teslacrypt | fb8faabbb27afe1fcae20d8d1d10896d484c42bc7bd714bf5ed4fb783945f0fa

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
13-06-2024 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a362450bd0ca83110c1509f09497f76c_JaffaCakes118.exe
Size

347KB
MD5

a362450bd0ca83110c1509f09497f76c
SHA1

6d417bccb8e80cceac70be15040e82a0a3471b82
SHA256

fb8faabbb27afe1fcae20d8d1d10896d484c42bc7bd714bf5ed4fb783945f0fa
SHA512

c3cc44e6f6ba42fb97c1c7b313f1f273306c2d600e59388a8830fee4eec6c3dd1844a2a353a33157726a75ccc5b18975a7ba76c78f519adfc0f059c7f74e6c05
SSDEEP

6144:Zul3JU9DhrPjzXZxOMhb2ZLWc4pPLJahf5WbQlFIJ8WDamSETrNVD2Og0z2Wov:ZulEhriMYZLWcKPVa5UO6J8Wum9TrX2h

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+pvcae.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/64DC63C0248CEA55 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/64DC63C0248CEA55 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/64DC63C0248CEA55 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/64DC63C0248CEA55 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/64DC63C0248CEA55 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/64DC63C0248CEA55 http://yyre45dbvn2nhbefbmh.begumvelic.at/64DC63C0248CEA55 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/64DC63C0248CEA55

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/64DC63C0248CEA55

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/64DC63C0248CEA55

http://yyre45dbvn2nhbefbmh.begumvelic.at/64DC63C0248CEA55

http://xlowfznrg4wf7dli.ONION/64DC63C0248CEA55

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (389) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2680 cmd.exe

pid	process
2680	cmd.exe

Drops startup file 3 IoCs

Processes:

lvvmahpwewsm.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+pvcae.png	lvvmahpwewsm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+pvcae.txt	lvvmahpwewsm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+pvcae.html	lvvmahpwewsm.exe

Executes dropped EXE 1 IoCs

Processes:

lvvmahpwewsm.exe

pid process

2996 lvvmahpwewsm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

lvvmahpwewsm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\cnsvcuyqdwqh = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\lvvmahpwewsm.exe\""	lvvmahpwewsm.exe

Drops file in Program Files directory 64 IoCs

Processes:

lvvmahpwewsm.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\_RECoVERY_+pvcae.html	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\_RECoVERY_+pvcae.html	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.png	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\RSSFeeds.js	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\_RECoVERY_+pvcae.txt	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\_RECoVERY_+pvcae.html	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\ja-JP\_RECoVERY_+pvcae.txt	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\library.js	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\_RECoVERY_+pvcae.txt	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_orange.png	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\_RECoVERY_+pvcae.png	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\_RECoVERY_+pvcae.html	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\_RECoVERY_+pvcae.html	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\_RECoVERY_+pvcae.html	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_RECoVERY_+pvcae.png	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\_RECoVERY_+pvcae.png	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\_RECoVERY_+pvcae.png	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\_RECoVERY_+pvcae.txt	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\_RECoVERY_+pvcae.html	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am_ET\_RECoVERY_+pvcae.html	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\_RECoVERY_+pvcae.html	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_SelectionSubpicture.png	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\_RECoVERY_+pvcae.html	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_RECoVERY_+pvcae.html	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\_RECoVERY_+pvcae.txt	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\_RECoVERY_+pvcae.txt	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\id\_RECoVERY_+pvcae.html	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\_RECoVERY_+pvcae.html	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\_RECoVERY_+pvcae.png	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\_RECoVERY_+pvcae.png	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\_RECoVERY_+pvcae.png	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_RECoVERY_+pvcae.txt	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_down.png	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\_RECoVERY_+pvcae.png	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\_RECoVERY_+pvcae.txt	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\_RECoVERY_+pvcae.html	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\_RECoVERY_+pvcae.txt	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\_RECoVERY_+pvcae.txt	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lg\_RECoVERY_+pvcae.html	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\es-ES\_RECoVERY_+pvcae.html	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\_RECoVERY_+pvcae.txt	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\_RECoVERY_+pvcae.txt	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\_RECoVERY_+pvcae.png	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\DVD Maker\_RECoVERY_+pvcae.html	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\_RECoVERY_+pvcae.txt	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\_RECoVERY_+pvcae.txt	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_RECoVERY_+pvcae.html	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\_RECoVERY_+pvcae.png	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\_RECoVERY_+pvcae.txt	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\fr-FR\_RECoVERY_+pvcae.png	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\clock.js	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\calendar.css	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous_partly-cloudy.png	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\_RECoVERY_+pvcae.png	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\_RECoVERY_+pvcae.html	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\_RECoVERY_+pvcae.txt	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fi.pak	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\fr-FR\_RECoVERY_+pvcae.html	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_left.png	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\_RECoVERY_+pvcae.png	lvvmahpwewsm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\_RECoVERY_+pvcae.png	lvvmahpwewsm.exe

