teslacrypt | 4a015db95a1e6db8123e4b21dfe56e34fabf570261b6d2a0a11c0abb282a3363

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d818966749acd83dc9fa5d73d5a47f2e_JaffaCakes118.exe
Size

424KB
MD5

d818966749acd83dc9fa5d73d5a47f2e
SHA1

4c3a30cd2c8c396ff90aa4ebcba63d89a9cfce50
SHA256

4a015db95a1e6db8123e4b21dfe56e34fabf570261b6d2a0a11c0abb282a3363
SHA512

1fde3f7a05b877184a4676db15e6c4ae6efb8847dacb4226887b9f67097996e0533e2eb7b7aab11d3cbe902f8abc7b75ab4981e2b4cd115051c4a89d2d9fc446
SSDEEP

6144:BsPAYJDo2magV+8GUEmGM41DwAHQmjdN1AUL0yogLpWPoXbftChXW3AxfulDGgB:ep808fEmLqDwAJjpA+E+blCJxfS6

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+mnjok.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/7BEB6AA3F8CB1E10 2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/7BEB6AA3F8CB1E10 3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/7BEB6AA3F8CB1E10 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/7BEB6AA3F8CB1E10 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/7BEB6AA3F8CB1E10 http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/7BEB6AA3F8CB1E10 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/7BEB6AA3F8CB1E10 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/7BEB6AA3F8CB1E10

URLs

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/7BEB6AA3F8CB1E10

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/7BEB6AA3F8CB1E10

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/7BEB6AA3F8CB1E10

http://xlowfznrg4wf7dli.ONION/7BEB6AA3F8CB1E10

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (414) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2676	cmd.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+mnjok.png	jlmbxtjxicmi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+mnjok.txt	jlmbxtjxicmi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+mnjok.html	jlmbxtjxicmi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+mnjok.png	jlmbxtjxicmi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+mnjok.txt	jlmbxtjxicmi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+mnjok.html	jlmbxtjxicmi.exe

