teslacrypt | 5f5b2501b23fd3efceffa161bb51b9721a10f583e85e10a287faa170d847e1cc

Resubmissions

04-10-2024 12:49

241004-p2mr1svcrp 10

04-10-2024 12:48

241004-p1xwlavcnp 3

04-10-2024 12:36

241004-ptefnsthqn 10

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
04-10-2024 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1363011ce43fdadbff9360a2e2716731_JaffaCakes118.exe
Size

342KB
MD5

1363011ce43fdadbff9360a2e2716731
SHA1

d980ddf282aa7170c38caaa4fe73d05cf04d9fe6
SHA256

5f5b2501b23fd3efceffa161bb51b9721a10f583e85e10a287faa170d847e1cc
SHA512

355c654a7226f6c68367f0ede1f294d84f5f2d8b70757c9c0b20546589971b5534d67b0a99360acca7d5a0251aca0339b55226e859d5d53637a5491533072feb
SSDEEP

6144:wlOK1RBZgYK6aOtAOv49cXWF8eM0jF47fodLQdq71wsMrMYNVnL:wT16YKitccXWjTvLQdu1nMrvnL

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+fafvg.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E57CBE074B5AFD2 2. http://kkd47eh4hdjshb5t.angortra.at/E57CBE074B5AFD2 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/E57CBE074B5AFD2 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/E57CBE074B5AFD2 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E57CBE074B5AFD2 http://kkd47eh4hdjshb5t.angortra.at/E57CBE074B5AFD2 http://ytrest84y5i456hghadefdsd.pontogrot.com/E57CBE074B5AFD2 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/E57CBE074B5AFD2

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E57CBE074B5AFD2

http://kkd47eh4hdjshb5t.angortra.at/E57CBE074B5AFD2

http://ytrest84y5i456hghadefdsd.pontogrot.com/E57CBE074B5AFD2

http://xlowfznrg4wf7dli.ONION/E57CBE074B5AFD2

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (397) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
1800	cmd.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+fafvg.txt	ognvtpnytdvt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+fafvg.html	ognvtpnytdvt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+fafvg.png	ognvtpnytdvt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+fafvg.txt	ognvtpnytdvt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+fafvg.html	ognvtpnytdvt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+fafvg.png	ognvtpnytdvt.exe