Drops file in Windows directory 2 IoCs

Processes:

a362450bd0ca83110c1509f09497f76c_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\lvvmahpwewsm.exe	a362450bd0ca83110c1509f09497f76c_JaffaCakes118.exe
File opened for modification	C:\Windows\lvvmahpwewsm.exe	a362450bd0ca83110c1509f09497f76c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a807600000000020000000000106600000001000020000000f93886046d94838b94cf8567186fb80a0746581f61d4e5abe718e3b70304070d000000000e800000000200002000000029f7e327872bb046dd1a5adff1c6a9db79999e28113e958fa272e8ae1774172d90000000b4f6beff038bc418dd299dd019b08d6ef105e4422d4424c7a076a8cf89dd4fe96306e7a2abed91bae3cadeb8793cabfb97fa792d482da372c417e0f92afb872930375f433ed48abce798acd65400f2623f18de754e45feab8280bcf1f0f3a0d03c2876be2ba4ee48618b212b7ef80f51d971e9ebb6a9c886e9af7ca02a855c5149f1d97adbdc4c6806b578c0fdb4190f40000000f329d84d89f6352eee95690a331be715237bc81870bb743ac3662bfc949fc9160597ce2bbaa7b89c7ea5299fbd1dd6dc141960532f56404a09207b3f5a7c1fd5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 308fff4232bdda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6E2FF461-2925-11EF-8A4F-62EADBC3072C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a80760000000002000000000010660000000100002000000068ab76c6fbf6d5df2b50d7b42838da634e19951211d3201da30359b8b2beec93000000000e80000000020000200000002a74dd996d6083f3554710a61cbf080057357e3c311e49bd51bbd4640dd065a620000000d749f8eb4fcbffa42fe4ccd5addf6965c5076308680a86a9612613fcf746dab140000000f461c25e802686b25c07866747ef359fa1e02e20067894298e2f83f26ddd5ed55d561cb40d0c5f4d2a93cc7a4cae965df5a649f33748cae75443fa0bb3d9c6c4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1312 NOTEPAD.EXE

pid	process
1312	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

lvvmahpwewsm.exe

pid	process
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe
2996	lvvmahpwewsm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

