teslacrypt | f8ca5b6292d40161f56b244b642279e216cbb5aa55fec58c40ec8113b01db710

Analysis

max time kernel
112s
max time network
112s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91330d07fcc97e162180ba8126bfc7ee_JaffaCakes118.exe
Size

424KB
MD5

91330d07fcc97e162180ba8126bfc7ee
SHA1

97aa11b5eeebf25a068f6fa431543b1547285fa0
SHA256

f8ca5b6292d40161f56b244b642279e216cbb5aa55fec58c40ec8113b01db710
SHA512

3b1d559771580365e71b49ea91ebbfc4dced753087b7c70a7a706b16bde4b17dd38f5a2dbe33000df4dfa0a3cdcdebb336e6551ad089bb196efd964eee06522c
SSDEEP

12288:oj6qMoki2//HuarKqen05/QexvmBG3zbblCJxfS6:ojPQ/HdQoq2fOR1

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+ovqui.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/6A98EC93AC99563 2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/6A98EC93AC99563 3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/6A98EC93AC99563 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/6A98EC93AC99563 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/6A98EC93AC99563 http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/6A98EC93AC99563 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/6A98EC93AC99563 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/6A98EC93AC99563

URLs

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/6A98EC93AC99563

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/6A98EC93AC99563

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/6A98EC93AC99563

http://xlowfznrg4wf7dli.ONION/6A98EC93AC99563

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (428) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2672	cmd.exe

Drops startup file 6 IoCs

Processes:

apmgbehgbfpv.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+ovqui.html	apmgbehgbfpv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+ovqui.png	apmgbehgbfpv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+ovqui.txt	apmgbehgbfpv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+ovqui.html	apmgbehgbfpv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+ovqui.png	apmgbehgbfpv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+ovqui.txt	apmgbehgbfpv.exe

Executes dropped EXE 1 IoCs

Processes:

apmgbehgbfpv.exe

pid	Process
2752	apmgbehgbfpv.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

apmgbehgbfpv.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynfvlaaimblq = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\apmgbehgbfpv.exe\""	apmgbehgbfpv.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

Processes:

apmgbehgbfpv.exe

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\_RECoVERY_+ovqui.html	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\de-DE\_RECoVERY_+ovqui.png	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_PT\_RECoVERY_+ovqui.txt	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DissolveAnother.png	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\720x480blacksquare.png	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Internet Explorer\_RECoVERY_+ovqui.txt	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\en-US\_RECoVERY_+ovqui.png	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\_RECoVERY_+ovqui.png	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\settings.js	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_RECoVERY_+ovqui.txt	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\_RECoVERY_+ovqui.html	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\_RECoVERY_+ovqui.png	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Windows Journal\es-ES\_RECoVERY_+ovqui.html	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonIcon.png	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\_RECoVERY_+ovqui.txt	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\_RECoVERY_+ovqui.png	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\_RECoVERY_+ovqui.png	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\_RECoVERY_+ovqui.html	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\_RECoVERY_+ovqui.txt	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\_RECoVERY_+ovqui.txt	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\_RECoVERY_+ovqui.txt	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\_RECoVERY_+ovqui.html	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\_RECoVERY_+ovqui.png	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\drag.png	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\33.png	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\_RECoVERY_+ovqui.html	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\add_up.png	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile16.png	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\_RECoVERY_+ovqui.txt	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\settings.js	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\_RECoVERY_+ovqui.png	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\vintage.png	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\_RECoVERY_+ovqui.png	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\_RECoVERY_+ovqui.txt	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\_RECoVERY_+ovqui.html	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_dot.png	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\_RECoVERY_+ovqui.html	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\_RECoVERY_+ovqui.png	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\_RECoVERY_+ovqui.png	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\_RECoVERY_+ovqui.txt	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_RECoVERY_+ovqui.txt	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\mainimage-mask.png	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\_RECoVERY_+ovqui.html	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\_RECoVERY_+ovqui.html	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\_RECoVERY_+ovqui.txt	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_RECoVERY_+ovqui.txt	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_lrg_sml.png	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\_RECoVERY_+ovqui.png	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\_RECoVERY_+ovqui.txt	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_left.png	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_over.png	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\_RECoVERY_+ovqui.html	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\en_GB\_RECoVERY_+ovqui.txt	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\_RECoVERY_+ovqui.txt	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\drag.png	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_rest.png	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\_RECoVERY_+ovqui.txt	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_RECoVERY_+ovqui.html	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_RECoVERY_+ovqui.png	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\_RECoVERY_+ovqui.txt	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\clock.js	apmgbehgbfpv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\slideShow.css	apmgbehgbfpv.exe

