teslacrypt | 37c84094c452b235cc310346dea26829afe3e714383ccfa03beeaadd952200e1

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
09-05-2024 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a6d24e8860bbd84be02f3062d16a753_JaffaCakes118.exe
Size

352KB
MD5

2a6d24e8860bbd84be02f3062d16a753
SHA1

f7d4cf1c34c98c365b6d0db5da54fffc1f6cf70d
SHA256

37c84094c452b235cc310346dea26829afe3e714383ccfa03beeaadd952200e1
SHA512

602cd0a0d3d3fc7c55a21fc43672e5611044f450e10b13df597504867ef62d58dbef4e1730fdff4c1d0c7bfe6d43503de3827d3f407788e937e886593bd2412b
SSDEEP

6144:vcx+HObXwqYhtJwrJpPiGwic9WpAaUFlWzXARG8tdNeIFmi886hxLA8jHntLT:j7/gJpPiGTcApAQXCzdN9Fm9bc8

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+hwrkw.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/BDAF98769F4E9E6F 2. http://tes543berda73i48fsdfsd.keratadze.at/BDAF98769F4E9E6F 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/BDAF98769F4E9E6F If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/BDAF98769F4E9E6F 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/BDAF98769F4E9E6F http://tes543berda73i48fsdfsd.keratadze.at/BDAF98769F4E9E6F http://tt54rfdjhb34rfbnknaerg.milerteddy.com/BDAF98769F4E9E6F *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/BDAF98769F4E9E6F

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/BDAF98769F4E9E6F

http://tes543berda73i48fsdfsd.keratadze.at/BDAF98769F4E9E6F

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/BDAF98769F4E9E6F

http://xlowfznrg4wf7dli.ONION/BDAF98769F4E9E6F

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (425) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2416	cmd.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+hwrkw.txt	dhocjaekutqc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+hwrkw.html	dhocjaekutqc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+hwrkw.png	dhocjaekutqc.exe

Executes dropped EXE 2 IoCs

pid	Process
3048	dhocjaekutqc.exe
1652	dhocjaekutqc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\ifefxbqwaygj = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\dhocjaekutqc.exe\""	dhocjaekutqc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2836 set thread context of 2544	2836	2a6d24e8860bbd84be02f3062d16a753_JaffaCakes118.exe	28
PID 3048 set thread context of 1652	3048	dhocjaekutqc.exe	34

