teslacrypt | 3fd9b1adcb7a64a0ef8d47423bcf984a02b8a7b96fb3467a09d278385a1080e3

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
14-10-2024 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4307f050fdd98a39e1c38dc1d56abb4a_JaffaCakes118.exe
Size

329KB
MD5

4307f050fdd98a39e1c38dc1d56abb4a
SHA1

ae3489b94b4a396c82e966de39e49974e84d432c
SHA256

3fd9b1adcb7a64a0ef8d47423bcf984a02b8a7b96fb3467a09d278385a1080e3
SHA512

9a55a3109f4fba4270f1c13ba37cf7d8a7114a9bd93c11c3b3f59c02d544c708e3ff55f804497d6cb416dc4fc792f21d18901e0cc17f9369736d805d73fc648b
SSDEEP

6144:3Kzdgl/ZWKOtAObo7zoooocIuFp1rgvW+TrGlbiRenD+uwELn6eVJTOF:ognWvtFoQvmvW8KlshVAG

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ohmmo.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/D384DCB7A63AE542 2. http://kkd47eh4hdjshb5t.angortra.at/D384DCB7A63AE542 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/D384DCB7A63AE542 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/D384DCB7A63AE542 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/D384DCB7A63AE542 http://kkd47eh4hdjshb5t.angortra.at/D384DCB7A63AE542 http://ytrest84y5i456hghadefdsd.pontogrot.com/D384DCB7A63AE542 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/D384DCB7A63AE542

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/D384DCB7A63AE542

http://kkd47eh4hdjshb5t.angortra.at/D384DCB7A63AE542

http://ytrest84y5i456hghadefdsd.pontogrot.com/D384DCB7A63AE542

http://xlowfznrg4wf7dli.ONION/D384DCB7A63AE542

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (374) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2056 cmd.exe

pid	process
2056	cmd.exe

Drops startup file 6 IoCs

Processes:

kvxgcmkcqmsk.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ohmmo.txt	kvxgcmkcqmsk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ohmmo.html	kvxgcmkcqmsk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ohmmo.png	kvxgcmkcqmsk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ohmmo.txt	kvxgcmkcqmsk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ohmmo.html	kvxgcmkcqmsk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ohmmo.png	kvxgcmkcqmsk.exe

Executes dropped EXE 1 IoCs

Processes:

kvxgcmkcqmsk.exe

pid process

1724 kvxgcmkcqmsk.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

kvxgcmkcqmsk.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ijkdctmgbolo = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\kvxgcmkcqmsk.exe\""	kvxgcmkcqmsk.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

Processes:

kvxgcmkcqmsk.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_left.png	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_over.png	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\es-ES\Recovery+ohmmo.png	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-gibbous.png	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\Recovery+ohmmo.html	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\Recovery+ohmmo.html	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\Recovery+ohmmo.png	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\Recovery+ohmmo.txt	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\Recovery+ohmmo.png	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\Recovery+ohmmo.txt	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Recovery+ohmmo.txt	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\Recovery+ohmmo.txt	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bn.pak	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\ehshellLogo.png	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\Recovery+ohmmo.png	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\Recovery+ohmmo.txt	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_down.png	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\Recovery+ohmmo.png	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\Recovery+ohmmo.html	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\Recovery+ohmmo.txt	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_windy.png	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\Recovery+ohmmo.png	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\Recovery+ohmmo.html	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_dot.png	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\1047x576black.png	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\es-ES\Recovery+ohmmo.png	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\Recovery+ohmmo.txt	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\mobile.css	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\Recovery+ohmmo.txt	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\Recovery+ohmmo.png	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\Recovery+ohmmo.txt	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\Recovery+ohmmo.html	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\Recovery+ohmmo.png	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\Recovery+ohmmo.html	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\logo.png	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\3.png	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\17.png	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ar.pak	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\Recovery+ohmmo.html	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sm\LC_MESSAGES\Recovery+ohmmo.txt	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\Recovery+ohmmo.html	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\Recovery+ohmmo.png	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Windows Defender\Recovery+ohmmo.txt	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\Recovery+ohmmo.html	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\Recovery+ohmmo.html	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.jpg	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\Recovery+ohmmo.html	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\Recovery+ohmmo.html	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\background.png	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\Recovery+ohmmo.txt	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\Recovery+ohmmo.txt	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw120.jpg	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\Recovery+ohmmo.png	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\Recovery+ohmmo.png	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\Recovery+ohmmo.txt	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\fr-FR\Recovery+ohmmo.png	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_top.png	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_videoinset.png	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\de-DE\Recovery+ohmmo.txt	kvxgcmkcqmsk.exe
File opened for modification	C:\Program Files\Windows NT\Recovery+ohmmo.txt	kvxgcmkcqmsk.exe