Drops file in Windows directory 2 IoCs

Processes:

91330d07fcc97e162180ba8126bfc7ee_JaffaCakes118.exe

description	ioc	Process
File created	C:\Windows\apmgbehgbfpv.exe	91330d07fcc97e162180ba8126bfc7ee_JaffaCakes118.exe
File opened for modification	C:\Windows\apmgbehgbfpv.exe	91330d07fcc97e162180ba8126bfc7ee_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

91330d07fcc97e162180ba8126bfc7ee_JaffaCakes118.exeapmgbehgbfpv.execmd.exeNOTEPAD.EXEDllHost.exeIEXPLORE.EXEcmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91330d07fcc97e162180ba8126bfc7ee_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apmgbehgbfpv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438565342"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3C9A3901-A9F0-11EF-AA9E-527E38F5B48B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80962911fd3ddb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d9070000000002000000000010660000000100002000000039a70586d0b102ec65d9a4cc1abcfb116f5a804d7717fe50acbb8ba0eca7027b000000000e80000000020000200000001ff967745778abe92f6a685d2acd7c74df769b59864a1776a1aa67bf044845439000000085d68834abb7abd1738031b7e8a2fccfab2044657eb048f1c4520c73ef3cda33076eb9ff01e7bc14d486f3300dbcfd96c629b2b3728e23a8278f1dcf3a4f6dca5ffd1120534f7021dade96ba7c4232cabe0943d8dee3b6da97364d0106d18c5049fa2d7632084b798337a1b0fdb5cdbde16f8aadef7d3f749b507d942b91b87947daae180f6d4c2b8276cf986a5a7ad940000000466026a32a4d9b4906cb31f10a6d8ddb3a92823d594f7f26f1617a9c4eb84887e81fef4580df0ca9a783b5e2699666e85f874deaf2bcf9cc85fdede183c99696	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d907000000000200000000001066000000010000200000000366dd19c4d9964cc1c169076e7a4de980577c7fb29db68b41ba5af42ba77d43000000000e8000000002000020000000ccbf3d1bccb397e90ddf094a64748454cce9b348d65e8d18ec7e93e1e28a6f9c200000006d07c04ac493c2a6e4a4f21710e0fc5a5ca4c8e4b3b3fb9f64bbe9c18ad285564000000048c808189528838d553ddaba677fb2346bf9e8b2e4b0aa4c30a66a70d7514c096fb907c5d81b7212a7081a6bd05066889c347911d06b48e8a4caa961d9e4a635	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
580	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

apmgbehgbfpv.exe

pid	Process
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe
2752	apmgbehgbfpv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

