teslacrypt | 811740b4ecfe0bde80e90ec6f60fb17db109ccf7490345bb897276354ed31256

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de01a09f896441e9533913bb82278391_JaffaCakes118.exe
Size

376KB
MD5

de01a09f896441e9533913bb82278391
SHA1

d65824cc0c5b29864c7cac6b10f41fe516c0dd31
SHA256

811740b4ecfe0bde80e90ec6f60fb17db109ccf7490345bb897276354ed31256
SHA512

c8b0f54dc698a39e438ba7105d08632a05396ded5b2d2bb82e35d869e5595f9827d6246eb274657333411b80a9936cf291fd7e644f5b58a5450bdd228732b053
SSDEEP

6144:te3rNhMeYq4CGRTs4kadSoKVStcmTVn57CpSCwsUbg62oXd:tY5hMfqwTsTKcmTV5kINEx+d

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+crfav.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/2F416F755E5B53F9 2. http://kkd47eh4hdjshb5t.angortra.at/2F416F755E5B53F9 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/2F416F755E5B53F9 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/2F416F755E5B53F9 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/2F416F755E5B53F9 http://kkd47eh4hdjshb5t.angortra.at/2F416F755E5B53F9 http://ytrest84y5i456hghadefdsd.pontogrot.com/2F416F755E5B53F9 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/2F416F755E5B53F9

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/2F416F755E5B53F9

http://kkd47eh4hdjshb5t.angortra.at/2F416F755E5B53F9

http://ytrest84y5i456hghadefdsd.pontogrot.com/2F416F755E5B53F9

http://xlowfznrg4wf7dli.ONION/2F416F755E5B53F9

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (391) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2748	cmd.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+crfav.png	pafyndrdyeop.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+crfav.txt	pafyndrdyeop.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+crfav.html	pafyndrdyeop.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+crfav.png	pafyndrdyeop.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+crfav.txt	pafyndrdyeop.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+crfav.html	pafyndrdyeop.exe

Executes dropped EXE 2 IoCs

pid	Process
2728	pafyndrdyeop.exe
1248	pafyndrdyeop.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\aolnfwlwfbli = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\pafyndrdyeop.exe\""	pafyndrdyeop.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2972 set thread context of 2916	2972	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	31
PID 2728 set thread context of 1248	2728	pafyndrdyeop.exe	35