Drops file in Windows directory 2 IoCs

Processes:

4307f050fdd98a39e1c38dc1d56abb4a_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\kvxgcmkcqmsk.exe	4307f050fdd98a39e1c38dc1d56abb4a_JaffaCakes118.exe
File opened for modification	C:\Windows\kvxgcmkcqmsk.exe	4307f050fdd98a39e1c38dc1d56abb4a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exekvxgcmkcqmsk.exeNOTEPAD.EXEIEXPLORE.EXEDllHost.execmd.exe4307f050fdd98a39e1c38dc1d56abb4a_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kvxgcmkcqmsk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4307f050fdd98a39e1c38dc1d56abb4a_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b1319000000000200000000001066000000010000200000001f843e513e7b08e9ef246ed98510756fcbb5b5a85b1afa7b9076cd24abfa607e000000000e80000000020000200000002790acae0c39ac15531ee6215a983c1f47df0546d5bc24e1db8cdcc72123c61c9000000014c40bd6f2646ecd60d129fc16d65baf07244744bdba823d48e812ac67e0583bc4a8dd00e4b30cd71ad1bc19e6fbeb25cc994f2a5eedd1c78d5fd16b52ae999ccff05dec8f58eb0a7cbbf503032627a6b61c4d92a2e5240a42693b81ffb0cb2c8ada606fe893686f96a2fd43cd849876b1a609f807112a112142b9877117c881fcdc650bb64264f80308f03cc83db14740000000f8f33dcd8df7f4afabddb494b4b4a4f57936a553559159bb2bbe614b4d7e870cf0479b86b101d8fecf445765105c84ea22dda8de9e1bd6d97bb1c12953cd8e47	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000d1b1860ec9ed2d19c8f7dca1f05fe7273b3f0b7fe1c1629046b291aebaca3391000000000e8000000002000020000000a7b79dc9fdb41d900c35b82fa24b0738a382a39ed23e3c0a783fb3705c5a261d2000000075261bd4b147599639bd6488f4ff849abc520129b05d8a453bd29f4b4f0123644000000013c7d224b9489028095aa97f0489cc118f8e4c6e9119d1f62acb6f919472ec32fa8989e37abbcbf2e234103839cf62792b2e53f50d7f258062f1ae9f74fcb325	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10b710e8531edb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{13249B61-8A47-11EF-9358-7ACF20914AD0} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

kvxgcmkcqmsk.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	kvxgcmkcqmsk.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	kvxgcmkcqmsk.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2328 NOTEPAD.EXE

pid	process
2328	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

kvxgcmkcqmsk.exe

pid	process
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe
1724	kvxgcmkcqmsk.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