Executes dropped EXE 1 IoCs

pid	Process
2680	jlmbxtjxicmi.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\brarohisvmxt = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\jlmbxtjxicmi.exe\""	jlmbxtjxicmi.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\_RECoVERY_+mnjok.txt	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_SelectionSubpicture.png	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\_RECoVERY_+mnjok.html	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\_RECoVERY_+mnjok.png	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\_RECoVERY_+mnjok.html	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\_RECoVERY_+mnjok.png	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\_RECoVERY_+mnjok.html	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\_RECoVERY_+mnjok.html	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_RECoVERY_+mnjok.txt	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\_RECoVERY_+mnjok.txt	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\_RECoVERY_+mnjok.txt	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\_RECoVERY_+mnjok.png	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\_RECoVERY_+mnjok.png	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\_RECoVERY_+mnjok.png	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_RECoVERY_+mnjok.png	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\_RECoVERY_+mnjok.txt	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\_RECoVERY_+mnjok.html	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\_RECoVERY_+mnjok.png	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\_RECoVERY_+mnjok.txt	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\sd\_RECoVERY_+mnjok.png	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\_RECoVERY_+mnjok.txt	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\_RECoVERY_+mnjok.png	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\_RECoVERY_+mnjok.png	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\_RECoVERY_+mnjok.txt	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\_RECoVERY_+mnjok.png	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Mozilla Firefox\_RECoVERY_+mnjok.png	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\slideshow_glass_frame.png	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_hov.png	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\travel.png	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\_RECoVERY_+mnjok.txt	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_RECoVERY_+mnjok.png	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\_RECoVERY_+mnjok.png	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\_RECoVERY_+mnjok.html	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\_RECoVERY_+mnjok.txt	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_RECoVERY_+mnjok.png	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_foggy.png	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_selectionsubpicture.png	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_SelectionSubpicture.png	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pl.pak	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\_RECoVERY_+mnjok.txt	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\_RECoVERY_+mnjok.png	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\_RECoVERY_+mnjok.html	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\_RECoVERY_+mnjok.html	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner.png	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\icon.png	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\highDpiImageSwap.js	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_ButtonGraphic.png	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\_RECoVERY_+mnjok.html	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_RECoVERY_+mnjok.html	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\_RECoVERY_+mnjok.png	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\_RECoVERY_+mnjok.txt	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_right.png	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_hov.png	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ms.pak	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\_RECoVERY_+mnjok.html	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\settings.css	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_hover.png	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Common Files\System\ado\_RECoVERY_+mnjok.png	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\_RECoVERY_+mnjok.txt	jlmbxtjxicmi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\_RECoVERY_+mnjok.txt	jlmbxtjxicmi.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\jlmbxtjxicmi.exe	d818966749acd83dc9fa5d73d5a47f2e_JaffaCakes118.exe
File opened for modification	C:\Windows\jlmbxtjxicmi.exe	d818966749acd83dc9fa5d73d5a47f2e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d818966749acd83dc9fa5d73d5a47f2e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jlmbxtjxicmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a5c3bc048bd974f9a92e4a2029ba007000000000200000000001066000000010000200000002439e989bf337c2dcc1597e85b54ef67183b06e4dbc186af02156e0fc91d434a000000000e8000000002000020000000215db241930f3a5d340a6f8a633193d948130e561824350dd5dbf7d441b1819b90000000998bce10887573bc4d59c0a581c12ea5869106cd39c644d7332a1fbccc51a7c3446ded9a28161d0271bbf93685c7f37989711498f19fc010eda1abac9a8713ac6d1c240f0335bc483d67350be08613b72e68a3344ba1d0b3d8f9370802dab42e32da9e2b7f31be2197de0d83a33e8f08847ba26b1ff32356ff224417973fcb456ce7809d61afc8392cf224c60e9fd7ea40000000bb05106aedb74994f238b27b2bc43fbcd2c5b3d2c3ac28e7bfe6df7d5ccdd01f93584392a05ae8eec4eedfbc8d05291be1efc8749c5e4e48c72cdf99fe84b6ca	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439839251"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a5c3bc048bd974f9a92e4a2029ba007000000000200000000001066000000010000200000006dfec59e22153cd1ea23ce66eb6b54c2c6920202054f8959cfdb230b35da8a83000000000e8000000002000020000000b862b0a938f3677f22515c55f9e75572112cdb156934eef7bad5eb9c31caa9e42000000040e4dfb369fcf952626ee560051c031df71892809adfa80c20bd8da1eba5fad240000000e36d5d4e0a20f9a04847e593b35ca6ff007676b3a3e55e81912a8708956405237b5a22e0afb30cb5d1bdda12ff3bd45c3990bd508db817c725f63e9347b317eb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a03cdd1d9349db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{49505FC1-B586-11EF-89F5-527E38F5B48B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1420	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe
2680	jlmbxtjxicmi.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2104	d818966749acd83dc9fa5d73d5a47f2e_JaffaCakes118.exe
Token: SeDebugPrivilege	2680	jlmbxtjxicmi.exe
Token: SeIncreaseQuotaPrivilege	2836	WMIC.exe
Token: SeSecurityPrivilege	2836	WMIC.exe
Token: SeTakeOwnershipPrivilege	2836	WMIC.exe
Token: SeLoadDriverPrivilege	2836	WMIC.exe
Token: SeSystemProfilePrivilege	2836	WMIC.exe
Token: SeSystemtimePrivilege	2836	WMIC.exe
Token: SeProfSingleProcessPrivilege	2836	WMIC.exe
Token: SeIncBasePriorityPrivilege	2836	WMIC.exe
Token: SeCreatePagefilePrivilege	2836	WMIC.exe
Token: SeBackupPrivilege	2836	WMIC.exe
Token: SeRestorePrivilege	2836	WMIC.exe
Token: SeShutdownPrivilege	2836	WMIC.exe
Token: SeDebugPrivilege	2836	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2836	WMIC.exe
Token: SeRemoteShutdownPrivilege	2836	WMIC.exe
Token: SeUndockPrivilege	2836	WMIC.exe
Token: SeManageVolumePrivilege	2836	WMIC.exe
Token: 33	2836	WMIC.exe
Token: 34	2836	WMIC.exe
Token: 35	2836	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2836	WMIC.exe
Token: SeSecurityPrivilege	2836	WMIC.exe
Token: SeTakeOwnershipPrivilege	2836	WMIC.exe
Token: SeLoadDriverPrivilege	2836	WMIC.exe
Token: SeSystemProfilePrivilege	2836	WMIC.exe
Token: SeSystemtimePrivilege	2836	WMIC.exe
Token: SeProfSingleProcessPrivilege	2836	WMIC.exe
Token: SeIncBasePriorityPrivilege	2836	WMIC.exe
Token: SeCreatePagefilePrivilege	2836	WMIC.exe
Token: SeBackupPrivilege	2836	WMIC.exe
Token: SeRestorePrivilege	2836	WMIC.exe
Token: SeShutdownPrivilege	2836	WMIC.exe
Token: SeDebugPrivilege	2836	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2836	WMIC.exe
Token: SeRemoteShutdownPrivilege	2836	WMIC.exe
Token: SeUndockPrivilege	2836	WMIC.exe
Token: SeManageVolumePrivilege	2836	WMIC.exe
Token: 33	2836	WMIC.exe
Token: 34	2836	WMIC.exe
Token: 35	2836	WMIC.exe
Token: SeBackupPrivilege	2760	vssvc.exe
Token: SeRestorePrivilege	2760	vssvc.exe
Token: SeAuditPrivilege	2760	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2144	WMIC.exe
Token: SeSecurityPrivilege	2144	WMIC.exe
Token: SeTakeOwnershipPrivilege	2144	WMIC.exe
Token: SeLoadDriverPrivilege	2144	WMIC.exe
Token: SeSystemProfilePrivilege	2144	WMIC.exe
Token: SeSystemtimePrivilege	2144	WMIC.exe
Token: SeProfSingleProcessPrivilege	2144	WMIC.exe
Token: SeIncBasePriorityPrivilege	2144	WMIC.exe
Token: SeCreatePagefilePrivilege	2144	WMIC.exe
Token: SeBackupPrivilege	2144	WMIC.exe
Token: SeRestorePrivilege	2144	WMIC.exe
Token: SeShutdownPrivilege	2144	WMIC.exe
Token: SeDebugPrivilege	2144	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2144	WMIC.exe
Token: SeRemoteShutdownPrivilege	2144	WMIC.exe
Token: SeUndockPrivilege	2144	WMIC.exe
Token: SeManageVolumePrivilege	2144	WMIC.exe
Token: 33	2144	WMIC.exe
Token: 34	2144	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1760	iexplore.exe
2480	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1760	iexplore.exe
1760	iexplore.exe
2232	IEXPLORE.EXE
2232	IEXPLORE.EXE
2480	DllHost.exe
2480	DllHost.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2680	2104	d818966749acd83dc9fa5d73d5a47f2e_JaffaCakes118.exe	30
PID 2104 wrote to memory of 2680	2104	d818966749acd83dc9fa5d73d5a47f2e_JaffaCakes118.exe	30
PID 2104 wrote to memory of 2680	2104	d818966749acd83dc9fa5d73d5a47f2e_JaffaCakes118.exe	30
PID 2104 wrote to memory of 2680	2104	d818966749acd83dc9fa5d73d5a47f2e_JaffaCakes118.exe	30
PID 2104 wrote to memory of 2676	2104	d818966749acd83dc9fa5d73d5a47f2e_JaffaCakes118.exe	31
PID 2104 wrote to memory of 2676	2104	d818966749acd83dc9fa5d73d5a47f2e_JaffaCakes118.exe	31
PID 2104 wrote to memory of 2676	2104	d818966749acd83dc9fa5d73d5a47f2e_JaffaCakes118.exe	31
PID 2104 wrote to memory of 2676	2104	d818966749acd83dc9fa5d73d5a47f2e_JaffaCakes118.exe	31
PID 2680 wrote to memory of 2836	2680	jlmbxtjxicmi.exe	34
PID 2680 wrote to memory of 2836	2680	jlmbxtjxicmi.exe	34
PID 2680 wrote to memory of 2836	2680	jlmbxtjxicmi.exe	34
PID 2680 wrote to memory of 2836	2680	jlmbxtjxicmi.exe	34
PID 2680 wrote to memory of 1420	2680	jlmbxtjxicmi.exe	41
PID 2680 wrote to memory of 1420	2680	jlmbxtjxicmi.exe	41
PID 2680 wrote to memory of 1420	2680	jlmbxtjxicmi.exe	41
PID 2680 wrote to memory of 1420	2680	jlmbxtjxicmi.exe	41
PID 2680 wrote to memory of 1760	2680	jlmbxtjxicmi.exe	42
PID 2680 wrote to memory of 1760	2680	jlmbxtjxicmi.exe	42
PID 2680 wrote to memory of 1760	2680	jlmbxtjxicmi.exe	42
PID 2680 wrote to memory of 1760	2680	jlmbxtjxicmi.exe	42
PID 1760 wrote to memory of 2232	1760	iexplore.exe	44
PID 1760 wrote to memory of 2232	1760	iexplore.exe	44
PID 1760 wrote to memory of 2232	1760	iexplore.exe	44
PID 1760 wrote to memory of 2232	1760	iexplore.exe	44
PID 2680 wrote to memory of 2144	2680	jlmbxtjxicmi.exe	45
PID 2680 wrote to memory of 2144	2680	jlmbxtjxicmi.exe	45
PID 2680 wrote to memory of 2144	2680	jlmbxtjxicmi.exe	45
PID 2680 wrote to memory of 2144	2680	jlmbxtjxicmi.exe	45
PID 2680 wrote to memory of 552	2680	jlmbxtjxicmi.exe	47
PID 2680 wrote to memory of 552	2680	jlmbxtjxicmi.exe	47
PID 2680 wrote to memory of 552	2680	jlmbxtjxicmi.exe	47
PID 2680 wrote to memory of 552	2680	jlmbxtjxicmi.exe	47