a362450bd0ca83110c1509f09497f76c_JaffaCakes118.exelvvmahpwewsm.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2204	a362450bd0ca83110c1509f09497f76c_JaffaCakes118.exe
Token: SeDebugPrivilege	2996	lvvmahpwewsm.exe
Token: SeIncreaseQuotaPrivilege	2472	WMIC.exe
Token: SeSecurityPrivilege	2472	WMIC.exe
Token: SeTakeOwnershipPrivilege	2472	WMIC.exe
Token: SeLoadDriverPrivilege	2472	WMIC.exe
Token: SeSystemProfilePrivilege	2472	WMIC.exe
Token: SeSystemtimePrivilege	2472	WMIC.exe
Token: SeProfSingleProcessPrivilege	2472	WMIC.exe
Token: SeIncBasePriorityPrivilege	2472	WMIC.exe
Token: SeCreatePagefilePrivilege	2472	WMIC.exe
Token: SeBackupPrivilege	2472	WMIC.exe
Token: SeRestorePrivilege	2472	WMIC.exe
Token: SeShutdownPrivilege	2472	WMIC.exe
Token: SeDebugPrivilege	2472	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2472	WMIC.exe
Token: SeRemoteShutdownPrivilege	2472	WMIC.exe
Token: SeUndockPrivilege	2472	WMIC.exe
Token: SeManageVolumePrivilege	2472	WMIC.exe
Token: 33	2472	WMIC.exe
Token: 34	2472	WMIC.exe
Token: 35	2472	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2472	WMIC.exe
Token: SeSecurityPrivilege	2472	WMIC.exe
Token: SeTakeOwnershipPrivilege	2472	WMIC.exe
Token: SeLoadDriverPrivilege	2472	WMIC.exe
Token: SeSystemProfilePrivilege	2472	WMIC.exe
Token: SeSystemtimePrivilege	2472	WMIC.exe
Token: SeProfSingleProcessPrivilege	2472	WMIC.exe
Token: SeIncBasePriorityPrivilege	2472	WMIC.exe
Token: SeCreatePagefilePrivilege	2472	WMIC.exe
Token: SeBackupPrivilege	2472	WMIC.exe
Token: SeRestorePrivilege	2472	WMIC.exe
Token: SeShutdownPrivilege	2472	WMIC.exe
Token: SeDebugPrivilege	2472	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2472	WMIC.exe
Token: SeRemoteShutdownPrivilege	2472	WMIC.exe
Token: SeUndockPrivilege	2472	WMIC.exe
Token: SeManageVolumePrivilege	2472	WMIC.exe
Token: 33	2472	WMIC.exe
Token: 34	2472	WMIC.exe
Token: 35	2472	WMIC.exe
Token: SeBackupPrivilege	2528	vssvc.exe
Token: SeRestorePrivilege	2528	vssvc.exe
Token: SeAuditPrivilege	2528	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3048	WMIC.exe
Token: SeSecurityPrivilege	3048	WMIC.exe
Token: SeTakeOwnershipPrivilege	3048	WMIC.exe
Token: SeLoadDriverPrivilege	3048	WMIC.exe
Token: SeSystemProfilePrivilege	3048	WMIC.exe
Token: SeSystemtimePrivilege	3048	WMIC.exe
Token: SeProfSingleProcessPrivilege	3048	WMIC.exe
Token: SeIncBasePriorityPrivilege	3048	WMIC.exe
Token: SeCreatePagefilePrivilege	3048	WMIC.exe
Token: SeBackupPrivilege	3048	WMIC.exe
Token: SeRestorePrivilege	3048	WMIC.exe
Token: SeShutdownPrivilege	3048	WMIC.exe
Token: SeDebugPrivilege	3048	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3048	WMIC.exe
Token: SeRemoteShutdownPrivilege	3048	WMIC.exe
Token: SeUndockPrivilege	3048	WMIC.exe
Token: SeManageVolumePrivilege	3048	WMIC.exe
Token: 33	3048	WMIC.exe
Token: 34	3048	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

2852 iexplore.exe
1884 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2852 iexplore.exe
2852 iexplore.exe
2232 IEXPLORE.EXE
2232 IEXPLORE.EXE

pid	process
2852	iexplore.exe
1884	DllHost.exe

pid	process
2852	iexplore.exe
2852	iexplore.exe
2232	IEXPLORE.EXE
2232	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