4307f050fdd98a39e1c38dc1d56abb4a_JaffaCakes118.exekvxgcmkcqmsk.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1728	4307f050fdd98a39e1c38dc1d56abb4a_JaffaCakes118.exe
Token: SeDebugPrivilege	1724	kvxgcmkcqmsk.exe
Token: SeIncreaseQuotaPrivilege	2800	WMIC.exe
Token: SeSecurityPrivilege	2800	WMIC.exe
Token: SeTakeOwnershipPrivilege	2800	WMIC.exe
Token: SeLoadDriverPrivilege	2800	WMIC.exe
Token: SeSystemProfilePrivilege	2800	WMIC.exe
Token: SeSystemtimePrivilege	2800	WMIC.exe
Token: SeProfSingleProcessPrivilege	2800	WMIC.exe
Token: SeIncBasePriorityPrivilege	2800	WMIC.exe
Token: SeCreatePagefilePrivilege	2800	WMIC.exe
Token: SeBackupPrivilege	2800	WMIC.exe
Token: SeRestorePrivilege	2800	WMIC.exe
Token: SeShutdownPrivilege	2800	WMIC.exe
Token: SeDebugPrivilege	2800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2800	WMIC.exe
Token: SeRemoteShutdownPrivilege	2800	WMIC.exe
Token: SeUndockPrivilege	2800	WMIC.exe
Token: SeManageVolumePrivilege	2800	WMIC.exe
Token: 33	2800	WMIC.exe
Token: 34	2800	WMIC.exe
Token: 35	2800	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1968	WMIC.exe
Token: SeSecurityPrivilege	1968	WMIC.exe
Token: SeTakeOwnershipPrivilege	1968	WMIC.exe
Token: SeLoadDriverPrivilege	1968	WMIC.exe
Token: SeSystemProfilePrivilege	1968	WMIC.exe
Token: SeSystemtimePrivilege	1968	WMIC.exe
Token: SeProfSingleProcessPrivilege	1968	WMIC.exe
Token: SeIncBasePriorityPrivilege	1968	WMIC.exe
Token: SeCreatePagefilePrivilege	1968	WMIC.exe
Token: SeBackupPrivilege	1968	WMIC.exe
Token: SeRestorePrivilege	1968	WMIC.exe
Token: SeShutdownPrivilege	1968	WMIC.exe
Token: SeDebugPrivilege	1968	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1968	WMIC.exe
Token: SeRemoteShutdownPrivilege	1968	WMIC.exe
Token: SeUndockPrivilege	1968	WMIC.exe
Token: SeManageVolumePrivilege	1968	WMIC.exe
Token: 33	1968	WMIC.exe
Token: 34	1968	WMIC.exe
Token: 35	1968	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

1284 iexplore.exe
1740 DllHost.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXEDllHost.exe

pid process

1284 iexplore.exe
1284 iexplore.exe
2356 IEXPLORE.EXE
2356 IEXPLORE.EXE
1740 DllHost.exe
1740 DllHost.exe

pid	process
1284	iexplore.exe
1740	DllHost.exe

pid	process
1284	iexplore.exe
1284	iexplore.exe
2356	IEXPLORE.EXE
2356	IEXPLORE.EXE
1740	DllHost.exe
1740	DllHost.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