Executes dropped EXE 1 IoCs

pid	Process
1944	ognvtpnytdvt.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\xmpoarqssifd = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\ognvtpnytdvt.exe\""	ognvtpnytdvt.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_settings.png	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Recovery+fafvg.png	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_ButtonGraphic.png	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\it-IT\Recovery+fafvg.txt	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\Recovery+fafvg.html	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sl.pak	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\Recovery+fafvg.html	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\Recovery+fafvg.html	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\Recovery+fafvg.png	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Recovery+fafvg.html	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\Recovery+fafvg.html	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ja.pak	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\Recovery+fafvg.png	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\Recovery+fafvg.html	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\Recovery+fafvg.html	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Recovery+fafvg.png	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\Recovery+fafvg.png	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\Recovery+fafvg.html	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\Recovery+fafvg.html	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\Recovery+fafvg.png	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous.png	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_over.png	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)redStateIcon.png	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\Recovery+fafvg.txt	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\Recovery+fafvg.html	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\Recovery+fafvg.txt	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\lua\Recovery+fafvg.txt	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\Recovery+fafvg.png	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\Recovery+fafvg.png	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\Recovery+fafvg.png	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Recovery+fafvg.html	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\Recovery+fafvg.html	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\glow.png	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\Recovery+fafvg.png	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\Recovery+fafvg.html	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\Recovery+fafvg.txt	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\Recovery+fafvg.png	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\de-DE\Recovery+fafvg.png	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\Recovery+fafvg.html	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\Recovery+fafvg.png	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\notes-static.png	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-background.png	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\Recovery+fafvg.png	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\Recovery+fafvg.html	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-desk.png	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_rest.png	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Recovery+fafvg.png	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_ButtonGraphic.png	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\Recovery+fafvg.txt	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\Recovery+fafvg.txt	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\Recovery+fafvg.txt	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\Recovery+fafvg.txt	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\Recovery+fafvg.txt	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_h.png	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_SelectionSubpicture.png	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Google\Chrome\Recovery+fafvg.txt	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\Recovery+fafvg.txt	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\Recovery+fafvg.txt	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\PreviousMenuButtonIcon.png	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\Recovery+fafvg.txt	ognvtpnytdvt.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png	ognvtpnytdvt.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ognvtpnytdvt.exe	1363011ce43fdadbff9360a2e2716731_JaffaCakes118.exe
