Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 28-04-2024 13:34
Static task: static1
Behavioral task: behavioral1
- Sample: 054d68e1b21ca7d723170ab0a76ecade_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 054d68e1b21ca7d723170ab0a76ecade_JaffaCakes118.exe
- Resource: win10v2004-20240419-en
General
- Target: 054d68e1b21ca7d723170ab0a76ecade_JaffaCakes118.exe
- Size: 336KB
- MD5: 054d68e1b21ca7d723170ab0a76ecade
- SHA1: 36495fdc5e9784e09e8c11838c3ad3653f987fa8
- SHA256: 85fbae8101c1214be4247bba710cbda6d4af6889cdce838a0ace154f1487f581
- SHA512: 1f517a80a5eb9c77b1c5a56421c27b6653b75e35728d121576340a9f99dbfb10a59a0e5459b2df592851cd122dfaffb970feb9423a13ca09c2bfba95df3b7555
- SSDEEP: 6144:vaq1F7UiBDVWXP+t/tCPS0U1R+6OxuQ6jEUxrSrdqD2Ig7Uf++z3EJ29iV:b7rPW/6tCPSxN8IoUfvUJ2g
Malware Config
Extracted
Path: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+qrhsh.txt
URLs:
- http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/C226E7F456D5DFD2
- http://b4youfred5485jgsa3453f.italazudda.com/C226E7F456D5DFD2
- http://5rport45vcdef345adfkksawe.bematvocal.at/C226E7F456D5DFD2
- http://fwgrhsao3aoml7ej.onion/C226E7F456D5DFD2
- http://fwgrhsao3aoml7ej.ONION/C226E7F456D5DFD2
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (406) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
Processes: cmd.exe
pid | process
2604 | cmd.exe
-
Drops startup file 3 IoCs
Processes: lkccchvsalkt.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+qrhsh.png | lkccchvsalkt.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+qrhsh.txt | lkccchvsalkt.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+qrhsh.html | lkccchvsalkt.exe
-
Executes dropped EXE 1 IoCs
Processes: lkccchvsalkt.exe
pid | process
2836 | lkccchvsalkt.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: lkccchvsalkt.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\vsrmwnvcxocq = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\lkccchvsalkt.exe\"" | lkccchvsalkt.exe
-
Drops file in Program Files directory 64 IoCs
Processes: lkccchvsalkt.exe
description | ioc | process
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\Recovery+qrhsh.png | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\Recovery+qrhsh.html | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\Recovery+qrhsh.png | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\VC\Recovery+qrhsh.png | lkccchvsalkt.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\Recovery+qrhsh.txt | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\Recovery+qrhsh.html | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\Recovery+qrhsh.txt | lkccchvsalkt.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576_91n92.png | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Internet Explorer\de-DE\Recovery+qrhsh.html | lkccchvsalkt.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\Recovery+qrhsh.png | lkccchvsalkt.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\Recovery+qrhsh.html | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\Recovery+qrhsh.txt | lkccchvsalkt.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\az\Recovery+qrhsh.txt | lkccchvsalkt.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\Recovery+qrhsh.html | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\Recovery+qrhsh.png | lkccchvsalkt.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\Recovery+qrhsh.png | lkccchvsalkt.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\Folder-48.png | lkccchvsalkt.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\meta\reader\Recovery+qrhsh.png | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\35.png | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\Recovery+qrhsh.png | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\Recovery+qrhsh.png | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Common Files\SpeechEngines\Microsoft\Recovery+qrhsh.txt | lkccchvsalkt.