4307f050fdd98a39e1c38dc1d56abb4a_JaffaCakes118.exekvxgcmkcqmsk.exeiexplore.exe

description	pid	process	target process
PID 1728 wrote to memory of 1724	1728	4307f050fdd98a39e1c38dc1d56abb4a_JaffaCakes118.exe	kvxgcmkcqmsk.exe
PID 1728 wrote to memory of 1724	1728	4307f050fdd98a39e1c38dc1d56abb4a_JaffaCakes118.exe	kvxgcmkcqmsk.exe
PID 1728 wrote to memory of 1724	1728	4307f050fdd98a39e1c38dc1d56abb4a_JaffaCakes118.exe	kvxgcmkcqmsk.exe
PID 1728 wrote to memory of 1724	1728	4307f050fdd98a39e1c38dc1d56abb4a_JaffaCakes118.exe	kvxgcmkcqmsk.exe
PID 1728 wrote to memory of 2056	1728	4307f050fdd98a39e1c38dc1d56abb4a_JaffaCakes118.exe	cmd.exe
PID 1728 wrote to memory of 2056	1728	4307f050fdd98a39e1c38dc1d56abb4a_JaffaCakes118.exe	cmd.exe
PID 1728 wrote to memory of 2056	1728	4307f050fdd98a39e1c38dc1d56abb4a_JaffaCakes118.exe	cmd.exe
PID 1728 wrote to memory of 2056	1728	4307f050fdd98a39e1c38dc1d56abb4a_JaffaCakes118.exe	cmd.exe
PID 1724 wrote to memory of 2800	1724	kvxgcmkcqmsk.exe	WMIC.exe
PID 1724 wrote to memory of 2800	1724	kvxgcmkcqmsk.exe	WMIC.exe
PID 1724 wrote to memory of 2800	1724	kvxgcmkcqmsk.exe	WMIC.exe
PID 1724 wrote to memory of 2800	1724	kvxgcmkcqmsk.exe	WMIC.exe
PID 1724 wrote to memory of 2328	1724	kvxgcmkcqmsk.exe	NOTEPAD.EXE
PID 1724 wrote to memory of 2328	1724	kvxgcmkcqmsk.exe	NOTEPAD.EXE
PID 1724 wrote to memory of 2328	1724	kvxgcmkcqmsk.exe	NOTEPAD.EXE
PID 1724 wrote to memory of 2328	1724	kvxgcmkcqmsk.exe	NOTEPAD.EXE
PID 1724 wrote to memory of 1284	1724	kvxgcmkcqmsk.exe	iexplore.exe
PID 1724 wrote to memory of 1284	1724	kvxgcmkcqmsk.exe	iexplore.exe
PID 1724 wrote to memory of 1284	1724	kvxgcmkcqmsk.exe	iexplore.exe
PID 1724 wrote to memory of 1284	1724	kvxgcmkcqmsk.exe	iexplore.exe
PID 1284 wrote to memory of 2356	1284	iexplore.exe	IEXPLORE.EXE
PID 1284 wrote to memory of 2356	1284	iexplore.exe	IEXPLORE.EXE
PID 1284 wrote to memory of 2356	1284	iexplore.exe	IEXPLORE.EXE
PID 1284 wrote to memory of 2356	1284	iexplore.exe	IEXPLORE.EXE
PID 1724 wrote to memory of 1968	1724	kvxgcmkcqmsk.exe	WMIC.exe
PID 1724 wrote to memory of 1968	1724	kvxgcmkcqmsk.exe	WMIC.exe
PID 1724 wrote to memory of 1968	1724	kvxgcmkcqmsk.exe	WMIC.exe
PID 1724 wrote to memory of 1968	1724	kvxgcmkcqmsk.exe	WMIC.exe
PID 1724 wrote to memory of 264	1724	kvxgcmkcqmsk.exe	cmd.exe
PID 1724 wrote to memory of 264	1724	kvxgcmkcqmsk.exe	cmd.exe
PID 1724 wrote to memory of 264	1724	kvxgcmkcqmsk.exe	cmd.exe
PID 1724 wrote to memory of 264	1724	kvxgcmkcqmsk.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

kvxgcmkcqmsk.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	kvxgcmkcqmsk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	kvxgcmkcqmsk.exe

C:\Users\Admin\AppData\Local\Temp\4307f050fdd98a39e1c38dc1d56abb4a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4307f050fdd98a39e1c38dc1d56abb4a_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\kvxgcmkcqmsk.exe
C:\Windows\kvxgcmkcqmsk.exe
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1724

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
3⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:2328

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1284

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1284 CREDAT:275457 /prefetch:2
4⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2356

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\KVXGCM~1.EXE
3⤵
- System Location Discovery: System Language Discovery
PID:264

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4307F0~1.EXE
2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2056

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ohmmo.html

Filesize
9KB

MD5
7007cbad50edf926a395898f92031e76

SHA1
034fc14fca9fa3a1ecb952c504f3f9fb09c56d20

SHA256
95283f89292926e6a102bc47bf864e122da1352a572d28cee476831fdbfc6815

SHA512
82fd1645c18bf28a369e7469b1105f130c654b6b0b78258e255a0c63deb8b2dbf03647872ae9d9088e9239515b6140438236d7295f3aebf6aed5599b01746a70

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ohmmo.png

Filesize
63KB

MD5
4ee29113a85772fb3048ff07f0b323ed

SHA1
7aab193c2448a7c2ba98668011e01371b972cdec

SHA256
fb2314b35d4bf3bc6e6e1b2158edbe0e8f99e0238a31938cb4b234ff7b0e0de5

SHA512
57dbf3bd89ea8648e8e1a3f740b56c2184027259acaf3bcbf71948e3c548d24a9d39fc1705d532a3cc4a5d6f9336a383ea23afd0dacd4f7f785d582461bfd6a9