File created	C:\Windows\ognvtpnytdvt.exe	1363011ce43fdadbff9360a2e2716731_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1363011ce43fdadbff9360a2e2716731_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ognvtpnytdvt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb47000000000200000000001066000000010000200000008388f3a14c8df0ae9e8582fdbd0291f0748cea92f03e9f8dbbdf0c68f3cb0681000000000e8000000002000020000000f392d36966aa602a15cf1de88e3c85489fe2fb31c8230d5d7f9df268599c5858900000006f6477f582d8b0bf163773009a5441a149c7c247abe868d80909e0a9d7511794751c3ec5f50b7931248904a39def9379406319046277109d2313c5d7f6e58ab41df42050a5ef5cb5a77f533f407e5fed1e1316698ad2aaf0513646552e82ed1547a603a2da60606c0a414d19454bce252b573d4dd7958a17870220425a9d99fb8f6b068f0030366aeb683b1310aa042b40000000ee2e8b743bcc0e9a9d121e20321ce30cab89a05f0014fe273b7e32e6032670f168707c62fe4888a01f7c5ea9ae128c61912d374a2d6f4522ab773da4f5d840eb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb47000000000200000000001066000000010000200000002debfabdb73ec2c3c208124cb89e2025cc5e397340d30dec29fe338fac4ec2d0000000000e8000000002000020000000f05cc5fb995658934b2d22103b57c91760528fd2ca4097384439994aa97ce0ef20000000a7fb90026908f4315bb5cb7469d7889bd7faa79db0fb499bd7ea60cb7f006e5b4000000027cc367ce146a92755cfac0edde026f5606f4bc03ee017a79a18d5dceb31df4657b6defa697c47309416ec56ead69c66a0ff243b1f7862d51e2094edf25c8de8	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e05d5d015c16db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434208071"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2CEF72E1-824F-11EF-8334-424588269AE0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1724	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe
1944	ognvtpnytdvt.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	2976	1363011ce43fdadbff9360a2e2716731_JaffaCakes118.exe
Token: SeDebugPrivilege	1944	ognvtpnytdvt.exe
Token: SeIncreaseQuotaPrivilege	2348	WMIC.exe
Token: SeSecurityPrivilege	2348	WMIC.exe
Token: SeTakeOwnershipPrivilege	2348	WMIC.exe
Token: SeLoadDriverPrivilege	2348	WMIC.exe
Token: SeSystemProfilePrivilege	2348	WMIC.exe
Token: SeSystemtimePrivilege	2348	WMIC.exe
Token: SeProfSingleProcessPrivilege	2348	WMIC.exe
Token: SeIncBasePriorityPrivilege	2348	WMIC.exe
Token: SeCreatePagefilePrivilege	2348	WMIC.exe
Token: SeBackupPrivilege	2348	WMIC.exe
Token: SeRestorePrivilege	2348	WMIC.exe
Token: SeShutdownPrivilege	2348	WMIC.exe
Token: SeDebugPrivilege	2348	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2348	WMIC.exe
Token: SeRemoteShutdownPrivilege	2348	WMIC.exe
Token: SeUndockPrivilege	2348	WMIC.exe
Token: SeManageVolumePrivilege	2348	WMIC.exe
Token: 33	2348	WMIC.exe
Token: 34	2348	WMIC.exe
Token: 35	2348	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2980	WMIC.exe
Token: SeSecurityPrivilege	2980	WMIC.exe
Token: SeTakeOwnershipPrivilege	2980	WMIC.exe
Token: SeLoadDriverPrivilege	2980	WMIC.exe
Token: SeSystemProfilePrivilege	2980	WMIC.exe
Token: SeSystemtimePrivilege	2980	WMIC.exe
Token: SeProfSingleProcessPrivilege	2980	WMIC.exe
Token: SeIncBasePriorityPrivilege	2980	WMIC.exe
Token: SeCreatePagefilePrivilege	2980	WMIC.exe
Token: SeBackupPrivilege	2980	WMIC.exe
Token: SeRestorePrivilege	2980	WMIC.exe
Token: SeShutdownPrivilege	2980	WMIC.exe
Token: SeDebugPrivilege	2980	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2980	WMIC.exe
Token: SeRemoteShutdownPrivilege	2980	WMIC.exe
Token: SeUndockPrivilege	2980	WMIC.exe
Token: SeManageVolumePrivilege	2980	WMIC.exe
Token: 33	2980	WMIC.exe
Token: 34	2980	WMIC.exe
Token: 35	2980	WMIC.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1400	iexplore.exe
2652	DllHost.exe
2652	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1400	iexplore.exe
1400	iexplore.exe
2864	IEXPLORE.EXE
2864	IEXPLORE.EXE
2864	IEXPLORE.EXE
2864	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 1944	2976	1363011ce43fdadbff9360a2e2716731_JaffaCakes118.exe	30
PID 2976 wrote to memory of 1944	2976	1363011ce43fdadbff9360a2e2716731_JaffaCakes118.exe	30
PID 2976 wrote to memory of 1944	2976	1363011ce43fdadbff9360a2e2716731_JaffaCakes118.exe	30
PID 2976 wrote to memory of 1944	2976	1363011ce43fdadbff9360a2e2716731_JaffaCakes118.exe	30
PID 2976 wrote to memory of 1800	2976	1363011ce43fdadbff9360a2e2716731_JaffaCakes118.exe	31
PID 2976 wrote to memory of 1800	2976	1363011ce43fdadbff9360a2e2716731_JaffaCakes118.exe	31
PID 2976 wrote to memory of 1800	2976	1363011ce43fdadbff9360a2e2716731_JaffaCakes118.exe	31
PID 2976 wrote to memory of 1800	2976	1363011ce43fdadbff9360a2e2716731_JaffaCakes118.exe	31
PID 1944 wrote to memory of 2348	1944	ognvtpnytdvt.exe	33
PID 1944 wrote to memory of 2348	1944	ognvtpnytdvt.exe	33
PID 1944 wrote to memory of 2348	1944	ognvtpnytdvt.exe	33
PID 1944 wrote to memory of 2348	1944	ognvtpnytdvt.exe	33
PID 1944 wrote to memory of 1724	1944	ognvtpnytdvt.exe	38
PID 1944 wrote to memory of 1724	1944	ognvtpnytdvt.exe	38
PID 1944 wrote to memory of 1724	1944	ognvtpnytdvt.exe	38
PID 1944 wrote to memory of 1724	1944	ognvtpnytdvt.exe	38
PID 1944 wrote to memory of 1400	1944	ognvtpnytdvt.exe	39
PID 1944 wrote to memory of 1400	1944	ognvtpnytdvt.exe	39
PID 1944 wrote to memory of 1400	1944	ognvtpnytdvt.exe	39
PID 1944 wrote to memory of 1400	1944	ognvtpnytdvt.exe	39
PID 1400 wrote to memory of 2864	1400	iexplore.exe	41
PID 1400 wrote to memory of 2864	1400	iexplore.exe	41
PID 1400 wrote to memory of 2864	1400	iexplore.exe	41
PID 1400 wrote to memory of 2864	1400	iexplore.exe	41
PID 1944 wrote to memory of 2980	1944	ognvtpnytdvt.exe	42
PID 1944 wrote to memory of 2980	1944	ognvtpnytdvt.exe	42
PID 1944 wrote to memory of 2980	1944	ognvtpnytdvt.exe	42
PID 1944 wrote to memory of 2980	1944	ognvtpnytdvt.exe	42
PID 1944 wrote to memory of 1568	1944	ognvtpnytdvt.exe	45
PID 1944 wrote to memory of 1568	1944	ognvtpnytdvt.exe	45
PID 1944 wrote to memory of 1568	1944	ognvtpnytdvt.exe	45
PID 1944 wrote to memory of 1568	1944	ognvtpnytdvt.exe	45
PID 2972 wrote to memory of 2464	2972	chrome.exe	50
PID 2972 wrote to memory of 2464	2972	chrome.exe	50
PID 2972 wrote to memory of 2464	2972	chrome.exe	50
PID 2824 wrote to memory of 2164	2824	chrome.exe	52
PID 2824 wrote to memory of 2164	2824	chrome.exe	52
PID 2824 wrote to memory of 2164	2824	chrome.exe	52
PID 2624 wrote to memory of 3012	2624	chrome.exe	54
PID 2624 wrote to memory of 3012	2624	chrome.exe	54
PID 2624 wrote to memory of 3012	2624	chrome.exe	54