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Recovery+qrhsh.html | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Microsoft Games\Purble Place\ja-JP\Recovery+qrhsh.html | lkccchvsalkt.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\Recovery+qrhsh.html | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_down.png | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\Recovery+qrhsh.html | lkccchvsalkt.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\Recovery+qrhsh.txt | lkccchvsalkt.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\extensions\Recovery+qrhsh.png | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\Recovery+qrhsh.html | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\es-419.pak | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_win.css | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Java\jre7\lib\amd64\Recovery+qrhsh.html | lkccchvsalkt.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\Recovery+qrhsh.html | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\settings.js | lkccchvsalkt.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\fr\Recovery+qrhsh.png | lkccchvsalkt.exe
File opened for modification | C:\Program Files\DVD Maker\it-IT\Recovery+qrhsh.html | lkccchvsalkt.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\Recovery+qrhsh.png | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_right.png | lkccchvsalkt.exe
File opened for modification | C:\Program Files\DVD Maker\ja-JP\Recovery+qrhsh.png | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\Recovery+qrhsh.png | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Microsoft Games\Mahjong\de-DE\Recovery+qrhsh.txt | lkccchvsalkt.exe
File opened for modification | C:\Program Files\7-Zip\Recovery+qrhsh.txt | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\Recovery+qrhsh.txt | lkccchvsalkt.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\203x8subpicture.png | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\bin\Recovery+qrhsh.txt | lkccchvsalkt.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\Recovery+qrhsh.txt | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Microsoft Games\Chess\Recovery+qrhsh.txt | lkccchvsalkt.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\co\Recovery+qrhsh.txt | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\Recovery+qrhsh.html | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\Recovery+qrhsh.txt | lkccchvsalkt.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\Recovery+qrhsh.txt | lkccchvsalkt.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\Recovery+qrhsh.png | lkccchvsalkt.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\Recovery+qrhsh.html | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\Recovery+qrhsh.txt | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\Recovery+qrhsh.png | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\Recovery+qrhsh.txt | lkccchvsalkt.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\Recovery+qrhsh.png | lkccchvsalkt.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\zh_CN\Recovery+qrhsh.txt | lkccchvsalkt.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_ButtonGraphic.png | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Microsoft Games\Purble Place\es-ES\Recovery+qrhsh.txt | lkccchvsalkt.exe
File opened for modification | C:\Program Files\VideoLAN\Recovery+qrhsh.html | lkccchvsalkt.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-disable.png | lkccchvsalkt.exe
-
Drops file in Windows directory 2 IoCs
Processes: 054d68e1b21ca7d723170ab0a76ecade_JaffaCakes118.exe
description | ioc | process
File created | C:\Windows\lkccchvsalkt.exe | 054d68e1b21ca7d723170ab0a76ecade_JaffaCakes118.exe