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jlmbxtjxicmi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	jlmbxtjxicmi.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d818966749acd83dc9fa5d73d5a47f2e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d818966749acd83dc9fa5d73d5a47f2e_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\jlmbxtjxicmi.exe
  C:\Windows\jlmbxtjxicmi.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2680
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2836
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:1420
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1760 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2232
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\JLMBXT~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:552
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\D81896~1.EXE
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2676

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+mnjok.html

Filesize
11KB

MD5
0f7823fce4e78ace414fbfddef0ae388

SHA1
11df591d25f2d2a6acfb0699b74f7ef187f40cb7

SHA256
777102f2828aa9ffeb99cb654517d825dfeff6038fa51540bb25f76589c139d7

SHA512
c454b23d32741a618e7371341ea8bc88d91824ac8ff5fc6c725c46256e074ca8f7e4a9f6f8d29559382db8d72fb366511e7d5372745d9c014de7645a702a2b33

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+mnjok.png

Filesize
64KB

MD5
d944fb5d0aeb230aaab4ef8e1fca9549

SHA1
c31030df9301d9168b73b0b056a3fbf9cfd0754b

SHA256
29518b245ebb552f0ec76193467fe660605c6aac91fbf071b560043fd33678e8

SHA512
21a2a70c98343da039d2005243888edc4363aecedeadab29fe467cefb96ae49dcd5f3c59704447b07c73a7c7d395d9766c20fc54d64c485af3b100217995cd42

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+mnjok.txt

Filesize
1KB

MD5
999fe506a77d32e7fb5758c1c6e12951

SHA1
beeb0fed1478112b23bbe2a65dbb368ac22e3268

SHA256
dba84e588c6fd5c52305bfd43c3682d5dbf8f8e38df845ebfdf186aeaadeb835

SHA512
5bb0d342533a02023eb20a7f73f014dcba6e8e491e5bbf886a7f36d75af9c23aeda334920fab8f9a7ebb2bb46afa63f5537a6893558de6fd45c869485d6406f0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
91e15bb0e1d4fd64bfb1a7a44d9c35f3