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ognvtpnytdvt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	ognvtpnytdvt.exe

C:\Users\Admin\AppData\Local\Temp\1363011ce43fdadbff9360a2e2716731_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1363011ce43fdadbff9360a2e2716731_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\ognvtpnytdvt.exe
  C:\Windows\ognvtpnytdvt.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1944
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2348
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:1724
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1400
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1400 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2864
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\OGNVTP~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\136301~1.EXE
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1800

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6969758,0x7fef6969768,0x7fef6969778
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6969758,0x7fef6969768,0x7fef6969778
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6969758,0x7fef6969768,0x7fef6969778
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+fafvg.html

Filesize
9KB

MD5
ce1f5824753bb7139bdd16929378abea

SHA1
13fd9fd50ebe65d624d9bbccb7d0390f8c67c2d6

SHA256
574944fe0c24f60c9c58ba1a8776e5af49aae30f937510ad35ceeb543c63e8c6

SHA512
113cad9f610246d2b0bdf827a0adfdb0449351a4a8b5ba574dd55db91963b30f3934bc1eddd18f96c594e419f1972b0a88722abec8bfb6d4449954527398cbfb

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+fafvg.png

Filesize
63KB

MD5
f58af887b8bc38f4b75f378df93973ac

SHA1
78e5e80e9b4422df0a45993dc9cf4dba8e7e2f38

SHA256
513b70e5d8260733e7ea3b36d06feea50238900cbdee65af6f66f211e8ed3fb2

SHA512
d1be5334ea556882e6d96419058e42778f6ee18af3d367c897cbf4782a295e7131ff036cdaf5633219c7a3e636ae2ccad8c2314be1276a896635684b765fe32f

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+fafvg.txt

Filesize
1KB

MD5
5faff1992ee39e2943c4b9ccf547b41e

SHA1
94dc69e0b5df17fafb3a3de72518278c13ea215c

SHA256
1cac857d189634c4d8c962adebdd7b927911273d0c02493589380cb3f29357f2

SHA512
7ff72f23fd3f1763d150087054766abccab62282a0dfa8799240efafb96a3064d32f31ff3d475879177e9ae139efd387bf22bf305bed12f522858ff81701817a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
3479498be1b670726a6aee1481b5c03c

SHA1
41cc1a9e43baef5784262b555aaf52fc724423a0

SHA256
2fbbb271256eb0927da5cf054ec87b676b3e051da2f9e7d18d326f76b32231e5

SHA512
a15621ce4a97313d37c556c39252e3888d79631a42cb72185312a0104e877a3e4ef0048a33315d40f36f28fffeb2452aef47215b59ca9e84083fdcd3ccbbe581

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
d02883fe203d2e4b88b9c86df4668ac7

SHA1
18999f792c3fd7c08aa1bb5885b68737ffdafce3

SHA256
0a7f86541dd7c83bf7bcf0f0e87cbdef253af4581344fd7f328226e2a35ee0df

SHA512
3e64e4f9a76196541dce5dbce6d8a24f05155d577f72e5ea60b24b4beed25d45b2bd364da949ef843e5ceba0a5c5cf94693c2cc639121cb7804815ae999aae2c

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
5f2e0ce2dca4f91cf03a5657961332b5

SHA1
5cc3afd39995202d31da6f309d17af5afcde7463

SHA256
e02a9ee001c89130c98dcdb682378fb706010886a10e91086eda59c3c5479b24

SHA512
dd48ffe83e6bfbdcc2631eb537535e494e636d2ae8c330344e4fb1876db61632756426056fc3e8f8bfacba7434486df4e55568b5ed4670d8a04c6c7509bf09bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dec502777321d0d2c5b1b940da3f4f06

SHA1
93b70d9b0b5b4805036a0014de491ec7b324cd89

SHA256
636c92e83637fe4d49dfdad05f7cca5bb345ed4ce3d0ebbfb092d7676aa7537e

SHA512
b5fd7922f06fce340431d0719e778f15fe62b98b8187a4d1bbe8e67ee0bc4af615c101a06adb1ac99b77225ce1ca3477146aa93a7a6476dc437948d168ac8214