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\_RECOVERY_+hwrkw.png	dhocjaekutqc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_ButtonGraphic.png	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\_RECOVERY_+hwrkw.txt	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\flyoutBack.png	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\en-US\_RECOVERY_+hwrkw.txt	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\fr-FR\_RECOVERY_+hwrkw.txt	dhocjaekutqc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\_RECOVERY_+hwrkw.html	dhocjaekutqc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\_RECOVERY_+hwrkw.txt	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\localizedStrings.js	dhocjaekutqc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv	dhocjaekutqc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\decorative_rule.png	dhocjaekutqc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\content-background.png	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_basestyle.css	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\_RECOVERY_+hwrkw.png	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\17.png	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_bottom.png	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\_RECOVERY_+hwrkw.png	dhocjaekutqc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\_RECOVERY_+hwrkw.txt	dhocjaekutqc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\_RECOVERY_+hwrkw.txt	dhocjaekutqc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\_RECOVERY_+hwrkw.html	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_RECOVERY_+hwrkw.txt	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_windy.png	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_RECOVERY_+hwrkw.txt	dhocjaekutqc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\_RECOVERY_+hwrkw.txt	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Windows Journal\_RECOVERY_+hwrkw.html	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\45.png	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full.png	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\_RECOVERY_+hwrkw.png	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\_RECOVERY_+hwrkw.html	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\_RECOVERY_+hwrkw.html	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Windows Sidebar\fr-FR\_RECOVERY_+hwrkw.html	dhocjaekutqc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\_RECOVERY_+hwrkw.png	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-last-quarter.png	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_RECOVERY_+hwrkw.png	dhocjaekutqc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_SelectionSubpicture.png	dhocjaekutqc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\_RECOVERY_+hwrkw.html	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\_RECOVERY_+hwrkw.txt	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_left_mouseout.png	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\_RECOVERY_+hwrkw.html	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\_RECOVERY_+hwrkw.txt	dhocjaekutqc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\_RECOVERY_+hwrkw.png	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\_RECOVERY_+hwrkw.png	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_RECOVERY_+hwrkw.txt	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\_RECOVERY_+hwrkw.txt	dhocjaekutqc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\_RECOVERY_+hwrkw.html	dhocjaekutqc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tet\_RECOVERY_+hwrkw.txt	dhocjaekutqc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\_RECOVERY_+hwrkw.html	dhocjaekutqc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png	dhocjaekutqc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\_RECOVERY_+hwrkw.txt	dhocjaekutqc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\_RECOVERY_+hwrkw.html	dhocjaekutqc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ckb\_RECOVERY_+hwrkw.html	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\_RECOVERY_+hwrkw.png	dhocjaekutqc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\pushplaysubpicture.png	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\_RECOVERY_+hwrkw.png	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot.png	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)greenStateIcon.png	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\_RECOVERY_+hwrkw.txt	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\_RECOVERY_+hwrkw.txt	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\en-US\_RECOVERY_+hwrkw.html	dhocjaekutqc.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\_RECOVERY_+hwrkw.txt	dhocjaekutqc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\dhocjaekutqc.exe	2a6d24e8860bbd84be02f3062d16a753_JaffaCakes118.exe