a362450bd0ca83110c1509f09497f76c_JaffaCakes118.exelvvmahpwewsm.exeiexplore.exe

description	pid	process	target process
PID 2204 wrote to memory of 2996	2204	a362450bd0ca83110c1509f09497f76c_JaffaCakes118.exe	lvvmahpwewsm.exe
PID 2204 wrote to memory of 2996	2204	a362450bd0ca83110c1509f09497f76c_JaffaCakes118.exe	lvvmahpwewsm.exe
PID 2204 wrote to memory of 2996	2204	a362450bd0ca83110c1509f09497f76c_JaffaCakes118.exe	lvvmahpwewsm.exe
PID 2204 wrote to memory of 2996	2204	a362450bd0ca83110c1509f09497f76c_JaffaCakes118.exe	lvvmahpwewsm.exe
PID 2204 wrote to memory of 2680	2204	a362450bd0ca83110c1509f09497f76c_JaffaCakes118.exe	cmd.exe
PID 2204 wrote to memory of 2680	2204	a362450bd0ca83110c1509f09497f76c_JaffaCakes118.exe	cmd.exe
PID 2204 wrote to memory of 2680	2204	a362450bd0ca83110c1509f09497f76c_JaffaCakes118.exe	cmd.exe
PID 2204 wrote to memory of 2680	2204	a362450bd0ca83110c1509f09497f76c_JaffaCakes118.exe	cmd.exe
PID 2996 wrote to memory of 2472	2996	lvvmahpwewsm.exe	WMIC.exe
PID 2996 wrote to memory of 2472	2996	lvvmahpwewsm.exe	WMIC.exe
PID 2996 wrote to memory of 2472	2996	lvvmahpwewsm.exe	WMIC.exe
PID 2996 wrote to memory of 2472	2996	lvvmahpwewsm.exe	WMIC.exe
PID 2996 wrote to memory of 1312	2996	lvvmahpwewsm.exe	NOTEPAD.EXE
PID 2996 wrote to memory of 1312	2996	lvvmahpwewsm.exe	NOTEPAD.EXE
PID 2996 wrote to memory of 1312	2996	lvvmahpwewsm.exe	NOTEPAD.EXE
PID 2996 wrote to memory of 1312	2996	lvvmahpwewsm.exe	NOTEPAD.EXE
PID 2996 wrote to memory of 2852	2996	lvvmahpwewsm.exe	iexplore.exe
PID 2996 wrote to memory of 2852	2996	lvvmahpwewsm.exe	iexplore.exe
PID 2996 wrote to memory of 2852	2996	lvvmahpwewsm.exe	iexplore.exe
PID 2996 wrote to memory of 2852	2996	lvvmahpwewsm.exe	iexplore.exe
PID 2852 wrote to memory of 2232	2852	iexplore.exe	IEXPLORE.EXE
PID 2852 wrote to memory of 2232	2852	iexplore.exe	IEXPLORE.EXE
PID 2852 wrote to memory of 2232	2852	iexplore.exe	IEXPLORE.EXE
PID 2852 wrote to memory of 2232	2852	iexplore.exe	IEXPLORE.EXE
PID 2996 wrote to memory of 3048	2996	lvvmahpwewsm.exe	WMIC.exe
PID 2996 wrote to memory of 3048	2996	lvvmahpwewsm.exe	WMIC.exe
PID 2996 wrote to memory of 3048	2996	lvvmahpwewsm.exe	WMIC.exe
PID 2996 wrote to memory of 3048	2996	lvvmahpwewsm.exe	WMIC.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

lvvmahpwewsm.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	lvvmahpwewsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lvvmahpwewsm.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a362450bd0ca83110c1509f09497f76c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a362450bd0ca83110c1509f09497f76c_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\lvvmahpwewsm.exe
  C:\Windows\lvvmahpwewsm.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2996
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1312
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2852 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2232
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\LVVMAH~1.EXE
    3⤵
    PID:2176
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\A36245~1.EXE
  2⤵
  - Deletes itself
  PID:2680

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+pvcae.html

Filesize
12KB

MD5
780334e656e662bee13f1d747a39e604

SHA1
f40324bbaed15a2ec0b3cfd190d9eaf34a7741b5

SHA256
3aa3719d71b99aae9ff662aef3d9da73d6cc699eaabb5677ef71ea680abf493c

SHA512
38463089433c4ca6c7c2b7d71f6d23423a57f42c32e3e1289e0eb2323d714e8d6973bb1eea3f2bb00fa0570cc5004db92d4f240ef2a7c65b7fdaf0369cca78ed