91330d07fcc97e162180ba8126bfc7ee_JaffaCakes118.exeapmgbehgbfpv.exeWMIC.exevssvc.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	2400	91330d07fcc97e162180ba8126bfc7ee_JaffaCakes118.exe
Token: SeDebugPrivilege	2752	apmgbehgbfpv.exe
Token: SeIncreaseQuotaPrivilege	1804	WMIC.exe
Token: SeSecurityPrivilege	1804	WMIC.exe
Token: SeTakeOwnershipPrivilege	1804	WMIC.exe
Token: SeLoadDriverPrivilege	1804	WMIC.exe
Token: SeSystemProfilePrivilege	1804	WMIC.exe
Token: SeSystemtimePrivilege	1804	WMIC.exe
Token: SeProfSingleProcessPrivilege	1804	WMIC.exe
Token: SeIncBasePriorityPrivilege	1804	WMIC.exe
Token: SeCreatePagefilePrivilege	1804	WMIC.exe
Token: SeBackupPrivilege	1804	WMIC.exe
Token: SeRestorePrivilege	1804	WMIC.exe
Token: SeShutdownPrivilege	1804	WMIC.exe
Token: SeDebugPrivilege	1804	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1804	WMIC.exe
Token: SeRemoteShutdownPrivilege	1804	WMIC.exe
Token: SeUndockPrivilege	1804	WMIC.exe
Token: SeManageVolumePrivilege	1804	WMIC.exe
Token: 33	1804	WMIC.exe
Token: 34	1804	WMIC.exe
Token: 35	1804	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1804	WMIC.exe
Token: SeSecurityPrivilege	1804	WMIC.exe
Token: SeTakeOwnershipPrivilege	1804	WMIC.exe
Token: SeLoadDriverPrivilege	1804	WMIC.exe
Token: SeSystemProfilePrivilege	1804	WMIC.exe
Token: SeSystemtimePrivilege	1804	WMIC.exe
Token: SeProfSingleProcessPrivilege	1804	WMIC.exe
Token: SeIncBasePriorityPrivilege	1804	WMIC.exe
Token: SeCreatePagefilePrivilege	1804	WMIC.exe
Token: SeBackupPrivilege	1804	WMIC.exe
Token: SeRestorePrivilege	1804	WMIC.exe
Token: SeShutdownPrivilege	1804	WMIC.exe
Token: SeDebugPrivilege	1804	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1804	WMIC.exe
Token: SeRemoteShutdownPrivilege	1804	WMIC.exe
Token: SeUndockPrivilege	1804	WMIC.exe
Token: SeManageVolumePrivilege	1804	WMIC.exe
Token: 33	1804	WMIC.exe
Token: 34	1804	WMIC.exe
Token: 35	1804	WMIC.exe
Token: SeBackupPrivilege	1128	vssvc.exe
Token: SeRestorePrivilege	1128	vssvc.exe
Token: SeAuditPrivilege	1128	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1616	WMIC.exe
Token: SeSecurityPrivilege	1616	WMIC.exe
Token: SeTakeOwnershipPrivilege	1616	WMIC.exe
Token: SeLoadDriverPrivilege	1616	WMIC.exe
Token: SeSystemProfilePrivilege	1616	WMIC.exe
Token: SeSystemtimePrivilege	1616	WMIC.exe
Token: SeProfSingleProcessPrivilege	1616	WMIC.exe
Token: SeIncBasePriorityPrivilege	1616	WMIC.exe
Token: SeCreatePagefilePrivilege	1616	WMIC.exe
Token: SeBackupPrivilege	1616	WMIC.exe
Token: SeRestorePrivilege	1616	WMIC.exe
Token: SeShutdownPrivilege	1616	WMIC.exe
Token: SeDebugPrivilege	1616	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1616	WMIC.exe
Token: SeRemoteShutdownPrivilege	1616	WMIC.exe
Token: SeUndockPrivilege	1616	WMIC.exe
Token: SeManageVolumePrivilege	1616	WMIC.exe
Token: 33	1616	WMIC.exe
Token: 34	1616	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid	Process
2008	iexplore.exe
1156	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXEDllHost.exe

pid	Process
2008	iexplore.exe
2008	iexplore.exe
1736	IEXPLORE.EXE
1736	IEXPLORE.EXE
1156	DllHost.exe
1156	DllHost.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

