64cf8cfc749861c2e0

SHA256
9c847b96ce6ac6c652e0baac423933ca9743f2adfbaeb1c7750e9a8f92f6dffe

SHA512
97cabecf5ec5a8d6fbfa75ec1847921a892437fe98de18757ba20187405c9fc9b7c35d8b4e950a4a00e974475371c1fc2f2edc3c32771c70f2ad19b085092692

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c31edd78475f7752ba3d0adb62bf3038

SHA1
20a00d7a7a0549f961c34cd2c5c414ca24299a0e

SHA256
f29a690ac1fed2a5f3c885e933920e2b4e465c440c0890b81f266cb1dc6a3b16

SHA512
8981aa1d5ab1dfb79ca3ebef61a8aadf9dd6ccc7c0a0ec542cf57f377a9e40f0d086001fccbf3c6a5aab38ec7ad520a0c77c0edbe9ba209ff22ada0e9de104c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3b863c30011c1db4a54de400045a6b4c

SHA1
14578b4fff057c0dea4c64b72adadd78dd46d8ae

SHA256
820527f3f227803ad41735abdd0f4a9a8bdc33b8dc2c8225bb68eb19e9af7a13

SHA512
edbefb96c9210ac4dca8709723fcc4f71ae0e3985e15c4e5d44e05ee2405269da2267aacaea9ae4a0edf5f1b3ff72ac05e0043d24937c030749ba545f4b7e547

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0091c9036fe351c07d5d8b30921e8d0b

SHA1
7267079f3d68c89bb875c5a2892d404153c29690

SHA256
3e0754b4c7ac99b95e9268a42765ba625a379238abf84fd7d382e1229d50cfb4

SHA512
0541dd17dbc29bed97248cf988cb9c59cb58a0c81deacfda9c9f3ae456bc9cd74eda9388255695fd47d1bb170a1cf93be4559a423cbe34c646998dcfba36ea1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3c139b73b2beb6486bccac5a4fdfa3c5

SHA1
26e156977829a87dfc2ed3070483d65555de7898

SHA256
1207e6d2596368962c2603c92a1a004672e20fe2c4e281a58fefef3d95f63b21

SHA512
9e24c044b611ab2cc843dd341aa5f3b9dce23ba56004fb9a66e524f8c2dcd24d45b13ce8b4cfdedf0a8ff08474fea85607be7b7bd5dbadc7277437f7c59ea3f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c05dbbbd39be6e864f4ea85bac363a9a

SHA1
ecb350b32eb73b66a31b057d16d6f1f8e6020498

SHA256
861f57d8f220059e3b7920ec4b7e4494510447d82f0f070d033f6dab68bfa46e

SHA512
aa39351810c822f5941c6a9a5affdc6c5c62fed99a134892cd825b76c8be64aaf9fd5492fb329f22cb1295981d1fcd30d1904e1754b3709bcc09f2b4121e6fad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7efbaec2e96dc6a4ea22bc6c5ac128f4

SHA1
d547d05d8889ef2469e40fc7f2fa42727a54e995

SHA256
d9b5b701fc86137ef653103d80b18ef134d71fa16abf232f6549430999e7d4ab

SHA512
e60ed02af561a579dc22d556d6ed88e78b0a2f4907a18ccb595aebdc52887ef6cce832dd7b2980e08bed275aa874e0a658f89b77366f4dadcd9a4f17d7916747

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7e3d1f2cff31ec2f415cda01074e5064

SHA1
9f4573d535f0ce31fa1feaa8b1031bfee87f994c

SHA256
1d4dc4cc788ac4dc814fe9355f6dcbb6768043b8ae7a5d9b8d462fb7c9cc35b3

SHA512
b7b9a9355aeecceaa8a4447ff1700390d7e737a635f6fd1fba9377b1feb4a8d71fa9fb5d9fa80c8247cc82cb177066c265554937326f9357a9214044ac8aaae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9B78.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9C69.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\rivmolkcfbru.exe

Filesize
240KB

MD5
6eb348d4120cc4e66457c1149da9b38b

SHA1
d203ece9430ab4a16cbce7911cad11105db9769c

SHA256
0c2640849f10fbbde09768b3a3a9cc2ad3289f319d8bb657aa02b98001715fd0

SHA512
9eec3639cdb4aeeea2f982d15b8d2b037a9a1a627e612e577716570e00edcc3583834ce35e223f29bbc29aa97bf90ba3916dcf2ee0a96cc8268cfe81430c91f5

Download Submit
memory/1208-9-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1208-8-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1208-2051-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1208-4882-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1208-5983-0x00000000044C0000-0x00000000044C2000-memory.dmp

Filesize
8KB

Download
memory/1208-5989-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1616-5984-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download
memory/2696-11-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2696-10-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2696-0-0x0000000000570000-0x000000000059E000-memory.dmp

Filesize
184KB

Download
memory/2696-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2696-1-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download