teslacrypt | 0f5bfe270ccd6b20554570e407cc0490477030b4cbb3a991fb647810d6a75039

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
11-05-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3615c9ef28ac6b885405ad433b338ce9_JaffaCakes118.exe
Size

284KB
MD5

3615c9ef28ac6b885405ad433b338ce9
SHA1

8b39c75a87aba608976d6ebc5be6d511b82fd634
SHA256

0f5bfe270ccd6b20554570e407cc0490477030b4cbb3a991fb647810d6a75039
SHA512

5d94bb315e1a2f0dd3784c4ccced48f5cbf29d9a4fb776ad88e504fc9123e725a333af49e5ac453b21b3094941c546c5543ac9f8737917d9c9ecc035fc4e51d1
SSDEEP

6144:boW9C/rhcrTk04UshxYi+tziVivz6dKbZi2QCFenag:pCDurTk02hnEz6s02Fenag

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+bylvw.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/744B6A9EF77EBC 2 - http://u54bbnhf354fbkh254tbkhjbgy8258gnkwerg.tahaplap.com/744B6A9EF77EBC 3 - http://w6bfg4hahn5bfnlsafgchkvg5fwsfvrt.hareuna.at/744B6A9EF77EBC If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/744B6A9EF77EBC 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/744B6A9EF77EBC http://u54bbnhf354fbkh254tbkhjbgy8258gnkwerg.tahaplap.com/744B6A9EF77EBC http://w6bfg4hahn5bfnlsafgchkvg5fwsfvrt.hareuna.at/744B6A9EF77EBC Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/744B6A9EF77EBC

URLs

http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/744B6A9EF77EBC

http://u54bbnhf354fbkh254tbkhjbgy8258gnkwerg.tahaplap.com/744B6A9EF77EBC

http://w6bfg4hahn5bfnlsafgchkvg5fwsfvrt.hareuna.at/744B6A9EF77EBC

http://xlowfznrg4wf7dli.ONION/744B6A9EF77EBC

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (394) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2576	cmd.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+bylvw.txt	cvvfakcvqtho.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+bylvw.html	cvvfakcvqtho.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+bylvw.png	cvvfakcvqtho.exe