91330d07fcc97e162180ba8126bfc7ee_JaffaCakes118.exeapmgbehgbfpv.exeiexplore.exe

description	pid	Process	procid_target
PID 2400 wrote to memory of 2752	2400	91330d07fcc97e162180ba8126bfc7ee_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2752	2400	91330d07fcc97e162180ba8126bfc7ee_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2752	2400	91330d07fcc97e162180ba8126bfc7ee_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2752	2400	91330d07fcc97e162180ba8126bfc7ee_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2672	2400	91330d07fcc97e162180ba8126bfc7ee_JaffaCakes118.exe	31
PID 2400 wrote to memory of 2672	2400	91330d07fcc97e162180ba8126bfc7ee_JaffaCakes118.exe	31
PID 2400 wrote to memory of 2672	2400	91330d07fcc97e162180ba8126bfc7ee_JaffaCakes118.exe	31
PID 2400 wrote to memory of 2672	2400	91330d07fcc97e162180ba8126bfc7ee_JaffaCakes118.exe	31
PID 2752 wrote to memory of 1804	2752	apmgbehgbfpv.exe	33
PID 2752 wrote to memory of 1804	2752	apmgbehgbfpv.exe	33
PID 2752 wrote to memory of 1804	2752	apmgbehgbfpv.exe	33
PID 2752 wrote to memory of 1804	2752	apmgbehgbfpv.exe	33
PID 2752 wrote to memory of 580	2752	apmgbehgbfpv.exe	40
PID 2752 wrote to memory of 580	2752	apmgbehgbfpv.exe	40
PID 2752 wrote to memory of 580	2752	apmgbehgbfpv.exe	40
PID 2752 wrote to memory of 580	2752	apmgbehgbfpv.exe	40
PID 2752 wrote to memory of 2008	2752	apmgbehgbfpv.exe	41
PID 2752 wrote to memory of 2008	2752	apmgbehgbfpv.exe	41
PID 2752 wrote to memory of 2008	2752	apmgbehgbfpv.exe	41
PID 2752 wrote to memory of 2008	2752	apmgbehgbfpv.exe	41
PID 2008 wrote to memory of 1736	2008	iexplore.exe	43
PID 2008 wrote to memory of 1736	2008	iexplore.exe	43
PID 2008 wrote to memory of 1736	2008	iexplore.exe	43
PID 2008 wrote to memory of 1736	2008	iexplore.exe	43
PID 2752 wrote to memory of 1616	2752	apmgbehgbfpv.exe	44
PID 2752 wrote to memory of 1616	2752	apmgbehgbfpv.exe	44
PID 2752 wrote to memory of 1616	2752	apmgbehgbfpv.exe	44
PID 2752 wrote to memory of 1616	2752	apmgbehgbfpv.exe	44
PID 2752 wrote to memory of 2572	2752	apmgbehgbfpv.exe	47
PID 2752 wrote to memory of 2572	2752	apmgbehgbfpv.exe	47
PID 2752 wrote to memory of 2572	2752	apmgbehgbfpv.exe	47
PID 2752 wrote to memory of 2572	2752	apmgbehgbfpv.exe	47

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

apmgbehgbfpv.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	apmgbehgbfpv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	apmgbehgbfpv.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\91330d07fcc97e162180ba8126bfc7ee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\91330d07fcc97e162180ba8126bfc7ee_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\apmgbehgbfpv.exe
  C:\Windows\apmgbehgbfpv.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2752
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1804
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:580
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2008 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1736
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\APMGBE~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2572
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\91330D~1.EXE
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2672

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+ovqui.html

Filesize
8KB

MD5
b5a1e1937f436fd2d928e6d7c007eb9a

SHA1
71348b7008cbbeab34f3e1dea63a346e94bef365

SHA256
bb15e304cdd8eeba637fd23731785f0e8b550410a2bedd0a2010a378878ab7aa

SHA512
61192d17763d2e4ec0f15085f67044e360a0c83e414cd375c41da5e95a1b7f2a7bf02e71506c7c0e5efc912b2b34be3c00f976112553a0fffcf20a9bd441a6e2

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+ovqui.png

Filesize
65KB

MD5
9a9cf569fad20c66f89286eca61a924d

SHA1
541b558c329e3664d1387f132f727186adfdf1b7

SHA256
2c11b9b31e8bd8ff91ae52e32247ea0b05af4ce23e85ec453d559120a7b118db

SHA512
90d8aca1f9f1f462a1aee7d8a70bcff64f7fa7ce7e984b215c318d15ec0b0e742f4acb26faf24af45e5469c4ee3f22a7f6a4c8cfb325897d3194ac498aa17fba