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+pvcae.png

Filesize
65KB

MD5
787b23da7b84b92342af8367b9a656b9

SHA1
3e5904a0e82d09d003fdd50d398792974771ff90

SHA256
111242744ff8bd61e7e194cebd8ad2e8a3260212b6759df5d0bb91311ca87ee5

SHA512
d1f75b12faae6c0acbd88300a6662dd7edfb2cfca2f029597a0a51b8e2f6adc168473b17777fb9974c8c822d1c66b13a380a2d8cd53cfa23a9a40e7660eae86d

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+pvcae.txt

Filesize
1KB

MD5
081821d2da29263aa1db0033efa726ff

SHA1
c4ef78e1981961357d7055d82071f017aed0666d

SHA256
d29af3b492af3a2cb711ad8c59f69c3fb176cfbdbc65f45c413f7bb19e224f17

SHA512
f65657ece984c0b1bc526a3717d447d9f09487123e6267e24973e4b9182e60c59a2ff8559f7f790937895710dd29507a2a4ad0bbe1d49e114b3123dc3eee34ed

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
8eb195721c1217e93d5291a77bfb4d97

SHA1
599f40b2dcd7f7faf907017fe9a8e7de2acc2c94

SHA256
3bd520e69f79329061e405edfc72fcd62e4a7680c58b1f64b638c7fa3d202e76

SHA512
181daefe2ab00fa561e9188ef9ca0825a8158f0034a18d6d946ecd2d27fcc13bc6ecf64700e8ef4663844f0811d0589870760bb9eaea141f53c6b58dfaa8bfe1

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
49b0b695ecf218735d74ca4d50cdb8be

SHA1
001aae33172e1e3e55f04612ba1aca3a0af5db04

SHA256
d8dd09e02140d34eacaf4d673129eef890ec4f1f6c460d541a7f84e7f232e748

SHA512
1e04dbd471370dfc91422d4a754a7c89b0cd89d02ecb92393f5dd92e8b2312f8ddd618a8f491420c994f8b4aa25514f238a154f3a859dfecfbd2356c2d92e694

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
1282da44fcce5703515b75ac930d5632

SHA1
ac34d2b8ae0c00be8daf69fba8734b55cfefc942

SHA256
84aa937fc53beb3a3f408a82937dddafd15a55f7b443a8595152b1b2fa7b8cdd

SHA512
1fe25fbc77d383bff13daf617884b402301349781f8fa97380b08c522fce72bf25922c0e0feccbe0f5d31e6072623aa544dfd26e6f607ca2d92e6d4306951246

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae72b3094c0b87e7cf6d75290797ca0f

SHA1
706aed1e2241840722cd48e422385a97db7c3474

SHA256
60c96cf2fabe689c9968feb0dfd9463d15bec9f3b4d6182f81905a98817dd0af

SHA512
bcc45f6350cc064904f013ec296ba1687b30f4fd8d7e0c25bde1638cc08bf27c2a07278aafb81ac8a295c0fc3486ad24518e6f014d2f9c4682d7e942ca852450

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9f0cf2b09eb99d0da4b24e5314f4807

SHA1
36bd97bae1c0e29510785c806382c40b01c79470

SHA256
773ed25ec6b06063b8a2e3f80b9e5d728d06a1636c059c28b84cb0b1d0480345

SHA512
6e92fb81c0b895a6a6f93443f0666f574778e6f8af6c192e9f705ca72b925b1ba7d0b2129ef208f8663ae7b6cf101b8fe815564e6e62dbb906c049362a7b29b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f216ba3359c47cba1b169ca7a001852

SHA1
8ed04a0afd5cccc82da9caf4e026e6452a5fe480

SHA256
6adf85c41862a0544f7e8c2d3bd73c9b354abb066f3f642173e67abc0049fe60

SHA512
2dee7970295d9768351751466c0c495eeefb55ec5d38c4caa78c62c0f21af0c96c676670d82831a29f57bfb25b781ebe9fbc8dd32778bb4e35e2441d210ec26f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a002b4558a00cad87edb19d95d6e1ef

SHA1
3499bc09a4bfcc637f6f37cc852c7684b8e31c38

SHA256
d0183ebda3a01d03f89818ccd768049f5ddef0ad281d6f962e25f8926922b120

SHA512
70f17d85bca2ba4d1ad2eaf086a3237ecafd514936f2c42324b5a4d693d96bf98d807762f24e2a3c56adc34aca0b3d595cbfe768e1497ee094284a9f2ae15b2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6dc08b2234436908b23dfc59ac1faf62