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\pushplaysubpicture.png	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\es-ES\Recovery+crfav.txt	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\fr-FR\Recovery+crfav.html	pafyndrdyeop.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\Recovery+crfav.html	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\de-DE\Recovery+crfav.txt	pafyndrdyeop.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	pafyndrdyeop.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\Recovery+crfav.html	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\calendar.js	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\Recovery+crfav.txt	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\slideShow.js	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\Recovery+crfav.html	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sl.pak	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\Recovery+crfav.txt	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\Recovery+crfav.txt	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\cpu.js	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_top.png	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\44.png	pafyndrdyeop.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\Recovery+crfav.html	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\Recovery+crfav.png	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\Recovery+crfav.txt	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\calendar.css	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\Recovery+crfav.png	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\Recovery+crfav.png	pafyndrdyeop.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\Recovery+crfav.txt	pafyndrdyeop.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\Recovery+crfav.html	pafyndrdyeop.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\Recovery+crfav.txt	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\Recovery+crfav.png	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\Recovery+crfav.png	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Recovery+crfav.png	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png	pafyndrdyeop.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\Recovery+crfav.txt	pafyndrdyeop.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\Recovery+crfav.txt	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\library.js	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\es-ES\Recovery+crfav.html	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\Recovery+crfav.png	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\Recovery+crfav.txt	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Recovery+crfav.png	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Recovery+crfav.txt	pafyndrdyeop.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\Recovery+crfav.png	pafyndrdyeop.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\Recovery+crfav.png	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Windows Portable Devices\Recovery+crfav.png	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_MCELogo_mouseout.png	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\Recovery+crfav.html	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\Recovery+crfav.png	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\ja-JP\Recovery+crfav.txt	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\Recovery+crfav.png	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\Recovery+crfav.html	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\Recovery+crfav.txt	pafyndrdyeop.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\Recovery+crfav.txt	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\Recovery+crfav.png	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\Recovery+crfav.png	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new_partly-cloudy.png	pafyndrdyeop.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\Recovery+crfav.txt	pafyndrdyeop.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\Recovery+crfav.png	pafyndrdyeop.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	pafyndrdyeop.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\Recovery+crfav.png	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_s.png	pafyndrdyeop.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576black.png	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\fr-FR\Recovery+crfav.txt	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\Recovery+crfav.png	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\23.png	pafyndrdyeop.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\Recovery+crfav.png	pafyndrdyeop.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\pafyndrdyeop.exe	de01a09f896441e9533913bb82278391_JaffaCakes118.exe
File opened for modification	C:\Windows\pafyndrdyeop.exe	de01a09f896441e9533913bb82278391_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pafyndrdyeop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pafyndrdyeop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de01a09f896441e9533913bb82278391_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de01a09f896441e9533913bb82278391_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007edced73f4227045b8a73b68fade581b0000000002000000000010660000000100002000000003c773d0cf15bf20e7792bb1c161a3b6ecfdd90a516ae5804509ac23cc8a9ea5000000000e80000000020000200000007cd8202bcc0ea35949269003cd38fc35392b802c7c06dbf3cd8216f580148665200000000c449d8180308173d45a3adac87da4aaf21635a3412c00405377add55a4f6bf240000000ad51d6a974094169e072541d473d4d44c38fc691df07b2086b70c8494669caca25df288cd5de41ca03a0c70f8299a77f635688c65611bae5ac2586215cab13ee	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007edced73f4227045b8a73b68fade581b00000000020000000000106600000001000020000000cd180dd3ca7f3d803ce69e6c0e9cad2e50893e9a41943a64514b7e50991a1f34000000000e80000000020000200000001ef63f2c465ccf5c0ee0477aa1ef8af8028a8f81d69a1af5766b649723a64dc790000000b15f3e84ca3c2a1491e361311046811d553dc4a3e393094553ee5a2f31f8535201023b71e3066342de2330932ace484b810b712930171d3ca9790f99a555d0685ffed80e4610aa41cf81c75f81d5c2b1474b12fb0fe5890037ec93f13730aaaabc2427ab2689cfa6ac148ab9bb037e3961243367b0c0fdefd388c10b9cc57b8eeb416a5a0fe494db9f48b2f95171160c400000001d03b03cb826d3f774323fdbcc381c34db633b6e6ebda1d8b51c4e08f82b20316e8bf36dbcc85d90870efb69d4ad673dd147616cf4539495450b4c6fb64e8b55	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B60B7781-B720-11EF-A205-6AA0EDE5A32F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a073988a2d4bdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2080	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe
1248	pafyndrdyeop.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	de01a09f896441e9533913bb82278391_JaffaCakes118.exe
Token: SeDebugPrivilege	1248	pafyndrdyeop.exe
Token: SeIncreaseQuotaPrivilege	2508	WMIC.exe
Token: SeSecurityPrivilege	2508	WMIC.exe
Token: SeTakeOwnershipPrivilege	2508	WMIC.exe
Token: SeLoadDriverPrivilege	2508	WMIC.exe
Token: SeSystemProfilePrivilege	2508	WMIC.exe
Token: SeSystemtimePrivilege	2508	WMIC.exe
Token: SeProfSingleProcessPrivilege	2508	WMIC.exe
Token: SeIncBasePriorityPrivilege	2508	WMIC.exe
Token: SeCreatePagefilePrivilege	2508	WMIC.exe
Token: SeBackupPrivilege	2508	WMIC.exe
Token: SeRestorePrivilege	2508	WMIC.exe
Token: SeShutdownPrivilege	2508	WMIC.exe
Token: SeDebugPrivilege	2508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2508	WMIC.exe
Token: SeRemoteShutdownPrivilege	2508	WMIC.exe
Token: SeUndockPrivilege	2508	WMIC.exe
Token: SeManageVolumePrivilege	2508	WMIC.exe
Token: 33	2508	WMIC.exe
Token: 34	2508	WMIC.exe
Token: 35	2508	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2940	WMIC.exe
Token: SeSecurityPrivilege	2940	WMIC.exe
Token: SeTakeOwnershipPrivilege	2940	WMIC.exe
Token: SeLoadDriverPrivilege	2940	WMIC.exe
Token: SeSystemProfilePrivilege	2940	WMIC.exe
Token: SeSystemtimePrivilege	2940	WMIC.exe
Token: SeProfSingleProcessPrivilege	2940	WMIC.exe
Token: SeIncBasePriorityPrivilege	2940	WMIC.exe
Token: SeCreatePagefilePrivilege	2940	WMIC.exe
Token: SeBackupPrivilege	2940	WMIC.exe
Token: SeRestorePrivilege	2940	WMIC.exe
Token: SeShutdownPrivilege	2940	WMIC.exe
Token: SeDebugPrivilege	2940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2940	WMIC.exe
Token: SeRemoteShutdownPrivilege	2940	WMIC.exe
Token: SeUndockPrivilege	2940	WMIC.exe
Token: SeManageVolumePrivilege	2940	WMIC.exe
Token: 33	2940	WMIC.exe
Token: 34	2940	WMIC.exe
Token: 35	2940	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2384	iexplore.exe
2052	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2384	iexplore.exe
2384	iexplore.exe
2876	IEXPLORE.EXE
2876	IEXPLORE.EXE
2052	DllHost.exe
2052	DllHost.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2916	2972	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	31
PID 2972 wrote to memory of 2916	2972	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	31
PID 2972 wrote to memory of 2916	2972	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	31
PID 2972 wrote to memory of 2916	2972	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	31
PID 2972 wrote to memory of 2916	2972	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	31
PID 2972 wrote to memory of 2916	2972	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	31
PID 2972 wrote to memory of 2916	2972	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	31
PID 2972 wrote to memory of 2916	2972	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	31
PID 2972 wrote to memory of 2916	2972	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	31
PID 2972 wrote to memory of 2916	2972	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	31
PID 2972 wrote to memory of 2916	2972	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	31
PID 2916 wrote to memory of 2728	2916	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	32
PID 2916 wrote to memory of 2728	2916	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	32
PID 2916 wrote to memory of 2728	2916	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	32
PID 2916 wrote to memory of 2728	2916	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	32
PID 2916 wrote to memory of 2748	2916	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	33
PID 2916 wrote to memory of 2748	2916	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	33
PID 2916 wrote to memory of 2748	2916	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	33
PID 2916 wrote to memory of 2748	2916	de01a09f896441e9533913bb82278391_JaffaCakes118.exe	33
PID 2728 wrote to memory of 1248	2728	pafyndrdyeop.exe	35
PID 2728 wrote to memory of 1248	2728	pafyndrdyeop.exe	35
PID 2728 wrote to memory of 1248	2728	pafyndrdyeop.exe	35
PID 2728 wrote to memory of 1248	2728	pafyndrdyeop.exe	35
PID 2728 wrote to memory of 1248	2728	pafyndrdyeop.exe	35
PID 2728 wrote to memory of 1248	2728	pafyndrdyeop.exe	35
PID 2728 wrote to memory of 1248	2728	pafyndrdyeop.exe	35
PID 2728 wrote to memory of 1248	2728	pafyndrdyeop.exe	35
PID 2728 wrote to memory of 1248	2728	pafyndrdyeop.exe	35
PID 2728 wrote to memory of 1248	2728	pafyndrdyeop.exe	35
PID 2728 wrote to memory of 1248	2728	pafyndrdyeop.exe	35
PID 1248 wrote to memory of 2508	1248	pafyndrdyeop.exe	36
PID 1248 wrote to memory of 2508	1248	pafyndrdyeop.exe	36
PID 1248 wrote to memory of 2508	1248	pafyndrdyeop.exe	36
PID 1248 wrote to memory of 2508	1248	pafyndrdyeop.exe	36
PID 1248 wrote to memory of 2080	1248	pafyndrdyeop.exe	39
PID 1248 wrote to memory of 2080	1248	pafyndrdyeop.exe	39
PID 1248 wrote to memory of 2080	1248	pafyndrdyeop.exe	39
PID 1248 wrote to memory of 2080	1248	pafyndrdyeop.exe	39
PID 1248 wrote to memory of 2384	1248	pafyndrdyeop.exe	40
PID 1248 wrote to memory of 2384	1248	pafyndrdyeop.exe	40
PID 1248 wrote to memory of 2384	1248	pafyndrdyeop.exe	40
PID 1248 wrote to memory of 2384	1248	pafyndrdyeop.exe	40
PID 2384 wrote to memory of 2876	2384	iexplore.exe	42
PID 2384 wrote to memory of 2876	2384	iexplore.exe	42
PID 2384 wrote to memory of 2876	2384	iexplore.exe	42
PID 2384 wrote to memory of 2876	2384	iexplore.exe	42
PID 1248 wrote to memory of 2940	1248	pafyndrdyeop.exe	43
PID 1248 wrote to memory of 2940	1248	pafyndrdyeop.exe	43
PID 1248 wrote to memory of 2940	1248	pafyndrdyeop.exe	43
PID 1248 wrote to memory of 2940	1248	pafyndrdyeop.exe	43
PID 1248 wrote to memory of 1792	1248	pafyndrdyeop.exe	45
PID 1248 wrote to memory of 1792	1248	pafyndrdyeop.exe	45
PID 1248 wrote to memory of 1792	1248	pafyndrdyeop.exe	45
PID 1248 wrote to memory of 1792	1248	pafyndrdyeop.exe	45