Executes dropped EXE 1 IoCs

pid	Process
1900	cvvfakcvqtho.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\wlhrlkc = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\cvvfakcvqtho.exe"	cvvfakcvqtho.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_few-showers.png	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\7-Zip\Lang\_ReCoVeRy_+bylvw.html	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\en-US\_ReCoVeRy_+bylvw.txt	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\_ReCoVeRy_+bylvw.txt	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_ReCoVeRy_+bylvw.png	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\_ReCoVeRy_+bylvw.txt	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fa.pak	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_ReCoVeRy_+bylvw.html	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\_ReCoVeRy_+bylvw.txt	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\_ReCoVeRy_+bylvw.html	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\_ReCoVeRy_+bylvw.txt	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\_ReCoVeRy_+bylvw.txt	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\_ReCoVeRy_+bylvw.txt	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\_ReCoVeRy_+bylvw.txt	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_ReCoVeRy_+bylvw.txt	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bn.pak	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\_ReCoVeRy_+bylvw.html	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\_ReCoVeRy_+bylvw.png	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-down.png	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\_ReCoVeRy_+bylvw.txt	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\_ReCoVeRy_+bylvw.txt	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\_ReCoVeRy_+bylvw.txt	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\_ReCoVeRy_+bylvw.png	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Common Files\System\_ReCoVeRy_+bylvw.html	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\_ReCoVeRy_+bylvw.txt	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\weather.js	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new.png	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\_ReCoVeRy_+bylvw.txt	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\_ReCoVeRy_+bylvw.png	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macHandle.png	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile16.png	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\_ReCoVeRy_+bylvw.txt	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\_ReCoVeRy_+bylvw.png	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data\_ReCoVeRy_+bylvw.html	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\it-IT\_ReCoVeRy_+bylvw.png	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\_ReCoVeRy_+bylvw.png	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\_ReCoVeRy_+bylvw.png	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\_ReCoVeRy_+bylvw.html	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_pressed.png	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_ReCoVeRy_+bylvw.png	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_sun.png	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\_ReCoVeRy_+bylvw.html	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\_ReCoVeRy_+bylvw.txt	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_bkg_orange.png	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\_ReCoVeRy_+bylvw.png	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\controllers.js	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\_ReCoVeRy_+bylvw.html	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\spacer_highlights.png	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\_ReCoVeRy_+bylvw.txt	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\_ReCoVeRy_+bylvw.png	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\_ReCoVeRy_+bylvw.png	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\203x8subpicture.png	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_ReCoVeRy_+bylvw.html	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\en-US\_ReCoVeRy_+bylvw.html	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\settings.css	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\_ReCoVeRy_+bylvw.png	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\_ReCoVeRy_+bylvw.png	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\_ReCoVeRy_+bylvw.png	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_mainImage-mask.png	cvvfakcvqtho.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\blafdoc.css	cvvfakcvqtho.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\cvvfakcvqtho.exe	3615c9ef28ac6b885405ad433b338ce9_JaffaCakes118.exe
File opened for modification	C:\Windows\cvvfakcvqtho.exe	3615c9ef28ac6b885405ad433b338ce9_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c600000000020000000000106600000001000020000000e173d0e0bc35c56786801a2554e6794e671834cb1ea6fbd9f36e2084c58444bd000000000e8000000002000020000000ac5e5f8a816f5135bc5f84f617e019906fbd93847dc20a86df200435110c9f522000000054f76dc37b5da96ef4a73ddeb043f095545396c92d7c47bd03baa540e3f2c470400000005388f06d768828046af3ae6d4a3d35a5f58c6c36cf904d9f84b03a060958002b63869276284905e038958b820a7d03f8c77b8cf463a28dcdeed0b3e3e6311b5e	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40311e15d6a3da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c60000000002000000000010660000000100002000000052d2ceeef0b85549718ff103a500196b6a91c49ec5d2bd45df2383ca83487ac0000000000e8000000002000020000000c5ba7193055003c50235e372bad88d169be7ae2845b11f2468021907b75f60a790000000d8a66d476aab434f66bfc01696fb0c2821b987fd6a2f4372689fa6a56979f53fe55919dcfde7fec6bcc3c1e67c345c6d328c8db1f4ed4d96469e35be4ee9a15ba30fd066c8fadf7f47225700573b0384e46ad07d86887fafc511e53e03e82c506d2e72709d89d3f60b7d23900e46f950cf46a48777aee9ee9e50b5cf3cce51d034631a88423420e52d2948aa1a849dad40000000e4930f2efa2fd3ee468f2f7f96203d7b50bc9000dd38fa5cff23d3e55305a7d9b2ca5634701ded960a22367442ea634708a8ed0e3870afe68ba5a8f2341af5cc	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421616119"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{40A92221-0FC9-11EF-B20D-42D1C15895C4} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2612	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe
1900	cvvfakcvqtho.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	3615c9ef28ac6b885405ad433b338ce9_JaffaCakes118.exe
Token: SeDebugPrivilege	1900	cvvfakcvqtho.exe
Token: SeIncreaseQuotaPrivilege	2732	WMIC.exe
Token: SeSecurityPrivilege	2732	WMIC.exe
Token: SeTakeOwnershipPrivilege	2732	WMIC.exe
Token: SeLoadDriverPrivilege	2732	WMIC.exe
Token: SeSystemProfilePrivilege	2732	WMIC.exe
Token: SeSystemtimePrivilege	2732	WMIC.exe
Token: SeProfSingleProcessPrivilege	2732	WMIC.exe
Token: SeIncBasePriorityPrivilege	2732	WMIC.exe
Token: SeCreatePagefilePrivilege	2732	WMIC.exe
Token: SeBackupPrivilege	2732	WMIC.exe
Token: SeRestorePrivilege	2732	WMIC.exe
Token: SeShutdownPrivilege	2732	WMIC.exe
Token: SeDebugPrivilege	2732	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2732	WMIC.exe
Token: SeRemoteShutdownPrivilege	2732	WMIC.exe
Token: SeUndockPrivilege	2732	WMIC.exe
Token: SeManageVolumePrivilege	2732	WMIC.exe
Token: 33	2732	WMIC.exe
Token: 34	2732	WMIC.exe
Token: 35	2732	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2732	WMIC.exe
Token: SeSecurityPrivilege	2732	WMIC.exe
Token: SeTakeOwnershipPrivilege	2732	WMIC.exe
Token: SeLoadDriverPrivilege	2732	WMIC.exe
Token: SeSystemProfilePrivilege	2732	WMIC.exe
Token: SeSystemtimePrivilege	2732	WMIC.exe
Token: SeProfSingleProcessPrivilege	2732	WMIC.exe
Token: SeIncBasePriorityPrivilege	2732	WMIC.exe
Token: SeCreatePagefilePrivilege	2732	WMIC.exe
Token: SeBackupPrivilege	2732	WMIC.exe
Token: SeRestorePrivilege	2732	WMIC.exe
Token: SeShutdownPrivilege	2732	WMIC.exe
Token: SeDebugPrivilege	2732	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2732	WMIC.exe
Token: SeRemoteShutdownPrivilege	2732	WMIC.exe
Token: SeUndockPrivilege	2732	WMIC.exe
Token: SeManageVolumePrivilege	2732	WMIC.exe
Token: 33	2732	WMIC.exe
Token: 34	2732	WMIC.exe
Token: 35	2732	WMIC.exe
Token: SeBackupPrivilege	2372	vssvc.exe
Token: SeRestorePrivilege	2372	vssvc.exe
Token: SeAuditPrivilege	2372	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2712	WMIC.exe
Token: SeSecurityPrivilege	2712	WMIC.exe
Token: SeTakeOwnershipPrivilege	2712	WMIC.exe
Token: SeLoadDriverPrivilege	2712	WMIC.exe
Token: SeSystemProfilePrivilege	2712	WMIC.exe
Token: SeSystemtimePrivilege	2712	WMIC.exe
Token: SeProfSingleProcessPrivilege	2712	WMIC.exe
Token: SeIncBasePriorityPrivilege	2712	WMIC.exe
Token: SeCreatePagefilePrivilege	2712	WMIC.exe
Token: SeBackupPrivilege	2712	WMIC.exe
Token: SeRestorePrivilege	2712	WMIC.exe
Token: SeShutdownPrivilege	2712	WMIC.exe
Token: SeDebugPrivilege	2712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2712	WMIC.exe
Token: SeRemoteShutdownPrivilege	2712	WMIC.exe
Token: SeUndockPrivilege	2712	WMIC.exe
Token: SeManageVolumePrivilege	2712	WMIC.exe
Token: 33	2712	WMIC.exe
Token: 34	2712	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1772	iexplore.exe
328	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1772	iexplore.exe
1772	iexplore.exe
1856	IEXPLORE.EXE
1856	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 1900	2220	3615c9ef28ac6b885405ad433b338ce9_JaffaCakes118.exe	28
PID 2220 wrote to memory of 1900	2220	3615c9ef28ac6b885405ad433b338ce9_JaffaCakes118.exe	28
PID 2220 wrote to memory of 1900	2220	3615c9ef28ac6b885405ad433b338ce9_JaffaCakes118.exe	28
PID 2220 wrote to memory of 1900	2220	3615c9ef28ac6b885405ad433b338ce9_JaffaCakes118.exe	28
PID 2220 wrote to memory of 2576	2220	3615c9ef28ac6b885405ad433b338ce9_JaffaCakes118.exe	29
PID 2220 wrote to memory of 2576	2220	3615c9ef28ac6b885405ad433b338ce9_JaffaCakes118.exe	29
PID 2220 wrote to memory of 2576	2220	3615c9ef28ac6b885405ad433b338ce9_JaffaCakes118.exe	29
PID 2220 wrote to memory of 2576	2220	3615c9ef28ac6b885405ad433b338ce9_JaffaCakes118.exe	29
PID 1900 wrote to memory of 2732	1900	cvvfakcvqtho.exe	31
PID 1900 wrote to memory of 2732	1900	cvvfakcvqtho.exe	31
PID 1900 wrote to memory of 2732	1900	cvvfakcvqtho.exe	31
PID 1900 wrote to memory of 2732	1900	cvvfakcvqtho.exe	31
PID 1900 wrote to memory of 2612	1900	cvvfakcvqtho.exe	38
PID 1900 wrote to memory of 2612	1900	cvvfakcvqtho.exe	38
PID 1900 wrote to memory of 2612	1900	cvvfakcvqtho.exe	38
PID 1900 wrote to memory of 2612	1900	cvvfakcvqtho.exe	38
PID 1900 wrote to memory of 1772	1900	cvvfakcvqtho.exe	39
PID 1900 wrote to memory of 1772	1900	cvvfakcvqtho.exe	39
PID 1900 wrote to memory of 1772	1900	cvvfakcvqtho.exe	39
PID 1900 wrote to memory of 1772	1900	cvvfakcvqtho.exe	39
PID 1772 wrote to memory of 1856	1772	iexplore.exe	41
PID 1772 wrote to memory of 1856	1772	iexplore.exe	41
PID 1772 wrote to memory of 1856	1772	iexplore.exe	41
PID 1772 wrote to memory of 1856	1772	iexplore.exe	41
PID 1900 wrote to memory of 2712	1900	cvvfakcvqtho.exe	42
PID 1900 wrote to memory of 2712	1900	cvvfakcvqtho.exe	42
PID 1900 wrote to memory of 2712	1900	cvvfakcvqtho.exe	42
PID 1900 wrote to memory of 2712	1900	cvvfakcvqtho.exe	42
PID 1900 wrote to memory of 1844	1900	cvvfakcvqtho.exe	44
PID 1900 wrote to memory of 1844	1900	cvvfakcvqtho.exe	44
PID 1900 wrote to memory of 1844	1900	cvvfakcvqtho.exe	44
PID 1900 wrote to memory of 1844	1900	cvvfakcvqtho.exe	44