SHA1
725f5105d4a3c954fbbcfab2d8091f3584b1034d

SHA256
1af4515d38620451d2ee8ecd7bc915c1a7112f5646eedc45e5c1650e7ae55b95

SHA512
c03b4d99f0d69664344062dd42190e6a4980a6496d2f3de7fc055f9b82fe2740003bb00a9caa056b60ada00e2e40d8ad1f39bd07bb8a96d1c4171adb0231a506

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb5f482517d58bfd318400a89bd29266

SHA1
285aa37777a8597efb0be3a7e4522e9ef06dc12c

SHA256
1994ed409995f600561a2fc5afdfcc7974d6d60c770c384f085ba4c92be89d63

SHA512
a807baff8486f97faa56a22cab1def7defd868fbefb869d360408e23aa7372a18cabd5104e7a97c2d56fbebd03d9fbe6b4f97c7e612314784932cbbbb337cc2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6afb53ab6cee21bfa23fa14c369b975

SHA1
ebdc5846c949aac589049dbc8ec99a0a542f2703

SHA256
22fe180ce37e7e983bed602f51cc107e28a7d8112d90dc5b68dcfab5f2dad232

SHA512
25f5e50111b20878d7ee51176c386083f456f28859d27648f9e3dda54c545a82230d9878fcb27e24f4c02a3337b7fc2adbd86445c1ef02ff6426de3c22c01887

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd1cc0d110504f5c98f48b5423a72068

SHA1
f01b08723545a52beda2d9a4ed920f1d766d5548

SHA256
87850383471dd40c990028dabc236484c31df967241a4065cbd984bbce05ef78

SHA512
3c4a9f1b648a019237931646122cf6e11d60ec78a79f944ed1f611b8f05acfb50696992253e9292231aa75e90170fc9f3f4b612551efe002737d55d527a13786

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b8da555c8e9bde5b899dd61843c96f1

SHA1
27755fe016e41629f636949fa654ccda065591d8

SHA256
d4937946f3c9951f45807b807df60f40e169a45cba0780ce4bab8482f7437564

SHA512
dbccd456d69cebb74bea7486df5a9b9dcfec789d0c8c96c9ec469133268f6e2943ceba089c57c52b202d04ee0ef8be50e1921255ef0c11670951f4813ff56928

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c97b5e13a46ca1ee4c6d7349b38b116b

SHA1
9b67b7b4eca1fa34a62c1b315385751e6e506b36

SHA256
090b55458354d012db751dc337c9ee543324fb28b80c31cf6e11a989df0aaa49

SHA512
96d3833c51a7a1caf384c4604dc7ac0f5d9c883ef957c9c53f07def8c8e01eb172bd5f60af2969d17ef6201f541387e00906b93081a5e725521b0095c958a9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDA4B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDAFA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\lvvmahpwewsm.exe

Filesize
347KB

MD5
a362450bd0ca83110c1509f09497f76c

SHA1
6d417bccb8e80cceac70be15040e82a0a3471b82

SHA256
fb8faabbb27afe1fcae20d8d1d10896d484c42bc7bd714bf5ed4fb783945f0fa

SHA512
c3cc44e6f6ba42fb97c1c7b313f1f273306c2d600e59388a8830fee4eec6c3dd1844a2a353a33157726a75ccc5b18975a7ba76c78f519adfc0f059c7f74e6c05

Download Submit
memory/1884-5877-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/2204-1-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2204-0-0x00000000003C0000-0x00000000003EF000-memory.dmp

Filesize
188KB

Download
memory/2204-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2204-12-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2204-11-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2996-723-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2996-1348-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2996-5881-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2996-1997-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2996-601-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2996-5876-0x0000000002BA0000-0x0000000002BA2000-memory.dmp

Filesize
8KB

Download
memory/2996-5846-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2996-9-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2996-10-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2996-8-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2996-4894-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2996-4115-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2996-3216-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download