File opened for modification	C:\Windows\dhocjaekutqc.exe	2a6d24e8860bbd84be02f3062d16a753_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0d9be9d1ea2da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc233000000000200000000001066000000010000200000000bc4adbb2ca6a18d02bb18ea3b9f5413863ab6aca48b1b309d6c7d3771131684000000000e80000000020000200000005099a9ed31ab12fd0e8257828c52bc36e31afe2e9e998171619eba62547e6f2b90000000f61d4b6f598060e832338bf4be5197c7098d20743915ddccb53f00481f48447dd944abd038e59eac09a1d76d45075d1a4576028650b25d6e377c99766cc1c372ecf3c3adf9eeb8706f05d57bbb482078966f8ef17e85140d3693ee4d5f77201f51ea8c296af4ddc730c4d5689e5828383e3f3977e8680c3e48b1b8cb700eee92c8d655b554437353092e4816d56a938240000000fb275e5ec7d739569a8b3acb94a78743a61a2e7bab356845e1358980aed6326019e8f0d823a20425acd706c8b0701099eb43075436cfd4a28eab1056e3522828	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C950EEA1-0E11-11EF-9680-DA96D1126947} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc233000000000200000000001066000000010000200000008162fd2f05bd71f0c3788b70915a84d1f25bef6e476b6e0630094b59319191ed000000000e800000000200002000000070ee96e3a39d749c24bfbdec031bb8a8ce600aa97760fce45d05c033e1e451a42000000013510976945109f478cade399bbaa8fe1c501c49d235cc3476e5cd1b9572478240000000593f7d92313777fa859a5cd0aac232ece5bdef4f02720e52aaac38998e29355633bdd3970d9ecf93eb17040d3e4ec228ac5fa0943233bc00d08e8ee1a9c54ef4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2164	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe
1652	dhocjaekutqc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2544	2a6d24e8860bbd84be02f3062d16a753_JaffaCakes118.exe
Token: SeDebugPrivilege	1652	dhocjaekutqc.exe
Token: SeIncreaseQuotaPrivilege	2400	WMIC.exe
Token: SeSecurityPrivilege	2400	WMIC.exe
Token: SeTakeOwnershipPrivilege	2400	WMIC.exe
Token: SeLoadDriverPrivilege	2400	WMIC.exe
Token: SeSystemProfilePrivilege	2400	WMIC.exe
Token: SeSystemtimePrivilege	2400	WMIC.exe
Token: SeProfSingleProcessPrivilege	2400	WMIC.exe
Token: SeIncBasePriorityPrivilege	2400	WMIC.exe
Token: SeCreatePagefilePrivilege	2400	WMIC.exe
Token: SeBackupPrivilege	2400	WMIC.exe
Token: SeRestorePrivilege	2400	WMIC.exe
Token: SeShutdownPrivilege	2400	WMIC.exe
Token: SeDebugPrivilege	2400	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2400	WMIC.exe
Token: SeRemoteShutdownPrivilege	2400	WMIC.exe
Token: SeUndockPrivilege	2400	WMIC.exe
Token: SeManageVolumePrivilege	2400	WMIC.exe
Token: 33	2400	WMIC.exe
Token: 34	2400	WMIC.exe
Token: 35	2400	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2400	WMIC.exe
Token: SeSecurityPrivilege	2400	WMIC.exe
Token: SeTakeOwnershipPrivilege	2400	WMIC.exe
Token: SeLoadDriverPrivilege	2400	WMIC.exe
Token: SeSystemProfilePrivilege	2400	WMIC.exe
Token: SeSystemtimePrivilege	2400	WMIC.exe
Token: SeProfSingleProcessPrivilege	2400	WMIC.exe
Token: SeIncBasePriorityPrivilege	2400	WMIC.exe
Token: SeCreatePagefilePrivilege	2400	WMIC.exe
Token: SeBackupPrivilege	2400	WMIC.exe
Token: SeRestorePrivilege	2400	WMIC.exe
Token: SeShutdownPrivilege	2400	WMIC.exe
Token: SeDebugPrivilege	2400	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2400	WMIC.exe
Token: SeRemoteShutdownPrivilege	2400	WMIC.exe
Token: SeUndockPrivilege	2400	WMIC.exe
Token: SeManageVolumePrivilege	2400	WMIC.exe
Token: 33	2400	WMIC.exe
Token: 34	2400	WMIC.exe
Token: 35	2400	WMIC.exe
Token: SeBackupPrivilege	1248	vssvc.exe
Token: SeRestorePrivilege	1248	vssvc.exe
Token: SeAuditPrivilege	1248	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2436	WMIC.exe
Token: SeSecurityPrivilege	2436	WMIC.exe
Token: SeTakeOwnershipPrivilege	2436	WMIC.exe
Token: SeLoadDriverPrivilege	2436	WMIC.exe
Token: SeSystemProfilePrivilege	2436	WMIC.exe
Token: SeSystemtimePrivilege	2436	WMIC.exe
Token: SeProfSingleProcessPrivilege	2436	WMIC.exe