SHA1
923966c70b06d04c364f76e0f4794ad1d3dcc4a2

SHA256
500dcccb2e771e727e27d790253c5234182449649eb4feecd56a699739e432d9

SHA512
fa47d6bfe0c0bc37f799970581545327b7dfbf090b5b1ced30be821719f84d67ea3dc9db50784b6ca77f38ddb78f19979ed4c4dd5ff2881b50342843d0c6eb2b

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
ece76a7e0a2f94ef27a1fb1864965016

SHA1
c892feac08bed891a88f41fcd9ea2c61e11f97ac

SHA256
f97883471ec237df51a3e8fe2947b6a67b08c942f9ae4de01ed60ba096edbf70

SHA512
2933d833f9a18d0d2ba8a4dbe880f7ca60fc1274c876a0f71020ed3453a53d378c46c77471cb9d192763e4e4c99172075f3fa9723e4c0a2a3d0acc9f0e9f6302

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
782279e77103af4eb895d8d76490501b

SHA1
2c1886e56821907ed3c8928eb6f2e4eba7c763b2

SHA256
86ef2e70dad45e548421f8be68bedd6874f2a971c0e8e27a498f75ac0bc4f2c6

SHA512
ca0fdf6d509ddca87b19425b650606eafc86eae413985c1f1058bff26afbfdfe33e3bfcd7c9ad632551e1e9aaa5cc61cbae39d9c28eb0631465e8982693fb873

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
984e5e96c95aeb36575c435fcb89ac7e

SHA1
a2a88d100ff10f8fb4d41ed6bb61a9afdb79a9e8

SHA256
82d5569d6de50581f0505c79a13ba6de072fa4cb6f1a9a33105abf87411e78e6

SHA512
d321f5e809c932d047bb6010d79ce7275e4c5ae013a86cd603b9e1d903f3d6d8ce9a1e5629726c59d4c7ea9fc34dd57f3dfb0a48d37ee6db6166285336b63882

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c5a8a8ae739a43baa7f7446d2b459908

SHA1
8adda7669308aa4d009ab29137d750ead9d972cf

SHA256
5327907671330bfae8e284052a3fa4e3e5868a3575d08ed1d6cc8479ab340eaa

SHA512
3469357f556402ce64479b8d408865f8505854bd52ed9329798bb25137d9bd81416e0a6280d13d090322b67c99f1cb99cba0ed9e3cc1b3fe40403e192cf9aace

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99d1f01c2846f1f8f10da902a1893209

SHA1
5bc53435ec5f89ff3125006456302b67739967fe

SHA256
9c11b37c936eafae5fc469bd2fc7a8f6dfd1b3988c6f848fec573e9aa01720d3

SHA512
1d95ab37485d56aeff4417dfcce2d366f52954d077856066ca530fc38b9a4bae28b80294ed947b40582fa807be3fae29244d9f6be610e0b63e7116852804dc1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
89ad32ad35d83b708d09231d79a7276e

SHA1
9110b8d0a92b2e646784c04c4b42a9fbfdecbf1a

SHA256
f3cfb853fafc6d8038035c75a8da2c9b0cfeff569ff6b3b99f58ee54f75675af

SHA512
055942fdd7994d3eb5363a6b1a2cf59728b1e252fed6c4c68bf67cabef929de06ccb125772590653da28fdba1566802b265d4fa67775b6bbee1ee37280c3f462

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a3643fbf83e50798a2150fb743a8f62

SHA1
6836c51dd4f82759f8ef1d5118d0f9e148e6e54f

SHA256
9d9d899ea584cde07f6b3bf71f25e8c5c2ad5a7660d0c5878e8880ea663e2536

SHA512
cb4daebf473565c74580c8057218551a81819934fc347fd9a6ff5f8485f1a5e054b0f0fcaf4f910dd9c44f2b2be1bd6ab52f1dac0b3c2469fe50f33797a1f21e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
318f3dc2ef3d4305b7a179c2cd4279a1