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cvvfakcvqtho.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	cvvfakcvqtho.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3615c9ef28ac6b885405ad433b338ce9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3615c9ef28ac6b885405ad433b338ce9_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\cvvfakcvqtho.exe
  C:\Windows\cvvfakcvqtho.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1900
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2612
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1772 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1856
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\CVVFAK~1.EXE
    3⤵
    PID:1844
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\3615C9~1.EXE
  2⤵
  - Deletes itself
  PID:2576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+bylvw.html

Filesize
11KB

MD5
4eb16139fbd118989406f57f384fa52b

SHA1
9b95cd8dda25a594c0adc949194d8b2b6fb85089

SHA256
009c80cdf0179b826ec89466a3af90e9f9e828b621ff36416a61c5944213ad2f

SHA512
b5b1729ae79c0697f463e9851e3d7eba42041b442db8392caa7f918be18fc96a19af06a79b4fb23e814aba721d02af92f28a0ba30e847633102889bfffbddb6e

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+bylvw.png

Filesize
64KB

MD5
30ae86b86ec7ee816ec4011f2099ae41

SHA1
8d12ffe8ff0d1760d7483b3123efad811194b04f

SHA256
fd10ed7811fcbae6b2bdaccb30957e5dd78c7088539d3c86431c955f336cf829

SHA512
4f373d3e378726165b1da13da4c4f3571dc050c9ac809cb6e1045b821a82b3bf2548a934c17956b69c9cee81530dc7724cedf183e882a93cca3bc3983811d4f0

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+bylvw.txt

Filesize
1KB

MD5
bfdd5525b858ad70a96b1bbcd790d175

SHA1
6c4aad0e2aa95bbe3a9e1c972605d9fc81cb4363

SHA256
d167f8b785a9c81b56b3a072ca8ba82e79d881893f924a48ccd6bf69c6515225

SHA512
6a24846278f81d2f42a3975628a1c533533345f192b8fe1bebbb4206eaed2115fc0ba7388fd3a0ba9b71d52fc7f3de1d37990c3d7f6331f5ce6f41cc7e9d54ca

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
da6df69d9640cfffdf4e1a518cf8382a