Token: SeIncBasePriorityPrivilege	2436	WMIC.exe
Token: SeCreatePagefilePrivilege	2436	WMIC.exe
Token: SeBackupPrivilege	2436	WMIC.exe
Token: SeRestorePrivilege	2436	WMIC.exe
Token: SeShutdownPrivilege	2436	WMIC.exe
Token: SeDebugPrivilege	2436	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2436	WMIC.exe
Token: SeRemoteShutdownPrivilege	2436	WMIC.exe
Token: SeUndockPrivilege	2436	WMIC.exe
Token: SeManageVolumePrivilege	2436	WMIC.exe
Token: 33	2436	WMIC.exe
Token: 34	2436	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2932	iexplore.exe
240	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2932	iexplore.exe
2932	iexplore.exe
2744	IEXPLORE.EXE
2744	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 2544	2836	2a6d24e8860bbd84be02f3062d16a753_JaffaCakes118.exe	28
PID 2836 wrote to memory of 2544	2836	2a6d24e8860bbd84be02f3062d16a753_JaffaCakes118.exe	28
PID 2836 wrote to memory of 2544	2836	2a6d24e8860bbd84be02f3062d16a753_JaffaCakes118.exe	28
PID 2836 wrote to memory of 2544	2836	2a6d24e8860bbd84be02f3062d16a753_JaffaCakes118.exe	28
PID 2836 wrote to memory of 2544	2836	2a6d24e8860bbd84be02f3062d16a753_JaffaCakes118.exe	28
PID 2836 wrote to memory of 2544	2836	2a6d24e8860bbd84be02f3062d16a753_JaffaCakes118.exe	28
PID 2836 wrote to memory of 2544	2836	2a6d24e8860bbd84be02f3062d16a753_JaffaCakes118.exe	28
PID 2836 wrote to memory of 2544	2836	2a6d24e8860bbd84be02f3062d16a753_JaffaCakes118.exe	28
PID 2836 wrote to memory of 2544	2836	2a6d24e8860bbd84be02f3062d16a753_JaffaCakes118.exe	28
PID 2836 wrote to memory of 2544	2836	2a6d24e8860bbd84be02f3062d16a753_JaffaCakes118.exe	28
PID 2544 wrote to memory of 3048	2544	2a6d24e8860bbd84be02f3062d16a753_JaffaCakes118.exe	29
PID 2544 wrote to memory of 3048	2544	2a6d24e8860bbd84be02f3062d16a753_JaffaCakes118.exe	29
PID 2544 wrote to memory of 3048	2544	2a6d24e8860bbd84be02f3062d16a753_JaffaCakes118.exe	29
PID 2544 wrote to memory of 3048	2544	2a6d24e8860bbd84be02f3062d16a753_JaffaCakes118.exe	29
PID 2544 wrote to memory of 2416	2544	2a6d24e8860bbd84be02f3062d16a753_JaffaCakes118.exe	30
PID 2544 wrote to memory of 2416	2544	2a6d24e8860bbd84be02f3062d16a753_JaffaCakes118.exe	30
PID 2544 wrote to memory of 2416	2544	2a6d24e8860bbd84be02f3062d16a753_JaffaCakes118.exe	30
PID 2544 wrote to memory of 2416	2544	2a6d24e8860bbd84be02f3062d16a753_JaffaCakes118.exe	30
PID 3048 wrote to memory of 1652	3048	dhocjaekutqc.exe	34
PID 3048 wrote to memory of 1652	3048	dhocjaekutqc.exe	34
PID 3048 wrote to memory of 1652	3048	dhocjaekutqc.exe	34
PID 3048 wrote to memory of 1652	3048	dhocjaekutqc.exe	34
PID 3048 wrote to memory of 1652	3048	dhocjaekutqc.exe	34
PID 3048 wrote to memory of 1652	3048	dhocjaekutqc.exe	34
PID 3048 wrote to memory of 1652	3048	dhocjaekutqc.exe	34
PID 3048 wrote to memory of 1652	3048	dhocjaekutqc.exe	34
PID 3048 wrote to memory of 1652	3048	dhocjaekutqc.exe	34
PID 3048 wrote to memory of 1652	3048	dhocjaekutqc.exe	34
PID 1652 wrote to memory of 2400	1652	dhocjaekutqc.exe	35
PID 1652 wrote to memory of 2400	1652	dhocjaekutqc.exe	35
PID 1652 wrote to memory of 2400	1652	dhocjaekutqc.exe	35
PID 1652 wrote to memory of 2400	1652	dhocjaekutqc.exe	35
PID 1652 wrote to memory of 2164	1652	dhocjaekutqc.exe	43
PID 1652 wrote to memory of 2164	1652	dhocjaekutqc.exe	43
PID 1652 wrote to memory of 2164	1652	dhocjaekutqc.exe	43
PID 1652 wrote to memory of 2164	1652	dhocjaekutqc.exe	43
PID 1652 wrote to memory of 2932	1652	dhocjaekutqc.exe	44
PID 1652 wrote to memory of 2932	1652	dhocjaekutqc.exe	44
PID 1652 wrote to memory of 2932	1652	dhocjaekutqc.exe	44
PID 1652 wrote to memory of 2932	1652	dhocjaekutqc.exe	44
PID 2932 wrote to memory of 2744	2932	iexplore.exe	46
PID 2932 wrote to memory of 2744	2932	iexplore.exe	46
PID 2932 wrote to memory of 2744	2932	iexplore.exe	46
PID 2932 wrote to memory of 2744	2932	iexplore.exe	46
PID 1652 wrote to memory of 2436	1652	dhocjaekutqc.exe	47
PID 1652 wrote to memory of 2436	1652	dhocjaekutqc.exe	47
PID 1652 wrote to memory of 2436	1652	dhocjaekutqc.exe	47
PID 1652 wrote to memory of 2436	1652	dhocjaekutqc.exe	47
PID 1652 wrote to memory of 1536	1652	dhocjaekutqc.exe	49
PID 1652 wrote to memory of 1536	1652	dhocjaekutqc.exe	49
PID 1652 wrote to memory of 1536	1652	dhocjaekutqc.exe	49
PID 1652 wrote to memory of 1536	1652	dhocjaekutqc.exe	49