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ohmmo.txt

Filesize
1KB

MD5
ccc240bf5c994d93c73b8b8e5a28418b

SHA1
160d231f418a21800bbc15c5afe0503e4988374c

SHA256
f82290e4a805f53fc3b8ec1727ecabe877764908bf8bd4cc6194035b09106ff0

SHA512
a557640831791817805a9d266a3ffe20e48db15d7889c82aa290648ed8024f0ee7415e279d84d9e855037621cdd741f87cfd73d82f4e99aadb5b2086387ca14f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
130754135d4a287661c7fe5d2acdccbc

SHA1
bac9e5a25cd3d0b65cd3bd4966672f2b2725040d

SHA256
18dc2ca75b4abed5895cdc14b74420cdc99defb080d9fccdcd324acc1598bfcd

SHA512
3c622f8623ea8005a6276702da7f2d07dc02dd335b12c59f7c12bcdfd38ded83afeaf4112d6596b5de01bb4a726c5cb792ee8c4dbcf9ba05cb2720558d37223e

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
ca338495be7aceb4c66ed2cf7f175d22

SHA1
5ce9589abb3694aeeeb63dcb802b4be7f7aafb0e

SHA256
006954e3eafe9afa09005da691893c4e0f4e315bb3cf4f24bc7c2013cf4bcfd0

SHA512
f0caadc42a93ddee1bbbcee68ea455a183b96db48b83ad9d575cf64dd17aceb2befe35a765d87dc4a21c3064ea34a0d60d4f1a45749ce1882ae31e95764976a7

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
e8f91f33c212a9a6aeeb92df92c0aea5

SHA1
3c7495c14414357e79530c3b83f669aba382c25d

SHA256
6b394a831fc612e14b76e72d20c99c4d10c3b240704bf13b02334626686bdf7c

SHA512
27de794f11423a9987cedfb87bcd4021bbd22b654170b1226e4a306999df664a7b3970afc840867845f1d71c83a2578a7ae93944d882bc33f2f71230a07ccfb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5339628fe95652d7056aaea0997e2880

SHA1
651a7c18dd4302f52824ac3ef391fd5e8af2e4c4

SHA256
3714bc24a31a2a1d35a0b31c4499854ce13e84b053b90fcc6da64c4ba0f5dc33

SHA512
138b2a3a394527a71768ce3ad777341d2c369e030e8558b922211bae68d0d4a98b320663da50409893ae67090221847ea61c3a2f2a8fbf7f9aabac122ed7dab7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf673908036c1818dfe566f98e460cf9

SHA1
a2ae2ba31294232e278efd92093a721b1550abeb

SHA256
d7475a02027c848ee647cb5b015d14425ea83e67655fbc97c4a11f1abd51701c

SHA512
bbc1f949a4a5931238333a01ff0f5aca9f02dd6df9ec4fa4e6e932d3088eda62c8ff091f0a5f7b838fb8f26755602ae0a8b12283f7d423be4468c9f68aa53b2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a72dfdee788bffb8c41e00590ff24ce

SHA1
381f99a3ebaa98fdea3a82dc741e9d1b486292d3

SHA256
e967d4dfd76041d937e6ea6ec5d25a582ed03fd4c3511556e9d16a684e4f507c

SHA512
176b7eb51df3da5c313a052a7a71db08dc3e4450d7b26e35079cf0ce88786ab2ec1679a9bb610c9f7834f6ceac1e5d1ace5c88168e945fbc93e6319c6cee487c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d41a00a94535cb0d0af7b9816ed0fd0

SHA1
c3b11eb98cd115ca62ca51e143489855aa9d4668

SHA256
aee5953e9f562a06b165b8e111770bebecc3a6a4c756e5d48a9c359745dc25c3

SHA512
43720bc4c0db2d576be5b691a074676f1d56613c559f6b549644c16276d8a360c51df292e859f0002207a40ba10f5c3628c218ed18071fca881eb6276bde3b0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aec8152e7df523c03378aceea4272fe2