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0988bc2621068f3d699b41c77c2bd23

SHA1
ac5b9e4ea82565f708ae739c58a24553a4396d3e

SHA256
6cfa6f86828f7cc37fe17f2daf114f88850cf4ad298b2fb4932b96e08cb46073

SHA512
79132f38fcdd407fef151c944be59dc241e5ac0cd636de72a2e6f5a6e5154dfa34eff8898f7bda0f6de283ccc8d2bc36f4e3ba7bd5193ebd18381a667710c07f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3e44022dddd366eb033d92e860081b5

SHA1
1ef28b08779845694b1dd2f89259f52eba455eca

SHA256
66bf9c8740a001cf7d84a01ae46134ccf8750d37747d9b8a1af3afb46f245c75

SHA512
c5cde103013ee3a754042fdd00e7cf6ecb9f9e039fac77f827a37133e7bc46a5a5915bbd25b64523d61433ca668b0bf32ba9d54beac26f5ceb72597ee0631bc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
50c49a867ad3db260c09b616458a5b3d

SHA1
3c3341f9718e0ae1955b1a614319a04ca401c3d9

SHA256
866afe4e5e79d844c7426bf5b27d584adeeae8b25f515608d9544e0779f88a75

SHA512
f5c4bc374f67523e32421423aedc29265dc30269249825715be8218d1e7682da9df505e82be33ba4747411068ed26708859ac6985d8dd9eb2b0ad7d4afe05f30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
335789da180e2033446f3c830c247c60

SHA1
aa3850ea18c0eb40d9e7f56a58b5884f26a0c7ff

SHA256
55733e9e3ab9cb54e4d38e149fe358872efe4d0da6db841dd64b243e091ee373

SHA512
5a35901753540427f26804812b9abd4015cd54023f22342ab2a61f09278c6101d5275ebf17c3540f052711c63cf9e464a3ee17d4eda6610e91327954eb771555

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
63e2deca78bd26d0ac35a89fa1241454

SHA1
069d890b604c648c253ee0699a51963cace5ce5d

SHA256
d9c944b95eb48114ed97a5daf28852ce2785b509e78b38ce3200b31a6eec059c

SHA512
b1c128cd8fa3bdd05f5e9b7fc5cceb10e74ec97e497e74ed75be9d4c2e7ae805f35b2db25b0b7a6364756c68c57f6b3a7d9e464fc6bb8c71fc3d8124dd78fdce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1a2258183148ddc010b5e6dbb42dd9d

SHA1
6168684652e2fb170bf02a6067b4453795b7ef0b

SHA256
a1153d37c65de58a886c0b6d5696aff7e1b5875df0916a6bbfb68a845abf4cd5

SHA512
906c222607009ac40ca508e35d2f0bedee6b720bfe2105d66ba442c0163ea429c2ff16ad7a5ea86be60885dc811e9b45a5d6381fa205f85d086a835846c29f19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d846f35bbaaa6a19da6341fcb70d92bc

SHA1
d337902340f660771d40362c7fc2bc6b70af3395

SHA256
95d1ea67436e1ee6278fa6d1402bb3cecc2adacf35dbaf760cb9f26ae1d507a8

SHA512
04ecc3fd1082b779094f62df61e65b0825ef30605a0706664865c441d5c964ce75058ea7f62d12d31502ad49cd0ac81a5d8fce433546dec8da4c15b88c624991

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e9d1c65778126a0d792465a3a608b9c

SHA1
f1f8c82279f084019e3c69986d85f458d1155e20

SHA256
25a630fb69370aee62a819601a86c17ccee8072bd09683affdcbf931bf38bfab

SHA512
273dfead0954a715d1e8d1145a78c50052da3f332bb10bdea59eeacf4d5556f3ee471dd4f4de610f3090f859897cb8c2c6e4f8968def2cedfd577d4a362c4546

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d6cd5567fe90b8d18069632afe55105