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	dhocjaekutqc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	dhocjaekutqc.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2a6d24e8860bbd84be02f3062d16a753_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2a6d24e8860bbd84be02f3062d16a753_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Users\Admin\AppData\Local\Temp\2a6d24e8860bbd84be02f3062d16a753_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2a6d24e8860bbd84be02f3062d16a753_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\dhocjaekutqc.exe
    C:\Windows\dhocjaekutqc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\dhocjaekutqc.exe
      C:\Windows\dhocjaekutqc.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1652
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:2164
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2932 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2744
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\DHOCJA~1.EXE
        5⤵
        
        PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2A6D24~1.EXE
    3⤵
    - Deletes itself
    PID:2416

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+hwrkw.html

Filesize
11KB

MD5
575b593e345bc2e7eaf8588662384e89

SHA1
6990cc765d79a735c9e2fe9de686259545ec8422

SHA256
b5d148ff37b88da50e9d0b40241a5ae063c63ab7e9bf1f5619dee914fe3ccd4e

SHA512
9587ce5be5df6bbd279e4e16c3dd28cd40e98e28bfccbb67782118ca73d34f6924cc41f115f31c80ea4f68175c6a772a52f4b9494ffb9dcf6193aee2ef49b43c

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+hwrkw.png

Filesize
62KB

MD5
810b4b0d5013d38d939fa16930f8ef9a

SHA1
bb25ccb1c635d85baa22c8808460736cb64ff85d

SHA256
3d9185dc3c70e464fa080b33d814a6b49759c3fb76bf561c9c43b83fd78829b8

SHA512
c1bb1645f6ce715f320b5321782b2105e04aa7ccedcd6388c651e9e26522eba81025baea26b24ce453d976a2154940663a663b2a318121d29e72a381a2e6cb62

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+hwrkw.txt

Filesize
1KB

MD5
cdb35713be8c50eb3235ea83975b2300

SHA1
bc816f5316d8b941132538309f0e0bfe25695361

SHA256
a9586ffe90aaab09ac2dadb0a3c7f153ca6e004387793f9869fd5000bafb1644

SHA512
011e6177701d4b86973e8dc566241d584b0157518bc4f5ab4f71b6e78fbae2d426b5bd71c2aa1353f86ef604d76c0e36322f0fc09397f2e4612e71fb72f07814

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
4df1ced662c9fefb1b02bbc3c88e15f2

SHA1
c605381552dc16d0c78656e05101bd8c8bb58d29

SHA256
fa42e6f8c1ba16a311318c613ac377bf050ba198a6001f0c623a9ce3f51b35b5

SHA512
1892a196561a93b380264f94ddb6ff89234ad20a36d619f81cedf75ad7bf2438585a6a53cb290a5b110d8bd236adc425ab2107f49ff5c27a10c155196d0c3687

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
9ba0b9c26b87c246029c38ffdf84ca4d

SHA1
fec643c4d8e17707aaf434e0b494084423ccb2bb

SHA256
9caa988bbd1b612358bef83541e583845613c56bd49df7b9a4396ffc7f8bf717

SHA512
7365130adbbb21c207144b358412a4f0d59b2c026a6b284d37a42b41ea3d8e4a48eb1a7b40080849950541ea36bb014767c1b9d2357a641df79b168fe20d8368

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
7ba56892280c3d13ecabe9bb61b11081

SHA1
2192b6b368e56b2d822f679b001e0920f0b9d5a7

SHA256
ecd1bb90c568b1dbf2cd98744329f9b727a54708b203aab99e52978110d91e57

SHA512
282b529e5cc1c046b79bc6a780b2b30a79e2ddf30aaf1e4d2ba1fbdfc1ed47fedc35ca54bfcc42a2c7df3594ad81267c88bdebe8d7655dfe8a6c010275c37090

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d7256e768a989afe3830eca11b54cedb

SHA1
db23515d2b4e12baa27f7ac0d5113c5962d8c588

SHA256
c97dfb97948524cc77f1f3c2af1bf151dc8be1f0079e9fe75410ebc2ffaceefe

SHA512
da7ed5b1a88d03d729e586669c42af2d4c8b5c8fd3358995c203e936b6bf4d072986e441ce4d910088b66d47f4950e0eef7bca22993cbee50ac98bdba3f427ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
798fd55eec879ec0bafa95f6f3f67491

SHA1
fecd8e2d5463dbc10352de6840f94fbc85740bd9

SHA256
d3377b04131b58f42b225b295abb8ceeeebf03a4a5c183aa1ab48dcb2d9e6a45

SHA512
d82707cc77c5f089f3cf1ffa2cd86569abce75996612d77888fb9c1a31f728ad173bcb3cbb42a91177e2743787e791c73547e3d30a18da85195163e62232c558