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	pafyndrdyeop.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	pafyndrdyeop.exe

C:\Users\Admin\AppData\Local\Temp\de01a09f896441e9533913bb82278391_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\de01a09f896441e9533913bb82278391_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\de01a09f896441e9533913bb82278391_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\de01a09f896441e9533913bb82278391_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\pafyndrdyeop.exe
    C:\Windows\pafyndrdyeop.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\pafyndrdyeop.exe
      C:\Windows\pafyndrdyeop.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1248
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:2080
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2384
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2384 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2876
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\PAFYND~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1792
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\DE01A0~1.EXE
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2748

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+crfav.html

Filesize
7KB

MD5
c743ca00420717a1ecb9918fd0116e03

SHA1
a364f87ac838c76c727cd5228eb903b68f5f40b7

SHA256
131bab8151cab0a8a32b19279a4155542440ee46208b78b0231fd0818b787e89

SHA512
3b2002a4764216cb85c42b910a321cc8868f5c35f2ae51f091448a8cde7b46e4be42acadc5c8edfd1968ab2dde5561032051c0cd767d57fd86129cd8b9ff2adb

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+crfav.png

Filesize
62KB

MD5
2aed16fa40e2f5fea0b5d2beaae12ba7

SHA1
c04c0720d8876c041fb5a43054371d4bd98f57f0

SHA256
d84e41cb9f549363546f47bac3634fa0bcaba7d51614a3500cbb1ee66e38e743

SHA512
0e1c02977d3fbafbc57f81beca2e49330e84ae895749ab6a08656fdceb49075dec5ff51974c4596c43c824496f935d995a2da537d78285043d8db567ee57bc32