File opened for modification | C:\Windows\lkccchvsalkt.exe | 054d68e1b21ca7d723170ab0a76ecade_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a9606900000000020000000000106600000001000020000000d825d77ce3bd8066c0aff313890543583d0f572cb7830c277dd84b6d20e6077e000000000e800000000200002000000008418ce056bda235d885d3139dc98798e945b248a1cced5ad9f15479d84a665720000000732690afa8ff9e6230ecc1a3c828ae110acb610318b79da2f7f85076d3170f1240000000fdfeac77a184876eed316a7aa5f73a5cc82195b14f7b62ac87f4ba8dc52f4c90b3f8cd65598b377d0459c2afb4e2a4e84d81958b02e6b86065720c289066c741 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1C38DDA1-0564-11EF-9F07-6E6327E9C5D7} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420473167" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b07ea4f07099da01 | iexplore.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes: NOTEPAD.EXE
pid | process
2732 | NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: lkccchvsalkt.exe
pid | process
2836 | lkccchvsalkt.exe (this row is repeated 64 times in the original report; one entry per enumeration)
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes: 054d68e1b21ca7d723170ab0a76ecade_JaffaCakes118.exe, lkccchvsalkt.exe, WMIC.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 2012 | 054d68e1b21ca7d723170ab0a76ecade_JaffaCakes118.exe
Token: SeDebugPrivilege | 2836 | lkccchvsalkt.exe
Token: SeIncreaseQuotaPrivilege | 2724 | WMIC.exe
Token: SeSecurityPrivilege | 2724 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2724 | WMIC.exe
Token: SeLoadDriverPrivilege | 2724 | WMIC.exe
Token: SeSystemProfilePrivilege | 2724 | WMIC.exe
Token: SeSystemtimePrivilege | 2724 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2724 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2724 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2724 | WMIC.exe
Token: SeBackupPrivilege | 2724 | WMIC.exe
Token: SeRestorePrivilege | 2724 | WMIC.exe
Token: SeShutdownPrivilege | 2724 | WMIC.exe
Token: SeDebugPrivilege | 2724 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2724 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2724 | WMIC.exe
Token: SeUndockPrivilege | 2724 | WMIC.exe
Token: SeManageVolumePrivilege | 2724 | WMIC.exe
Token: 33 | 2724 | WMIC.exe
Token: 34 | 2724 | WMIC.exe
Token: 35 | 2724 | WMIC.exe
(the 20 WMIC.exe token rows above appear twice in the original report, in the same order)
Token: SeBackupPrivilege | 1656 | vssvc.exe
Token: SeRestorePrivilege | 1656 | vssvc.exe
Token: SeAuditPrivilege | 1656 | vssvc.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: iexplore.exe, DllHost.exe
pid | process
2640 | iexplore.exe
1236 | DllHost.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: iexplore.exe, IEXPLORE.EXE
pid | process
2640 | iexplore.exe
2640 | iexplore.exe
2504 | IEXPLORE.EXE
2504 | IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes: 054d68e1b21ca7d723170ab0a76ecade_JaffaCakes118.exe, lkccchvsalkt.exe, iexplore.exe
description | pid | process | target process
PID 2012 wrote to memory of 2836 | 2012 | 054d68e1b21ca7d723170ab0a76ecade_JaffaCakes118.exe | lkccchvsalkt.exe
PID 2012 wrote to memory of 2604 | 2012 | 054d68e1b21ca7d723170ab0a76ecade_JaffaCakes118.exe | cmd.exe
PID 2836 wrote to memory of 2724 | 2836 | lkccchvsalkt.exe | WMIC.exe
PID 2836 wrote to memory of 2732 | 2836 | lkccchvsalkt.exe | NOTEPAD.EXE
PID 2836 wrote to memory of 2640 | 2836 | lkccchvsalkt.exe | iexplore.exe
PID 2640 wrote to memory of 2504 | 2640 | iexplore.exe | IEXPLORE.EXE
PID 2836 wrote to memory of 2476 | 2836 | lkccchvsalkt.exe | cmd.exe
(each of the 7 rows above appears 4 times in the original report, giving the 28 IoCs)
-
System policy modification 1 TTPs 2 IoCs