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
89c6a0101952c6a392f63fc71623f45c

SHA1
2478e890c655791028efdf2baa53c94cfdf1f2aa

SHA256
7af30ded20a1ede6366e8fdb42124492103f3f5ff867b31195540b0591412e7a

SHA512
58c521146109febf23f4b57262453f2b01bd5f861eddf4e6b7c2f354984fb71ef220892161f1740610d1ec43a1e75454e037cb6a930422172dbbb0390cdce9e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1606a6723ea078c4f10b82ce6687785f

SHA1
ec865b184e4d2f50a6869aa4a862c41346a7d99b

SHA256
cd97157efc2325029116a5b5b46da6428ae863113dac21d0640ce06be7939982

SHA512
be206fc95a8328145166b7f32a3b43475a789778b6a8ec29bcd04f202e8eec75fe6d2ee159d15c12f876dc7c111f736317a29e9c6a27ed8752a1db47204a716b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2294c6989c060b1af10f49e5163723ac

SHA1
9259ab4be4c9e615fe4702f9dd654aedacde3748

SHA256
8884bc90aff7fdc56e1f23114bd507c5d28dd444ba005a23176b359f18c13e1e

SHA512
b787e166e7ed48d1664e5b23fead07def2e6cb3ed1bc836e2e8e829551158bb2ca0fb89e848bf97b9956ce94c39e88389a2d877b62f27acbec6c3784177a1bcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ab0c97fd7751afa2e1d958575a59527d

SHA1
7f0e48a2c6a1de008312b9eb513dfd17264529d4

SHA256
a0161c152f932e9b11e50862487144f7e4b6425cbb9b00dcd0f2f0066b840456

SHA512
3de49bb7f0e93b49ca551d322fc59492914aa847ff59dea1772a762a18f915d631d2ecd4947f75423b7055ee09366e2f12d0201fe9e5728abfaa7790cf9a73cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7b0fd0fa264d5f4da8f02de421265b84

SHA1
48255cc7f6b22eba5dc618183889dded4bd28009

SHA256
a4358d5a7c7cba220c90d25a0cb2ddc4ce67360b18adf3efc3cd84308404f20c

SHA512
82c1600b2da1896cca8a16d253e30b829cd9e75860d71da3e9bd08fb3e4c5ab8124fe7f137578a2219eaef9e7b65c5054d3e0c069eeff08257b273ae9045e2cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
df4c1e35fa35db3e84d5c4eaad5c845c

SHA1
d39fd2e6058ebd0dae6bbe251a70c6692b3f43c0

SHA256
2b035efa769f2f3258468255c8235c58a0387650ff50cd5c6e614dc4ace5ce24

SHA512
8ac8d9566e354ce3973d2cca09e34124035dbdab3680cdfb36c6cae50254ae8b9f2479f9c89b565d3cbaddddee41d95dadd3d6eab0cdfff9152fe2633e4fdb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab934D.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar941F.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\dhocjaekutqc.exe

Filesize
352KB

MD5
2a6d24e8860bbd84be02f3062d16a753

SHA1
f7d4cf1c34c98c365b6d0db5da54fffc1f6cf70d

SHA256
37c84094c452b235cc310346dea26829afe3e714383ccfa03beeaadd952200e1

SHA512
602cd0a0d3d3fc7c55a21fc43672e5611044f450e10b13df597504867ef62d58dbef4e1730fdff4c1d0c7bfe6d43503de3827d3f407788e937e886593bd2412b

Download Submit
memory/240-6026-0x0000000000130000-0x0000000000132000-memory.dmp

Filesize
8KB

Download
memory/1652-1552-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1652-5678-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1652-48-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1652-6520-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1652-46-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1652-44-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1652-2497-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1652-6094-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1652-6019-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1652-6025-0x0000000002AE0000-0x0000000002AE2000-memory.dmp

Filesize
8KB

Download
memory/1652-45-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1652-6028-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1652-6517-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1652-50-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2544-26-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2544-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2544-16-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2544-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2544-7-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2544-9-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2544-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2544-15-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2544-13-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2544-3-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2836-0-0x0000000000400000-0x000000000086C000-memory.dmp

Filesize
4.4MB

Download
memory/3048-27-0x0000000000400000-0x000000000086C000-memory.dmp

Filesize
4.4MB

Download