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+crfav.txt

Filesize
1KB

MD5
bd84dd8c0987cd30a8288da5ec8bd48e

SHA1
bee95cd6ec00b2f1f222ed9474aaf13b8eb5371c

SHA256
8b793343ceeee394623267d1a50e0e82bf3e0c1e84a3bfb2fdb93e412605637e

SHA512
59db845315a41a0107102ef3849b7a6e7950fd67dcc7414dd972b2d169f14f7f181a0174512cf817d72b7e624955f221abf74e71a828caed8af7767d14585faa

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
d0b2d2e3e3ed2624430aaf52b335cd26

SHA1
08cbaa51eeeb0a9c825bcc2fc4e5810c145ef144

SHA256
27c0920436dc1ab6b1a2b8aad5db04844e678f0bc9b7b70735116be24a072130

SHA512
37942a59898029527f57c0ace148bb347e1d56d72abc619363f7c8f3bfd5ad698cd705d1713a585ec98f95893bb2c2c972f69ad9554345c903c5b5e56ff6e44a

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
6e0645bf63300e8180fd1fa1a8bcdbd4

SHA1
424b40f6e79030613c80f771108f2c0e3efac87e

SHA256
59619d36d3ee65e9d9f1497f63a26d087c48566780c97015e6a160be26b091eb

SHA512
62664013ea1c4adca3e1cee14dbfb0240fab7c1b0180d9a17d73a4b954627189cee5948619a86d413ce6274164c270e273da7abb34ef24eb2d2f10a967e88121

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
78fdf7d67115be85deac213e5313ed6c

SHA1
5550a58affc529814ce186486fac23d40a7bcb31

SHA256
ce9803832f89468a6707f14f4c84d933b3b678f9840cebe5d807ed0ac83fac0d

SHA512
82c63e9a525a12178458b4cefcf44a619399551542eb4fd480f36973f0d18e27ce35b8fd05b2e3807353a165909da5eee7534da4a69ca97aca0343610f7e1078

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11e6b45d0f13f0f1b750cfdf0dc6630c

SHA1
2a73ce7dad879770f54733f7a6e685ac3602875c

SHA256
7c75b256e1a06d8741bd2465706b49843c9e57696df6909754b7bd52114a0a89

SHA512
d63e3972ae4b9d9b761c247e166bfb0c6944835fabe602f3176e4b56d2b548181bbcb47588e39b42f7890900c1d7501b7ee1b8dee0829dd41d963ed765f69a5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31266dd9086794748fe9bca7c9debc59

SHA1
13e2a590a02da960b6741c5259e0bbe4c8f8474d

SHA256
d4eafa310f5a2ba4cd47236f3f8409d63c02e25eda094f98ce0eeeaea38fcee6

SHA512
5aea2980b77f0ddb291d0004597b0290f7dd85a8a075e3e8908690f9fa6bcb05bf03847f5f2abe63f38cbdc99290ccfcda87e47d734e93ec9276281befcb6189

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c0ae31944437d03f30cba0014126633

SHA1
65c7d90cce8eb871dc6d7dbc52edd1e3f04f3918

SHA256
5100d7874da3280be8fa2870f0b93e326cd40532fcdebeb5c888e3517d336f45

SHA512
5df1e933981eae1a572ed0a781d37a26a5a6647caa8e26012d5a97b52230d51eb64b15ab4702cfb4f345df6524f74715ecd96eb23c5b67849d531974de1828aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9cb74abe72d6d91ebfa059319291a7d

SHA1
5d761f171efe5ba1c43171e74d5a995095bb113d

SHA256
555e19b04180b08d7dc6adf78a45ba22a5465fb5f14b87cf17122a4563e33c83

SHA512
6ef3afcabd1c4ab7a6160d893d6b0781e03a6cf900f34f444d6f80b2125fbbfaf27a2409ae31f92f8e9cc5c7b1e8cc8291389d8b8bb62c96a491a07294e039b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af26058b5f3f77d9fa14e5356258f569