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+ovqui.txt

Filesize
1KB

MD5
2d4903a5a20815df5b43639bc71e5b66

SHA1
09f69fff985b83abc8ebec857c54d0a0d11aa790

SHA256
468d969f7216c8372367e45d001c8daa6f38e83227725628afbf5c40ee8d4f2d

SHA512
64d9799cf263af7298726a86fe1a01ca4042fa75a555cda15e7fc4f3656c67e0e9a90f740f05fd40f78733520cda870bb4de1f6d5e9873961ad41a80b6a83578

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
6c50eb65251a8213f6619a366a1120a6

SHA1
2fbfa62d3a64c4712b84085384b7125fa57b38c0

SHA256
c11a8f2ea17db7de8bf9e297dc15bace31c673ee5082005ca0e6d9709e278a0a

SHA512
fdcddf672bf5403209deba5f6592cdee05b5bec80700fc00f417f2526ba616b9ed1bde420ea19a88aacdac340ab34cf2cf5b846f2c5bdc3f2a5d41bcef2c305b

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
262052cbbe2fab5fc199eb6a11034300

SHA1
82100f08c4696ded471389dee31fafea4064d9b2

SHA256
ff11d976418f7869e2dbc4921d66b72840a06af995dbeeb5234348a615e0734f

SHA512
b10842983f834f7ce9f0a94201543d17e21a6bac18b2b17d8bd356205371dbae68b9fd2de9df4662b61358fea67180b842d34aa41d90d7de30f7e5bc4acf46c6

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
ab1ff4f3dd39ab79c354aa350e0b1eb2

SHA1
f02863970e55d7494551444cb8d954ca2558767f

SHA256
bbff5c47310f28ff8d66c75b59f89066b43122ec055f38aba88b757500c0bb91

SHA512
374528ee3f8dc2f0d05e17b2032dcb017af1e28e4c2e312bc1fbc71aaf6ef5f4c25ef11fdea210b578e4dd4412582102d82eaff8f2a5c062e13562fae01ec15c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34c7664052db894b5e027c3ff432cea1

SHA1
565640ffc8a7ed0f6d18c0d7896f2c524e3511b6

SHA256
13b21365c8fedeb0ae1811e5668c7a0a0e3d5feab1e89a0eb9ea6afdc76b63b9

SHA512
18985c5b05b0f4f3f16c8c4ab925ed7baa25a1abb8480ec2a838512e75b1448a7a46edba2e4d1db0e4eda66433a9afb0c09d6d6cc39f64c6366b24850762f954

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6743fea3698b02337455902c1b73cca1

SHA1
306c1b67aa4ae4cdb2f9449f4e07af03d9d87753

SHA256
df574901d76e4c5e5f0396f3c6ade38d5974f1c5f5b7981408116d311ba73161

SHA512
94fbf42cee1c2c094823d0488dca3be3729504f7634be30666fe3671a8acb9e59114d639d162fb2de6dfaa8a9309af8c9515d28178d444d6893f0373d3cdedea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e844b30f182ed69114594c9a2b6aad70

SHA1
eb8d6de975b37f550f4b9a194f797194072c5c24

SHA256
d518321a09fa7a2cc65d79f28aff773591777a918126f2053741ad1a2105fdc6

SHA512
8d51b139569783092ecd4d8483e3f1a95e9cb47abd2b8a8f14fa5b8e5e9ae2a88c8dd23dc12aaf2c6dea607bfe36eb2da61fd7f9b04506e30af3d1ba4ff2c5ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6476282a14fb5761c2d1b3fb983cdc8b

SHA1
8e3f7fe960b2a3a34f1d9c6047af8e1f7c50cca1

SHA256
79561cea66f5d3c5cd030b52fa686c764ee095075d6a9aa88c61aedce053ae2a

SHA512
100df80db9f430464283f83a5c5f033e5c3f1e24108fa3c4cabc66ccc94b59b854310abe2453805c653f9567ed1c36f459231f7b3911df70a4808e34d9f5b951

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3e76a989b0146864b5e6c81399e1a22

SHA1
3a406208fd411a021c6ea7aa415f239773c8981e

SHA256
d5e9b86362e1a8c85ec5a991ad422c437c7911c14aa2f2d721a45328b28545c3

SHA512
27bc6cb703c340393ada08e9acbd7af4d7d6bce7c179ada1a083538e91febbaa2625e8af9aa193c1023d431dd7ae2b5bd8406cdf68c667d0e4bc3ac01c634731