SHA1
1bfeff096d1c588a15811b5726ed7761cbb97cde

SHA256
5956c2817c839884ebdb25a885a6f80d8e349d967653a8dea829b5498a7776a8

SHA512
ac702d654aecf09580b0dd985c198ef40a06b357180f1ed946211d6b53e0ca52762e54df243a1e2a5c16a424bf64acf4886600a952d99d7e841996bc9fe710d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2493408b352857aeb3cd5a235aa7fbf1

SHA1
f6687c76b874aa51426cffde551e0cbe2d10f0dc

SHA256
684826ba80d34bd5359095876175031900d8b23b20197d82bf2ff27f4b89c4bc

SHA512
acb80879bb5238ab1aab8833706cb79a6f8a0b8aa70c3b1418816c593b8af83985c0d23dfc6b1277bbb428781cf99b99c635ff37d8e5db2ac9151f03f3aced51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea0011648e6009c189d70de1321dd2d9

SHA1
b838f3b1372c5dc3776c40ffdbbe4a40c989a3c5

SHA256
94bee448b1d9a09276d04fc825ec8cf4db83ac197a52ed422bba3896292e871d

SHA512
d62b071cf2ee616de4f31f953dd8547688db3476d71cb188c66661ff4aeb4ca48333ff6c0b8bd61ebbad91768892ff6e20cb74d03b7cca429f8b3ddde8a4502b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c43aea11c5c4307fa28d893508127454

SHA1
6c08e27e38f4a2a71f46b230f40d9b57227fe664

SHA256
51f5613b3c0a56e1cf45b351ad4d186c199b32fe55c0cb48c713a5ff947634a1

SHA512
1b7a7e24d4de1a02df9ebcee056edf9b5384694d7e886b112eb32deead42faae7d6e202ce2757b3d5eef8c83ee68af40b9c4206b31e1a6472eb0381cd4c5c872

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75e022bad8113876cdcf1b237548d7a6

SHA1
82a2badfe341911b8d031e0fbca9df6d3fac65d4

SHA256
c0cf800d573920cab984d62a01470c7c6e4140db65fc2ceeb61b7b0376e6d0d8

SHA512
e29ba2fe41558bd6257345941800c95f17261ea654f59c1b0bd12982164419be83e40288b7395dd433797a0e881d00a984db652596e22956a21ecf49d506f89e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5d41ee449dfde20c3994e96f01eeca4

SHA1
57997e4db95f71f815ea32bf78ed2bebe2747b7b

SHA256
04a0c56fdc5ecb97c5f1742111f9954a7a2d6e4bf9f24b26d90de290103aaee9

SHA512
f31bbf16329252d731a313e2869fb5706bc175b0c2d73385b1712ef9e52bffbb9e2d42f77aece0e15ced00b27eae24acf9e846568fb2944743a6ad0fe82e9d19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26a5eb9bffae4d03ad0bffacec4b8a4e

SHA1
e3190833fbeabd44d373ebfd6329f561fa87b98c

SHA256
f791a2897d6b8b9e961ed46059dc51557a886cd533c8474ca06c838de617d354

SHA512
0a66c906716646b9fb02b87eb2e66a5bd90e68cd050a6bc3a1e7064648548d409af74e06809146edd6c162c2c56b8ef60f929a1580badf6a440f123dd4357e1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e39852f7d8baef8e4e595c7d421b49d0

SHA1
6491d948ca527888a4b2729dc638fcd65910e1a5

SHA256
af01b00cf4928117b7c7ab12c987d9ceabcb78bbe30fa66e11effd3e4e145613

SHA512
30fcb90427e0966972b8a852aee4f0ef1e783f98ba4f94b24de4c40fecafe749034ed49565e478b48ed81f1435f8f2dc4b01453e8d2194477f7ad5aabe1eca3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dacda889af0d2493541c7fbc738520f9

SHA1
cbe941f2f68803ca9f8c0d95fafed818d2a18e6f

SHA256
35ebfe04fb37d06fdd1853d09c59bb7270601d5ae59852b531a25e0b2749c5fc

SHA512
7b2be22d1154050a41116040ed2c32f36f8ef6a867adf74168b0c2f4b45097d453fa75c92d8f319de09495e3b098a3805d607b1893bb79884228a77e9d119a05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\metadata