SHA1
992dd81bb026ccccde7e8160d4e4991d5ce4ca63

SHA256
4ec37acb80117601a1f1c732bca1d99417aa2578a45c8041677db85a10a4b55b

SHA512
b45989779fda8b0f22caf57ba6cb35e0104f61ac8c1099174a3146ae633d2a33ffc41a72b15b722d7f28acdda082aeaaaccd793c4697ef26ecaa23fffc68e83a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58b7c19ad5bb93700e9fc1909922c64c

SHA1
00e5b44aeb1ffc54b685e6a554f63cb0adcfe74e

SHA256
bbdb862cbd6c3c04469309affd94ac1556a2794eb6980962e2ada1c0d1c5606e

SHA512
922d2e606ba8602fa33ddf530c0bcfe056a960a93caaa9f345cad0950a3caa88f54bf297264ff60181f2b0e4e035fd56aea85d4ded4bb01df427137103bb2f9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37945616354a3fa5c843a247fc3233e6

SHA1
bb58e059d16186f2a133cb1fb6940852b3d55047

SHA256
a96734c104c915c30354136e6009b2f27b9c8d5b09bf8132b08565bcceb3a388

SHA512
d3c56d2f8dcf878ec32695585dc47454567ca4e6c81deb0126dcd46016bf2d5b5435da590b005b0ab37bd2baf4826cabda7ba778e0cd0dfff06bd7d27705a735

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e31d5f3aacb88b66dac719d1fbdd494

SHA1
f502e079f3f35b7b4b2250e78c5dcb82be3e0371

SHA256
91127fb4d69213bb877d469ad4dc0b59dd32aaacd52e7b54dc27f55fe3c3cf15

SHA512
5b7ff5038881c4f41efcdeacd2ad41baa7fec720c5483e7ed60866ad2320fa0f29b016524af9332a5b74d443132108c0ab25b5952039f61c8f5138225ec2ed1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2f5704419fab9fa2a56e5da1794ebd1

SHA1
017e4df412b905c4a8830995d6357a5a34bb74cc

SHA256
97581d810ee597a0d33f06e6907f3ec2ad20f4cc14b28a090a5f778ec260543a

SHA512
2f855a05ff478f7e1370fde588abf855b368568f87093b8f974827059853af4e0b5bd4296718d17d7591dfeaaceaf61f30d97a6a8524aa2d3fdf1262d8d064db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f8b664f3585f1228a585726128fb790

SHA1
43dfa9d90c3a734e811a710de10f406830be7beb

SHA256
9986cc11de0f05db1c4d4d11b0749f5c368bc11ddfddbd4f273b702a5790070a

SHA512
92481de1b6006d77d068829cd6eac94fca4f829fd673d5007b317c125f26cf37db1b7a34450e0e59fb9c2bc6e1415c479814d83d83bf2162984bec40d71717ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c00fafcba9fa8e8856b1db80fd8b622

SHA1
600498ed3d47cf3b4b572f1292d4c2d79f6b5cfd

SHA256
d112a4cfe69eb9c1eb9bd6081697844fec7c9adcdb91a95536da43cc299d121b

SHA512
3ab6e94cfddf5471f708a9bc4de2bdc354da2a93876289acfaf5a218f8a8fcb667f8d11a4796babb3dcfcb9e588f26e270b8ced0ea66dfc18d7c5da3c912b610

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79b34a5cd057ba43e16b80e2db4bc183

SHA1
68113f7ba06904a8c1bcd20d6782f509503df52f

SHA256
2765d5093edd58b295ae8b12c75167afc8d11a45b5873e36ee0fc3fe45d29f22

SHA512
3f64a395ffb4004ef1f75331c2787b5904d1a31d29ad5c78d33c71bba154776d9a07f501e9500f8b1f5a4e5e81afcb6feb5b34cf9b88e0515a04e5df069456cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94a98ef357f171a623707a162eb77806