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aee63eac7fe420bcb08ea45c7f4e7dd8

SHA1
9eeb05567208092a91f2b32e9f630b1c3b718a6b

SHA256
9c04397e0dde3460542d84fff4f83712c3cc23af012f0cafbb1d53c1defd1f2b

SHA512
e6094b1006bd09961f5611242db1563824cd4fb38e17586e76d69b6aa0320d33fe207d3a58f77019816438f1d48ef87fce0d3148467fc331651233d989b8ca11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14c481ffb14a8c660a36582ef5fdd410

SHA1
003c4f94386bc864cde406b47896cb6162d17fe5

SHA256
ef6cae9d7ab537f3e741fa1ecbcc35f373355df54acf9428a94fdf02c98f4c93

SHA512
685400f1cc9daee162768a1a04a673c460734d1e44c59ad1660dcfd07140cebd8cc1aa0f879dbc281ceb10dadf7c2ba35fc74ba2624763342ea1dfaa979d899d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2447c18d3c46579bc331d7ce64e4abb0

SHA1
474a0f3528cab0fd3f799f70c735252441fc1fb1

SHA256
b589efc485e00bea202eb97967cd40e284f38dc5b4f64044938a3c39c51fb221

SHA512
b013d3a90f96cfc4ca9879885657aa1dd6cb46240354764948dbc30d5695e93b8b08cc18d25efd19d3c6f81ed5c7dcd6adf57d99080fab38fbee98d94f517b7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6152346cffd23ef6c27fa8486bc93f4b

SHA1
cd3e67048e9ccacc55728a10e6f8bb9ab9e601e9

SHA256
baf903340b8dd6386f2315039c6b3b9dfe67a126644b6b6f96a5eed08fa93ca2

SHA512
79dc127d786da738143bf94d16221a87359a02731a3c8101d296161f6777eb5c68809e4abbcf65bb26507e6a4f5557f059c7e8bebe8b3d05b85726ce89b2b8e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4bbcb7660fcece957e09c2d69140a713

SHA1
e331e64a5f8568f04435e060460bf7993711c66e

SHA256
8f41c13c6d003742771484cac501a3e7d2057672f8f64fe03f6ad216546edbd0

SHA512
198c1136890e593d1c9732fdfd5ac70db6e818d2f521baf2c083446c3dc847a92e964c705762ff20294e5d42861c7ac48edfd2cae9486d6167206e65b62d2225

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cdacde5ea40740070b26472648bfadb0

SHA1
4a6962711b7caec3b7d163e4de1551f24967d144

SHA256
c19f179b86cad360706ebfe7bd400903e040cfa9013b18ddf8d8764a6cbe83c3

SHA512
de0c08469313277d78c875f3f2e63911b905e60257d4dcdaa1839ec814a82c6e2f5ef07959f965db2003741b0feb0d12488113ba3a7d95198e239af2a5ec9827

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f531d25f423dacc5bfa1e892ffa7f268

SHA1
f4bc12a7393fe5d34770937b6096009b64d7c125

SHA256
ffd434882378b9ff4208d5c586ba4652ea78e5ef4ee7561d58aa274bd07a5916

SHA512
959396d371e7f32a3c729fab104bb4becb626b33ff57a4b80442b086d863fc9b449828088b64c2e853ef5a759c9befdee92da8467e9dca17f88e416413a2d012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c61723434cf3ae25b71ca75f522f2d91

SHA1
6b68df880721edeaa9f44f0f8521986196f374c9

SHA256
03d13751bcb31c93f5c1aa023c94e448e6bacc7911015a41e6c850dac98df5fc

SHA512
763730fb31cc10575d1a768021b62708e3f5407fa53f0049f9c78ea7a79d39401c336a16140ef1829e68233d27a853a763cf4622dfde81609525dad9017e1c44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c56b3593dd1c5f2d51a5d086774de938