Filesize
212B

MD5
0e455b8112ae8786e9627e9811940e1f

SHA1
9d99f8778b6b988c02960022d21334a35ebc4f77

SHA256
3f81530db794a212090da9c57b0a7cac971f6ec16376daa56f29d0fa0fddc94e

SHA512
8999122a766385f2b5bd544a783b422629c4b158d9bf93ea553910f28012cbe3bb0fd0ce964c2904af8829a3cb02f82a3726d0a79172890c181a2206241a1ef2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\reports\4abca1a4-ce55-41ff-8570-ebbc8e9ea087.dmp

Filesize
161KB

MD5
d1f507ce2d4b186cbdcfab4bcf74d0bf

SHA1
8420fefbb5c62697fc25673a2a7d7bb4c553044c

SHA256
22863b6790d22a490221d2167113c4e6ddafcd6cedc07f48d767e2f376e94928

SHA512
95e5092d344766d0d2890f157a0de5ea8c4e4309e03f36fbbfcd7133057f6e81300da40615b99f0b544b7691d5c87db82f09edcf025ff6f7597bafc5b7f3e8c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\reports\6a16a4ce-4138-4cd4-8a67-86b0c46fa9ad.dmp

Filesize
161KB

MD5
c7f770ed45c8eb62114f53bad42d912a

SHA1
af3f9226a3f5368329459c0802fc4b54d68246d8

SHA256
7de6ef460f9b2200171785e3af2a0f782df539dd64d7201dd25bb8aa27573bc8

SHA512
22ad9e5742825a7f28a254f98da44f02d0f363819c9d12b10a5cb2869f46592f07d2fa07a8f401274b2ddbf16ecf36932e18bc9a00a4dfc8e390a7ba2cba9d5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
6440e5b4ea3156744e4a29d42c8a2bd7

SHA1
da7b625fdca100cadf355ded3e112a57f8d25866

SHA256
c06f6986514f9e2a2853949c3809aa06a2d39594470ed4ffc77b5a9552565fb7

SHA512
960de88d405bccc917ad98c1cc04b9a3cb2daddd7a53ab5934e27e3bb2b1638dfa81688239db0910b53af711521a998a788ffabcdcaecf36caa0df2a31582d7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
f732dbed9289177d15e236d0f8f2ddd3

SHA1
53f822af51b014bc3d4b575865d9c3ef0e4debde

SHA256
2741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93

SHA512
b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
16b7586b9eba5296ea04b791fc3d675e

SHA1
8890767dd7eb4d1beab829324ba8b9599051f0b0

SHA256
474d668707f1cb929fef1e3798b71b632e50675bd1a9dceaab90c9587f72f680

SHA512
58668d0c28b63548a1f13d2c2dfa19bcc14c0b7406833ad8e72dfc07f46d8df6ded46265d74a042d07fbc88f78a59cb32389ef384ec78a55976dfc2737868771

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab34B9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3559.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFCB85EDAEE646390A.TMP

Filesize
16KB

MD5
e68181967dae182f6e0336b65fe6f9ba

SHA1
4ae28aeceab51688466cad9b3467c8ff73f75067

SHA256
3e77d5572ddf2eb6547fb2e8876e04b34c953a5cc6abe40e401b9e08d8189b5c

SHA512
7308f6a278c52c4d382835417290d636f0c4d12f79f334be5970bd94553bfb0d3fdb7bae9b2824c7a9b61861df3e7a73a7a3efc42a8e4a2d345ed9a9938c2d40

Download Submit
C:\Windows\ognvtpnytdvt.exe

Filesize
342KB

MD5
1363011ce43fdadbff9360a2e2716731

SHA1
d980ddf282aa7170c38caaa4fe73d05cf04d9fe6

SHA256
5f5b2501b23fd3efceffa161bb51b9721a10f583e85e10a287faa170d847e1cc

SHA512
355c654a7226f6c68367f0ede1f294d84f5f2d8b70757c9c0b20546589971b5534d67b0a99360acca7d5a0251aca0339b55226e859d5d53637a5491533072feb

Download Submit
memory/1944-6395-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/1944-1540-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/1944-8-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/1944-1827-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/1944-5164-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/1944-6392-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/1944-5950-0x0000000004040000-0x0000000004042000-memory.dmp

Filesize
8KB

Download
memory/1944-5954-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2652-5951-0x00000000003A0000-0x00000000003A2000-memory.dmp

Filesize
8KB

Download
memory/2976-9-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2976-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2976-0-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/2976-1-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2976-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download