SHA1
3c3da689fdbb6d46b253e44001a64cd4ccb978aa

SHA256
621fe8bf758b242450be98d41b2e7af4ddeca8902e717dd02d8e04dc682e56a0

SHA512
11dadbdff7936c49ae618e00aefa12bdcaf1efac3bb6afac9c4f32cfc34a0176152953c9d9cec0dfd3fdf1ec1e1bec6ff7cfc7ead4b8f64a5efa4ab08930c3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
63b4b66b625e48125fe86de52b09e1d5

SHA1
2c4416887450c892d1c6f42f29a5c12ac49a1474

SHA256
6ff8573d7f25569513fa820df65ee1fca3c2ab82b6251daf0d2f2035007d56cc

SHA512
6cfcc304b6e2bb9021163ec013e201e935306f4579ed3a4d47954c4f0873ee745363a11c558af37e709634913d53c94874bf3068938d5e04c82b3f70503a712e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39925cbceb3cdaf3e9bc76c2989acda0

SHA1
31f118abd1ddcbba06b07561623e1dcadc2608ce

SHA256
1d44d56355c31b585e3e9936ec19eb3caf2266e5454d508de32d6a8da2138505

SHA512
f07cab2c49de8a65d0eb446544f1b88f0544a270592add8f76cd95b0a12baf766cbe5c402a8589fa209f557798f8300ac40d32449913e6f669abfd60e2dc8424

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71baed45752dcdd08be242e2132d0e43

SHA1
e41db0668c5085723f45615c1a52a7044cd5c86e

SHA256
9c474dfdca890fcf15967e0643bbbe9435aa9f5aea9fcb948a9d7b7598d6fe12

SHA512
e49dc62d56426c86ae6d0e6ccb01dd2c6cccc3ee9131677aa6f2678e392eca44d0ec6c1e8f2111697fd2566a3516ca2d9b0c93bdc393983d6906622ca0eb899d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f8e0333b84e096d7df6e1dbfd2af3b4

SHA1
8e7099ec4e0a5800250f0d29f99df6754db7a380

SHA256
c9058c5cd09228cb3572bd05af874e2163606deb53d19cfad73b53b1defa2ca6

SHA512
ce08ce9582668b2b7f11f69170e1da2b22629569310962fc8b0291768942d101cb2e5bbdcd31a73dae1f286d6b3975884beca5e439482ad4ddfdd3ae095b590f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF807.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF8D6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\pafyndrdyeop.exe

Filesize
376KB

MD5
de01a09f896441e9533913bb82278391

SHA1
d65824cc0c5b29864c7cac6b10f41fe516c0dd31

SHA256
811740b4ecfe0bde80e90ec6f60fb17db109ccf7490345bb897276354ed31256

SHA512
c8b0f54dc698a39e438ba7105d08632a05396ded5b2d2bb82e35d869e5595f9827d6246eb274657333411b80a9936cf291fd7e644f5b58a5450bdd228732b053

Download Submit
memory/1248-6065-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1248-1828-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1248-5993-0x0000000003DE0000-0x0000000003DE2000-memory.dmp

Filesize
8KB

Download
memory/1248-55-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1248-50-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1248-52-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1248-51-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1248-6062-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1248-5996-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1248-5998-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1248-1824-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1248-1840-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1248-4947-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1248-5987-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1248-57-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2052-5994-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/2728-28-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/2916-4-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2916-10-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2916-31-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2916-6-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2916-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2916-20-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2916-8-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2916-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2916-12-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2916-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2916-16-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2972-0-0x00000000001F0000-0x00000000001F3000-memory.dmp

Filesize
12KB

Download
memory/2972-19-0x00000000001F0000-0x00000000001F3000-memory.dmp

Filesize
12KB

Download
memory/2972-1-0x00000000001F0000-0x00000000001F3000-memory.dmp

Filesize
12KB

Download