Processes: lkccchvsalkt.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | lkccchvsalkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | lkccchvsalkt.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Process tree (indentation shows parent/child nesting):
-
C:\Users\Admin\AppData\Local\Temp\054d68e1b21ca7d723170ab0a76ecade_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\054d68e1b21ca7d723170ab0a76ecade_JaffaCakes118.exe"
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  -
  C:\Windows\lkccchvsalkt.exe
  Command line: C:\Windows\lkccchvsalkt.exe
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
    -
    C:\Windows\System32\wbem\WMIC.exe
    Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\SysWOW64\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    - Opens file in notepad (likely ransom note)
    -
    C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
      -
      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2640 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
    -
    C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\LKCCCH~1.EXE
  -
  C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\054D68~1.EXE
  - Deletes itself
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exe
Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+qrhsh.html
Filesize: 8KB
MD5: ad828999ad8bc48f164c02e0b70851db
SHA1: 56a624f0f7783d3b2c9c33bfbec0b68794863675
SHA256: 095c333bd55716f79dfc7a899d5e59605a043ee696530ba257dbdaafd5595230
SHA512: eb5687c3c9d9023417c2f09b8c21c7b5da4c8507c3b9ec3007fff8078c087e375cef93e64849a82d9108f1d4fb43451854a9ca9f606d6be1b4dbf8e641586e5d
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+qrhsh.png
Filesize: 68KB
MD5: 769554f40a716377a57be675b3747802
SHA1: c2a14564784ce16808c9453857cd88850e4f7b85
SHA256: d58099760e122b7524e9c12d9b424f035a9aeb852941c0150eef74af914a3c2e
SHA512: b8eba66b4ae9548eae929b8eb3ca8e5d3a4723abe86e03e923fff01551358d9c47fd82cb03211ccf68c1a98918122a8785e0d126becf122465e4332840715884
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+qrhsh.txt
Filesize: 2KB
MD5: 77e7d50c6ea53ae14de26687d3634af9
SHA1: 01375286101d46bdca3cb615850f616c1f9f802d
SHA256: 3e7f829492b7060a6dbd27d19bc7b97be21581b9c4e1097bb37e879cf277bc1b
SHA512: d238f65f4d90f4a70ca41d21bcfb6be0018df947417dd444062df28837cbf859738697e40fe5bf71a9bf6a69dcd340e14f97c7828f834d979bc640854f9955ba
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
Filesize: 11KB
MD5: ad05dcc0e87d511ef477226861bef4c4
SHA1: 01e6da16dfd6298c846ffbe81676f52dd253a74a
SHA256: f528d58afde0e131da7f55d74226e4ddcf77bfb8518bb5249bb6068a1d1b1c31
SHA512: 26fab4320c3c4a6417943610479fbb0e7dc593e6d162b96b83eedff17b096ce8f803fee2f011a4ffae359ffb4276a7736c15f57bd063f2e0784a8b2fd434688a
-
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt
Filesize: 109KB
MD5: 97ae2870efbc5aa3e20dd1aca41ef059
SHA1: 9ea81ff0474173a0a30a4928a9b149aab2b37379
SHA256: da70e54cd81476e141fb1d216881d441741147ebf28a38cad7837b3649eb4c9b
SHA512: b4bb24cc189dea29a5055163c9f02ac7432cf73a453d05a8b0ecf4690c40d6308913d0c357b0949f33f550613a4757dc0f92b473aa18c92a1dc352ccaa8afc42
-
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt
Filesize: 173KB
MD5: 8454d4d9d3ee550843320f99659a102a
SHA1: 7d2150ee476c59b7de5c0fe6e1e7d662da47d31b
SHA256: d6b0d2b0dff59d694ffcc34eaaf52d0c8c414eb3706f6dabc99f959ce74a8c34
SHA512: 615e067a566f24cf4b3c7e4f7f2899696df6cb5d0cc7d7854818464324257a54060b4874dc0f82c307611937e1620b05dc787f2a79e07745dc5de2c260fb8fd4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize: 68KB
MD5: 29f65ba8e88c063813cc50a4ea544e93
SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: ad6524369aea103254094f42561c7a39
SHA1: 4821b4a2d5c89dbc4ba35c870fd9d86f17af04f9
SHA256: 00e9351bb149d9a04ad990a8fbdac352405cad2923e0e8f80158e4387c76b46a