SHA1
78ff73e7a62872c82fee5d551e01a5e1dc3b89b9

SHA256
cf2480bb8f20e10ef132078c1b20f93e9eda4147c2086e05e3f594fed8c7ea50

SHA512
cada91f4956a890cb4b536807faf64913dd5043c88be74e21ef358427625ec4b7681170d5b12c49ca94a9f3887f39f014f5138433cda83835a59704772dfbc5d

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
b933cfe561a32a98a5995450f7646387

SHA1
e1ac26713efa9d499764742c195cb0fe7a542961

SHA256
7a641d42709efe944dbaff49654b5b2d7ad1a6582e27d3c6da9bf21d5f0f5eb6

SHA512
c970e6358dc969135f3f31c905582b69c6a00d7eb0c95463e7a6899d101840aba8bb47ae09ed1f8516e53585dd3fada0292d0189fcc461824e891a5f1798c31b

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
ea8d30d95eae7db9dcd07ad3beda70cf

SHA1
16dc7e732defeec30f9c5934d15073f5dbacf42d

SHA256
4a35a882731528532443e4a037f093ab637276b6c3c594f3657fd364f15129a2

SHA512
1cb9fc512fd743cff22a9d6009a3b852a88e0aad297dcede08c0d464996c8ced17f8be012fe82f4e9e088cd5892c219baaecdfddee28cf4f4a3edfae1ea5830e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
59f75788a528420ae43320f723dc2a00

SHA1
2c0f8f3accc0f9cead32d80481576d777daf99de

SHA256
0ae72ad8b0440bb26dd3162ab32b55f24aee5697ce1dea624c01e23d2b191325

SHA512
f934bea34aec41fcdfd648db181bee25c870a1074d0c8b637ebc8749c98589ede659dec017b67787fffaaded62acc305bf4fcaea09f6170ddc2e68a444c11b30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
05bc5e92dfce91a7eee675a9d7661adc

SHA1
58c054f5cc7bc9ec9f6037217334e0afae8c442a

SHA256
30727cef3c8c888b3f63601fd287cb5ec15f631680dd5fe83b1145f896902de4

SHA512
729b60cba41a233b102500fd948dc954c5859c461b88ce6f55746bd074ffbe524a1d298b63a1e0f728c4ab8912cde5b8345f0ec3d39a4540dbf73b37f214ad4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e543e4182f5dd80ac5e9af3ddeadc521

SHA1
ac2e909c2c05555be5793a99533125b15a80e77f

SHA256
87e66f5e0d463ef04e328f6d9e421bc7b80f88a1ec5dbd464414218dbdaaa070

SHA512
bfbdaa45dff7ed457b960b4a9216d3dcef540b311de5e684c26c92ba11cdad99d53cdcc1363f9fb2d34e301cd22eb4aca5c6f7dd2f0018641386ca81c73daf2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
92b1178f673a7f6173b67547e19d9c71

SHA1
645cbb3a8744c4ac74a0c69a2922b1693efe1279

SHA256
e2d1c947e42c6f59e651aeab9bf6718ea0c760f736800c536c4b6ff86f6f3734

SHA512
cac587fb88598a81343a6f9c1a7f703e79811edf2637df19b5a450ec6ed6ab6e7b1db690f1292aafea1194889fd85882344c9c644545e37872932300eb1b7229

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dde07313971d5736830bd63382b79912

SHA1
14f36e09bc3116e6b93f5fca745b50762cdd8144

SHA256
111784117dc655cc846f559f028fe46cb4c91f7f2dc32342fdfb331c5037fdb7

SHA512
ec41079db813e2779bbfb0d79e14f6bf9e7241f5e33fb3947cca12d39482b4fbc4622d0ecbb14151e194b3afd1c38e0b12099c42cbb826f2c388feae04604ac0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f08653ce6bb59fa2c732a3dcb61e02e6

SHA1
bf958cc227c76c8733a97455617fbdd86293c8fd

SHA256
7d0cebd24785202ee151bc45b9e937de2c3e31dfd3f27051f63f937f59695921

SHA512
b225566754c93571b8cbcddb73140844757f38f2848e8da9161a4191c5bb712a7e8476b9ad675bd75f6f3969517c81935be704fb1882992b7fb09b0580b952cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2dc373d89be79757ccf56084c39ac35e