SHA1
800b831d735052505480a652a421ad66e35cc902

SHA256
69adb33226977ef4b709764164e70733d8403dfcee163299d897ebde997a02f7

SHA512
1e2f52669522e091dbdb708dae885448ec52b477814452cf5d17d0e88abbb367a89ee6964f23e86afb23ae7be8a089ade85f2207440f208fedda2261c5a9f306

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0babbc3dba9ae322e806c64cbb43f9e1

SHA1
37d1460ba9970232a7e8534b5a31c00a83321468

SHA256
080e710cb0bc67c2769168cc44e0b95f9b28da8e17b2baaee3205ba0c39a4c74

SHA512
e94f01b27bc1665c30a43f09e4efa8125d40488d8adcb13f0c17f8d9c38c01767a311adfd0a9ea46850ccf75ca28c7d583b2ae06e90fecac42bf1fbf17789fb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4a6f1d40fdc726bc349b0a9137bd47f

SHA1
c9b9b4e5df414629cbc52faa2787b4ea402b1cd4

SHA256
66cbdd334008fba85297aaa83405514dda1352f7bf9c6092b9d5bbc57dfc4871

SHA512
de28e65c827194a4117cdb45af3bc1823d9cf86322cbe0f41a230931344ec0777875a81e80ab15ed95b871ae05a534b883c635fc2906b0c8d60d575b2f0c5dd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1388f803e1befaf26ac2bebecd061ca

SHA1
4f158993ecb3fd11412031427d4553c4b447cf9e

SHA256
8343c39d1bf8d7a580f279c62fb125ae4f4d74c2a78207ef5e4d9d246484fc50

SHA512
1067194702422a02b1c7dbf78325e6df22cb6eb921cdc446ca52ce9a1da42011e89218eaa42c72601bd81f66e17005fbf8a9e481f2717fcd12d1f507f05d0944

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d7046067d1a5a5d013a27a0390c049e0

SHA1
9a9c27a53a175044ae056fecda3d52cd34b0b769

SHA256
c3f7ce142b94ebb26dc9d0d93f69aecddf8990ca17b2b5935846a94a38c6e509

SHA512
3edef61a6e2823d7d0ac7fb43c363598deb75778a7f27a99292959ceec899f1385841fb3d79f7ca38f941dba4a704eb38a4a25f7577bdc8dfd0ca6e9c222bb79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6dc98ae5208011b6f3f45ffbeceaf110

SHA1
98f5e8c7494a4799ad08ef09a0e3a18dcf94bc86

SHA256
998add5383f19003df0c61f3881b520a692788b11be451b3dc1a3cce6dbaa235

SHA512
cb5b932a1e92fbda84c6f24d0abb933a66fb11169c6bf3336b201816193dcd4c1d3d08e1d18e4cda3d2a93f5d5c30db8ee670d0a27ff9e90c927001b917c1f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7091.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7092.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\kvxgcmkcqmsk.exe

Filesize
329KB

MD5
4307f050fdd98a39e1c38dc1d56abb4a

SHA1
ae3489b94b4a396c82e966de39e49974e84d432c

SHA256
3fd9b1adcb7a64a0ef8d47423bcf984a02b8a7b96fb3467a09d278385a1080e3

SHA512
9a55a3109f4fba4270f1c13ba37cf7d8a7114a9bd93c11c3b3f59c02d544c708e3ff55f804497d6cb416dc4fc792f21d18901e0cc17f9369736d805d73fc648b

Download Submit
memory/1724-3755-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1724-5542-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1724-5889-0x0000000001DD0000-0x0000000001DD2000-memory.dmp

Filesize
8KB

Download
memory/1724-4657-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1724-5893-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1724-2680-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1724-1787-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1724-10-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1724-1018-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1724-728-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1724-6034-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1724-460-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1728-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1728-1-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1728-0-0x0000000001CC0000-0x0000000001CEE000-memory.dmp

Filesize
184KB

Download
memory/1728-9-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1728-8-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1740-5890-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download