SHA512: 79b9ebf944a7b09a7e9ad5b65d5a0a7a81c6a12e3f33a26fec14d9991f88c7e9d6eaed68114d23c457de4a1259df5e0ef65daf2fe6566257d3cd2b16d0e928b8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: ed41bac9e2668be2d18b1b3a840edd14
SHA1: 1da59c1cb2f86e98987bb4247a2c5caa7ca670a9
SHA256: 03961a0086c66a1b4cde4ffa9f757bd1929e1d8e451e89a0c72f9bca0c2230d6
SHA512: 224c4cd03f2fd49f31421f042f46e2cf5c598f505bc32f7e1413cae17e51e09052b5796d71f4f88dab13b93593798ac0923aea2c763c192e55493a7bb35e7787
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: ce7b43ddff0d1e67c8ce784e41e84b74
SHA1: bb6984c479cfb8f4cdba74fdd856c94bf061ecf2
SHA256: 802dceb683a924a13bebe2de8ef24be7253e3da562e3df8c16dc826bf8965b45
SHA512: 89ca39169940fd6d82ecc68ecc9665b9c28d521487efbab5b1d12557e9722d37027a90a38628c3de37e04b49c6a934fb25cbe491aecc07b5974caf2bf0036939
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 1a5852b1f6324d26fd15099c76f0b7f1
SHA1: 05c61ab62336be45b360588a1b742705779fb4bf
SHA256: ff4fa05d8d88566ca1ed8c1f98c9baf9ddaee17772dd9232ea9a429abfb4a773
SHA512: a1e0ab40ebad12ea10a28089418d96bde4f81fe2d5a54f61328ce9c4a88a0b2af47d29e027ff9d6d4cdf024c7e9a9fefda6c4db1213db570f689b6d619281492
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 58abffc5635d971e84390920cc8cd3ac
SHA1: 37e2cc6bbde413961a88c202a1280b30987ca35a
SHA256: 256a679f57232377d2e73c6e13eff4c2ff42febf7260f0d8f65fa3390e7a347b
SHA512: 5f342d6fc84274d578d64047b6f4cb9011d937f55c7125367962c2a27927cc08513bf6db9ecf26d53330d82c2e579841f0333b1066e0810dc7a9a2a1ce17d8d2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: efbd4b26b75724b2143890ecc0a02be6
SHA1: 18096bf352ac1afdea77b12b1e149b85b504b956
SHA256: 04458e9653d981c723a84d5c937bf44ab1ab6f84cdfd52daa087433134f1bbd1
SHA512: ccc75d2a8331350ce19526552bcab035c33b7a9e242d80c3990f9af1df82a8652a05543a18b817401c9009ca5ac1d48068a123e6beb0d9d87e768ab04cebdc61
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 8a00d587a79f9c031d1e12a7c60c7f7e
SHA1: 7350840ed0ab995794e1cd1ebad7420e9edbef0a
SHA256: 27f56ce7637dbdfde7d5548f85fc874afb048a68d73dca73bd07f0d2dd1d32be
SHA512: bd4508283d86932dddb0adecba9929098f22923ffd9d7bfd4f457300ad152f9fa01646a6836a52f264a8c2ceb177f0b9d736318209c71c3cf1215b2095c6e270
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 97085461197ac5107c6898f404e13b8d
SHA1: 02722f415f4d37db4a61e5379bd91af8c97114c8
SHA256: 12659632e28a52f05dd9396623f6402fa67b6aaabd46dc5b524067531f0b35d0
SHA512: 282f5141f3a5d8e5bb2fc3209b2cac8530e5362536df6867efc58cc8e799d0026456066486a699f017b3153d5a119f3cb9cad537a77adc8beaa752a434cbaaa3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: f6da279670175538d24992a08f475a39
SHA1: 2b6218751870877f1daa2eab28a7064f5cb6cb21
SHA256: cf7d41943a5b5800fa73333d60f0fc9e211ba7a4ae91bdab2718bf6d1fd57379
SHA512: 7727daa344c73904a3567ebec3ce2513720bcf334b1e8c39173729c3214560da4c8b56e987a931644af7dfd5487d2812b6c5e9c5efac15c96421db609371f460
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5fb78a30bf96c020a696993e752da8cd3
SHA1b39ef18d918154cb21948098f520749a51dc1d4c
SHA2565d57c1c05880b464e7590fc30d30d1ec07b00f2af9d84a2109b8793ae93a0907
SHA51296d5cea580fe9bbd44824551611b9fc6150aaeabb4602033de840808197c3c4b98f5722a07ff131fdd283ad7170160e823f6daad3a5b547ff469e270eed152d3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD55f2c4ee316be84c9e0c521dac01f5e11
SHA19d12bbc00156b576e0a60784c16ad99efa84142a
SHA2566f737bc58e556a4b1e48de408474057e9efef9a3b4822b0642b9b3f2683cad89
SHA5127de191595c87b63e00bf4444f189bff2dd7ae416aba26b153032e488b479222a703ccf9f7d31f692c80e22698a1de6fdec34ce7cc27094c706e4a9f8c139457e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5af28d6344d21301ee5c306f8a9c22ac7
SHA17b2d6b369c9f884870ced4e41ef9043f1b12cfb1
SHA256ebfdee9a7398963d5577180ecdf1bb9d3283be707c94e52e301e942b71a5499a