SHA1
8a4ea03431658afbbe71da0c959e8234a9ed35cb

SHA256
aa17ecbc27cc947d0f8eb7f4f0a75b8722ef1c2fd7d502c1e3499ada11213d8c

SHA512
2545e7f766e59bf569d4262bd67860561edff4be420baf44b09f41b49da95d64bf9908fbcd020ad8e64b3fc989cfe67af0768417ab6c81e32bc7860ab9c9ba38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b64b37dd2118743168c2e44a0e3aa8e9

SHA1
790cde8e9c74a1db2c07675ecdaff74094c4fefc

SHA256
e1b1fe160b391d05810848fb24a42fc09a39ee0a331cf6cae927cef4dc4db5f6

SHA512
0e9f88c32d82edd0fa4fdeacbdff8be2efdf8c4f9e09339abcdb728574fe95588defdca9ce48375673ed6d744f11e481b023c2e75de7610ea880f11ab12c4d05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a59cd5268774230ba81cd4f3e6dd6b5

SHA1
339d44573ce08ec1ffbdbfd5eeadba3a74d18551

SHA256
32b6609473ab7403911d2d7e805bdeabccab22d432c1f7ff40f05f11612cac4d

SHA512
f6507cd3ea3c204f344114c0b9b91a0863a255bd6148c400fd278b2ad53010e95b3f1f0d5166330ce8c749322111c541bfeee826b0d3253924f9b5edbf970f24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81d044d0ca624d7a07d41ba4492e8229

SHA1
d76fbd3c05c1db4e0c0bacb0a73082d94974ffd8

SHA256
f9152cf0155811dd9f114698cb3122166010074fcff8657375564085a951d481

SHA512
7ced51a67e426ed35c53c85a2abd9edab9c0749ce67f390d888c210d8ba147819fed7d4b998f1ddd039e5b4476a5a241799ab6a5559beae73736315f56c33fb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a1d2ff219adeed9e175804bdcf2e845

SHA1
0d101e7fae32d3fa7c4a60aa16d75ed90576efea

SHA256
83d4d173e3e16e8f2c318406ff0340ce02cf0d04d7d3408c0bb9e9aa3d167680

SHA512
28278d620d0de3d3b47feec45dfd94f7e19f6f30479109623695ecdc92fb798505b8a3e8411731c139b201efd0368504554821aabe0dee88772ee353c4fccd69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4bcbce6b2543fc4c6b7180b0876157c9

SHA1
1fd2c96c99069cc0259beb18de0aa117321a0f3a

SHA256
8822e1f3b29f6c3cd2773b3d6b51a507aa81ad5c7d34d1c55167031f8a1d6068

SHA512
ea401a8393e50d0ab1bdbe8524e56d769ab7d6b54cb85d61e200708e2928f3bd5551cc441556b901084665a84d42f757972da2df144ca044e8253365f0f39d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDA2B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDA9C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\apmgbehgbfpv.exe

Filesize
424KB

MD5
91330d07fcc97e162180ba8126bfc7ee

SHA1
97aa11b5eeebf25a068f6fa431543b1547285fa0

SHA256
f8ca5b6292d40161f56b244b642279e216cbb5aa55fec58c40ec8113b01db710

SHA512
3b1d559771580365e71b49ea91ebbfc4dced753087b7c70a7a706b16bde4b17dd38f5a2dbe33000df4dfa0a3cdcdebb336e6551ad089bb196efd964eee06522c

Download Submit
memory/1156-6085-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2400-12-0x00000000020C0000-0x0000000002144000-memory.dmp

Filesize
528KB

Download
memory/2400-1-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2400-0-0x00000000020C0000-0x0000000002144000-memory.dmp

Filesize
528KB

Download
memory/2400-11-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2752-5131-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2752-13-0x0000000002100000-0x0000000002184000-memory.dmp

Filesize
528KB

Download
memory/2752-6246-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2752-14-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2752-1856-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2752-1857-0x0000000002100000-0x0000000002184000-memory.dmp

Filesize
528KB

Download
memory/2752-6088-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2752-6084-0x00000000034E0000-0x00000000034E2000-memory.dmp

Filesize
8KB

Download