SHA1
57ba32a6b050a6a96f442097068ff5961a46dd25

SHA256
e7e32fb3463587ff5a67819ebcba653717b22ca41591039969c0aca7b34c659d

SHA512
94ef483154cff5caa2ed5d0b113978c8016270c97bcf0e81462a0181836cd6ce3146ba7da6e3de8b9a443adb8e58fb4c634752b56522c470c32d97611cf49b0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b447aff53e6aec6b661c556a4d4297f7

SHA1
9f00463c3a0f60b5be81d20714e7a409b9f15405

SHA256
9e94fd0ffc664c3121e28bbd1563a48ee87afdcaca6806ef0471b3163691cac1

SHA512
8aebe70808c798fbe612361b455d31b6586d8d97ea7d70dc80ad7cc7f59034b6e7d576a1f53a632ffef3bddb6147f9e73714795f479a419a421932cda7e6c84e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
778805032cd9d3f8b7d9333252a5bfd2

SHA1
5c9a4f9b52c6d41730c58b02c65409782d726206

SHA256
ec81365aea402ded3f2874b5c26a4c8b899cdd49c93eb5b9a00d6de89ac48ac2

SHA512
5a80a0deca96eb6ee658477c7da703c8cacf866a868b2763919dea1c6c3e13bf6c2470334a44b51f2cf0e7d07dc78e8d7e35171f2d075c422638f338e5a23d73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
500321265f45248a16aef4128190b02a

SHA1
80e13e7f7179a64458f24b715a5897b326bbc86e

SHA256
641b7d8e7a75341d88b949360c62a7cf49b414744cac7b1c5b1e8fe654b7c677

SHA512
255e113c8a39d608dd999db2d301016d43446144b868f15994926adc0ba05eb84a44718ae59ad06d8442b2326905430bc9f5c087c22ab7dd73ecf1ecdacee617

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b4a516460d24c7a4516ed3aa0a3535e5

SHA1
bd8b8219e1723b40da89fca2b7087b3fb08cab3b

SHA256
8f489a687a07e453aa3eacc7fac23818428d96c18da37a297e5c011df84b8cea

SHA512
551e2d906cfd3044b44a01eb08b4145f38a225837d1389935fd8e045474eb7596f1702f7b1d0569906ee46bd44206b1fd3f7a33a551b626643304d1279c7c71d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
15aac3afa78763492d098bdf25493f7f

SHA1
753493dc2c1e5c71528a86c0594c14201eb62b09

SHA256
0393073a993b34c91bfe28deac5517be7fde9915caba9b878b09e26dc0a4d93d

SHA512
08be965d8d4c6486ba3745f00d005edab7a66f63691b5664b1ea8af3378b9947c4d1919ce3b8a31107c67152c3f77db0e9ff1b86aac8882587f53aefac4fce74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
79317e133ec22f324f651ffb1f915b32

SHA1
790a337d6f3052555dde5cb099b15da435efed5d

SHA256
7c35712846603707cb2330df58dcb93194ec1012b723e99b80840e45dbc00046

SHA512
7e87cfa42b22625fa9ca783db7ac15689c81544ebeb14c253cb1b61a49e0c0cfb3609d4c9ea52d521d0833a255300bb1bc0a7e7c9f951845e0807f3eec4a9bdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fad641287033147058fc435478f23eaa

SHA1
fabbffcd43b469fc15ec09a6ec92e54169bf6537

SHA256
ca1737d1c6eeeaa655ce1f8b13d26ac38eccb961670b9a3c4efc1081e2c7b3b6

SHA512
eebf9bcfbc870d08a90e49a48431d6a62571ea99b319f29d49773372746a942a506c75a3b377bad2f482c02c71e577ce8f4a58c0ec051f0cb4766e1975d6a088

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bef4e17ce782de175f402e9e1704f643