SHA512d4cb2abd571e7479b102cb6d5423f6fcd401764218ec127e5a1ad1609e0cf4dc7afb203e0aabb9007282fd44ee00ac07d0731630f20e3a4b3bddf1150570cae2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD54f75b28d0e70bfad3b74fea37a0eb067
SHA1f576937de28eb809b18a9ba4d5a12b747db84e54
SHA25624a93718a6973bc7e9c9eaeb1e3380e33373c440b9ebcd99059e7252a7ad3303
SHA512aacfc47093da2982e80d1aade10a015ca0119abdf18d45f170afcc0e28dc022e0688d4d2b2b418d4b39e44c2dc9466db1f62fd789dda95c75203cbd6f4d3ea67
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5139d671882c90139718aa3feaaec7a3c
SHA17d15441720954e2c21d09f1c5b677b4a225a9c84
SHA256eea794ff7c9e4d312ec3c164c7fbff444cb60e7e68732a7ac8cfeb5db3aeb9bb
SHA51297738890581a44b7d3bc346fd6eb675589d9de0f288641036a658e7fc7e4f58c8f07f3ff4b46703f03f7f45c96af24f00e131745b74179cbeb85801018d301a8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5d5549a79290e479bf97aa220052cb367
SHA13f53f3f228fc8435db17e953b605d65e289beff3
SHA256b208283116a9c21c8a265762e96796cbff019e7ec9a1c8e844fee704aa0fab6a
SHA512ab86ed1c9249f6a85fb1f4ed5cca6561e2af24d3841851f6e8dbc0199a5edac028c44f9f7b3842ec11ad3729051bb8a1e9715916159a178ca107e5f23fd0f022
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5e8ce59996e85fbefa8e7a64333994f55
SHA1d54507e8e9d13f5245015a61bda08554dd92097b
SHA256df91bcdd4e8ab8ddf78440314eaf6861ce0f779133af3a8ea64d9ad87b6ea3bb
SHA5129294474c2fb202b238c44d1963a861b3214286766fb488a8e9d7fb066f28b17e290e7973bd49a25dcdc56d4535ee1c023d3a0d913a411ff274d694840200dcd8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5f7f355f0ca0055145c1e4af109538997
SHA1537a85c28d1e3e268a6f333d2847e9d90074dc30
SHA256de7c3c1f7cb392254ded36d05226a4f99948fb744d1367812440676aebe4e87a
SHA512dc2eb6a71fdbe12fa88aec00a5d3e54469680d3e79549ab160129dacf638d695160b36fbb9a96a57ac602e0a59425fdc9de49dda2ee842a712348d256d9a42ef
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5ee8440bfb273bb4a313ac1b7d324f0bb
SHA136b35b8ef50a3c3bb32be08cce2a963cc08c8fee
SHA256d7b649427202b0b9324ddbd4df23cb2fa301c722779ebda2b233c50a6a7bb746
SHA512f1a37296bbbec9bc2143de8c22ca0cfeff9e4500148f13807cecfc5a26121202d3256f108b1c24b290c698378131010b98abf2e1fc6f7c2025bdc68739462671
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5b1e587793dc2c6a82b7cef8805092e3f
SHA10b995cd4b97cb8cba83d270e43d5574ed26b937a
SHA25684dfba0ef98ab0ce6ca3666238a54af78f5b81ce89f680b9321ff3fcbb9f34ef
SHA512831902314987e436a6e19c0a8a83d981aa947537c1b0840866d6cc88103da3007620eb688c9f7f26e330f8a028c8575c06681678360dfab7eb3b869630daa1a0
-
C:\Users\Admin\AppData\Local\Temp\Cab83D3.tmpFilesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\Tar84A5.tmpFilesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Windows\lkccchvsalkt.exeFilesize
336KB
MD5054d68e1b21ca7d723170ab0a76ecade
SHA136495fdc5e9784e09e8c11838c3ad3653f987fa8
SHA25685fbae8101c1214be4247bba710cbda6d4af6889cdce838a0ace154f1487f581
SHA5121f517a80a5eb9c77b1c5a56421c27b6653b75e35728d121576340a9f99dbfb10a59a0e5459b2df592851cd122dfaffb970feb9423a13ca09c2bfba95df3b7555
-
memory/1236-5953-0x0000000000130000-0x0000000000132000-memory.dmpFilesize
8KB
-
memory/2012-16-0x0000000000700000-0x0000000000785000-memory.dmpFilesize
532KB
-
memory/2012-1-0x0000000000400000-0x0000000000485000-memory.dmpFilesize
532KB
-
memory/2012-0-0x0000000000700000-0x0000000000785000-memory.dmpFilesize
532KB
-
memory/2012-15-0x0000000000400000-0x0000000000485000-memory.dmpFilesize
532KB
-
memory/2836-6440-0x0000000000400000-0x0000000000485000-memory.dmpFilesize
532KB
-
memory/2836-6157-0x0000000000400000-0x0000000000485000-memory.dmpFilesize
532KB
-
memory/2836-5952-0x0000000002F20000-0x0000000002F22000-memory.dmpFilesize
8KB
-
memory/2836-5714-0x0000000000400000-0x0000000000485000-memory.dmpFilesize
532KB
-
memory/2836-2680-0x0000000000400000-0x0000000000485000-memory.dmpFilesize
532KB
-
memory/2836-14-0x0000000000270000-0x00000000002F5000-memory.dmpFilesize
532KB