SHA1
4081f57a3e19f35294cfe20901277f4eebde3164

SHA256
3359777390abd6589de985035284e3f351bac8964973fd1bd35b1215cabf8875

SHA512
21e0fad73cd0bea50a32a05ec21088f93815c0fedbe81233a0bb28959000bcb477a025344ab5e03e3c5390bb927e715e8d4225c6f85351124f4a854049e11c79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74c401383c04879ee52f81336b3bd6fd

SHA1
419f47aa2026d7119ade19f762d8863e30f91044

SHA256
af1550be10596e1d80c3f1f1525da2fa3eef1d85f71988abf6801881d8829375

SHA512
98a004d21e7fa4a18ddcecc67d61ff53b2a70248484ba6385e6542dcd6b05287e0f71ee2352bb9d22de1a21ea723fdb1925b1224df1b4eda5362afd63940a621

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22968d231d74e376c1e042303ec03921

SHA1
594244e88f22c203f3c9e6f8acb44e1011c289f9

SHA256
2b89c83fcf60c0e32e844904ecf10aa67782660a6be58e63f95d776336df9a91

SHA512
2ba64a7f365db4a7df432d05d5e62141c41df9cea185fc1d037a419f1cc6ee8de13a60257e8d4d9f4001183d1969f6b543f267a14880c0eb8cbd4a864a6d9d0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1263624be608c2112d009671af57f8ff

SHA1
da9a6fe16a04316151cd8649ac210ee2fa324962

SHA256
469a69610558c2d7ee8d1dd2588a1d792a9b10e9084af7f59ef32b2383b0c26f

SHA512
8e1059b86009e9deaf4b5b307ad2bd373304c3be8c0268421cbec870ba084409828907816c8f36828c77d3466260906ee4106697d997e22e7900fad96006f09d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4dfa88b3a573016ce4d317d8f26ad3c0

SHA1
ad6731222a0c1704c36cbfae2f77e7fe4652b532

SHA256
e51c372beb807a1190a80cf58def153cb26156ee056ac8771bf67c16b1499909

SHA512
5249177ebba62566922dee1cff5d952c500552aa967f23a3bc932fe11245066f3ad6825328b52f68b9a822128b26dd54ee4160408a6212045a66035d90938d6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d950a36d36507e2d450e0ba3f6885a5c

SHA1
3bdb85c4462dd03719c285e11f7f8d64b81b4fba

SHA256
139681290f9799baaad13fb39f5efab67fb1445ea1ec463a0d4fa25c14883a55

SHA512
8d5b43822caf7c3965dde8d588777065934342e8cf1dee02c9d5189b4d9ba9693b863714053626cc613231982b4c43596493ce59b198be638cd234ef93f29056

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab62CC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar637A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\jlmbxtjxicmi.exe

Filesize
424KB

MD5
d818966749acd83dc9fa5d73d5a47f2e

SHA1
4c3a30cd2c8c396ff90aa4ebcba63d89a9cfce50

SHA256
4a015db95a1e6db8123e4b21dfe56e34fabf570261b6d2a0a11c0abb282a3363

SHA512
1fde3f7a05b877184a4676db15e6c4ae6efb8847dacb4226887b9f67097996e0533e2eb7b7aab11d3cbe902f8abc7b75ab4981e2b4cd115051c4a89d2d9fc446

Download Submit
memory/2104-12-0x00000000021B0000-0x0000000002235000-memory.dmp

Filesize
532KB

Download
memory/2104-0-0x00000000021B0000-0x0000000002235000-memory.dmp

Filesize
532KB

Download
memory/2104-1-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2104-11-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2480-6052-0x00000000002A0000-0x00000000002A2000-memory.dmp

Filesize
8KB

Download
memory/2680-3434-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2680-1040-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2680-14-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2680-13-0x00000000004B0000-0x0000000000535000-memory.dmp

Filesize
532KB

Download
memory/2680-1043-0x00000000004B0000-0x0000000000535000-memory.dmp

Filesize
532KB

Download
memory/2680-5894-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2680-6051-0x0000000002EF0000-0x0000000002EF2000-memory.dmp

Filesize
8KB

Download
memory/2680-6055-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download