SHA1
1013f0eabe8407d4d8cae4dca010ce2bcd93f7fc

SHA256
65ee73f3ae7a92c7d2b8b4a2bcd99a09f5ec5a305dcd20a61fd8d89155cffdf9

SHA512
95ddd87879d39d2d3eb235fe0c886622fccc9c3e05fe4fe7f663f2c239edb8ae3fe4576c9348bd5c9ade4fc0d3874884bff6269d5921e9c0d670b60718408c81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
857936012d09cfc4f14c572ae2438a33

SHA1
89a2a5461d84c48c78e1e82082d79e4b7ab5b124

SHA256
f69a1cd4130976dd267de8b43b88dd13f0bc224c998bd97ae32177d169f3e39d

SHA512
8bb6c02407a65cb2bf1172662dc17c24356a03b7f680a599fc9017b075217129cb7828a1a0e3b1864cc53846ad63b8c091d96366fd54fad125570d16ff171ec6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b81d5e8cdfe56c743556215dd741bb83

SHA1
785652274f1d8fe1850766571bab11fdffbf912e

SHA256
df849f007114f7bf6eeea0b86a1166c94c3c238379d89fa27e5175197464e7fd

SHA512
6031c8ba335f2ad6216e4b61eae438c1d83334ca21e580380011a6a90eb045de62808af4f88810571a520fa5a328e4fa35e0008160d6e3f97321bec24a48a877

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5d9294e38d0d3267139db941930f7470

SHA1
d71cdd67d0985fd490bfee12086753459128f77d

SHA256
2947b22c106dc6deb72f1996dd44b80f7aa4d114479e2e9cbfbb57730b646d71

SHA512
c3336cfc835c184a4127ab5844c2e3d7a3d385ef2c76b4b5758e83f060319889a0efcbb839fdcececb1e610e643b60ce0c4bf800e967184ce3ce34cd66792c5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
67cf15bbb8fa12109d0f263de0124334

SHA1
90cd5a6603fa6ddcfc640d375e903b6262213f87

SHA256
b39aeb2431c72c96a4268d8a5f94aa22d28b49a66c9066bca64d91ff3df50ab2

SHA512
b7172176531a5c6bc258c1303befbe67c51bab0908a53738b315f32fb2a057ed8fe7216eab4178d52744ea80c1a7e60da47a6b830803d58f1bc54158121f8b1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
20ab1e3edfbcf0416682426690493681

SHA1
d3e4af0c767823ee643ebeaba953772e768c1fa7

SHA256
47140d9893880befd63b3a0216b31509ae5142af974f4f77635402b51adb0447

SHA512
45bbba5726de06948d6da73b8a570ce7f7f3738bb8fe798d22572a2f1866bd00a2e45d73b47174b5c7b1bfd1fcb5cfc4d57a79fd85e07d962968ce054b407891

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ad37f4fd69ff6cc05a88c23627f46e12

SHA1
3fb1d8683fd72c0bf2e76729793096fe0ef95246

SHA256
985573421388e87578a9ebd3e70983c5a0b36ce4890c4264bd254bde51f18ff6

SHA512
45663c790f635b2a29304e9e5f1270ac41e53d0bbb5242730fba4cfe05fbf5e6a7d150c1fa10327ecf58eea816fa7d7a89aba5dfa7a58f736a661237f1a40b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8D06.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8DF7.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\cvvfakcvqtho.exe

Filesize
284KB

MD5
3615c9ef28ac6b885405ad433b338ce9

SHA1
8b39c75a87aba608976d6ebc5be6d511b82fd634

SHA256
0f5bfe270ccd6b20554570e407cc0490477030b4cbb3a991fb647810d6a75039

SHA512
5d94bb315e1a2f0dd3784c4ccced48f5cbf29d9a4fb776ad88e504fc9123e725a333af49e5ac453b21b3094941c546c5543ac9f8737917d9c9ecc035fc4e51d1

Download Submit
memory/328-5923-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/1900-2090-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1900-8-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1900-5927-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1900-4911-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1900-5922-0x0000000004AE0000-0x0000000004AE2000-memory.dmp

Filesize
8KB

Download
memory/2220-1-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2220-0-0x0000000000320000-0x000000000034F000-memory.dmp

Filesize
188KB

Download
memory/2220-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2220-9-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2220-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download