teslacrypt | 9bf59f52f58052e0644fc5d0a8e9efcc8b7db586a365bd8611228c42ed4d0332

Resubmissions

15-05-2024 07:41

240515-jjclfaff64 10

15-05-2024 07:38

240515-jgfkbafe78 4

15-05-2024 07:26

240515-h9jxrsfa2t 10

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
15-05-2024 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45193536497856842273bcf3ba3eed80_JaffaCakes118.exe
Size

360KB
MD5

45193536497856842273bcf3ba3eed80
SHA1

9936812c27e92c8f7f7183ed3a8730ea1c6e167b
SHA256

9bf59f52f58052e0644fc5d0a8e9efcc8b7db586a365bd8611228c42ed4d0332
SHA512

3ea4cb9916f01b00d7dd73fef6a9006d1c521a225037a44a136991d98db1a0abb74fbc2a09dd2905e2404ca2956382dbb274e346e84be99bdb0377a3ca44f785
SSDEEP

6144:gZtBZh5vTOAWJx4u1l05Lpm+SemsrbK9XbgwJU2WWIBReISOuO8I:Qn7vSr4+sLwRnXbg4U2WWyN

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+lojlm.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/FD457E744B4F9E99 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/FD457E744B4F9E99 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/FD457E744B4F9E99 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/FD457E744B4F9E99 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/FD457E744B4F9E99 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/FD457E744B4F9E99 http://yyre45dbvn2nhbefbmh.begumvelic.at/FD457E744B4F9E99 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/FD457E744B4F9E99

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/FD457E744B4F9E99

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/FD457E744B4F9E99

http://yyre45dbvn2nhbefbmh.begumvelic.at/FD457E744B4F9E99

http://xlowfznrg4wf7dli.ONION/FD457E744B4F9E99

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (415) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2792	cmd.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+lojlm.png	trkauipglhte.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+lojlm.txt	trkauipglhte.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+lojlm.html	trkauipglhte.exe

Executes dropped EXE 2 IoCs

pid	Process
2708	trkauipglhte.exe
2820	trkauipglhte.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\sguuyiy = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\trkauipglhte.exe"	trkauipglhte.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2008 set thread context of 2596	2008	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	28
PID 2708 set thread context of 2820	2708	trkauipglhte.exe	34

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\_ReCoVeRy_+lojlm.html	trkauipglhte.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\_ReCoVeRy_+lojlm.png	trkauipglhte.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\_ReCoVeRy_+lojlm.png	trkauipglhte.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\_ReCoVeRy_+lojlm.html	trkauipglhte.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceYi.txt	trkauipglhte.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\calendar.css	trkauipglhte.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssBackBlue_Undocked.png	trkauipglhte.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png	trkauipglhte.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\_ReCoVeRy_+lojlm.png	trkauipglhte.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png	trkauipglhte.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_ReCoVeRy_+lojlm.txt	trkauipglhte.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\_ReCoVeRy_+lojlm.txt	trkauipglhte.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\_ReCoVeRy_+lojlm.html	trkauipglhte.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\_ReCoVeRy_+lojlm.html	trkauipglhte.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\_ReCoVeRy_+lojlm.png	trkauipglhte.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\_ReCoVeRy_+lojlm.html	trkauipglhte.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\cpu.js	trkauipglhte.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\_ReCoVeRy_+lojlm.png	trkauipglhte.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\de-DE\_ReCoVeRy_+lojlm.txt	trkauipglhte.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\_ReCoVeRy_+lojlm.png	trkauipglhte.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_ReCoVeRy_+lojlm.html	trkauipglhte.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\settings.css	trkauipglhte.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\_ReCoVeRy_+lojlm.png	trkauipglhte.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\_ReCoVeRy_+lojlm.png	trkauipglhte.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\_ReCoVeRy_+lojlm.png	trkauipglhte.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_ReCoVeRy_+lojlm.txt	trkauipglhte.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\_ReCoVeRy_+lojlm.html	trkauipglhte.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\_ReCoVeRy_+lojlm.png	trkauipglhte.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\_ReCoVeRy_+lojlm.html	trkauipglhte.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data\_ReCoVeRy_+lojlm.png	trkauipglhte.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\_ReCoVeRy_+lojlm.png	trkauipglhte.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\_ReCoVeRy_+lojlm.html	trkauipglhte.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\de-DE\_ReCoVeRy_+lojlm.png	trkauipglhte.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_ReCoVeRy_+lojlm.txt	trkauipglhte.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\_ReCoVeRy_+lojlm.html	trkauipglhte.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	trkauipglhte.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\_ReCoVeRy_+lojlm.txt	trkauipglhte.exe
File opened for modification	C:\Program Files\Common Files\_ReCoVeRy_+lojlm.txt	trkauipglhte.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_matte.wmv	trkauipglhte.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\PreviousMenuButtonIcon.png	trkauipglhte.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\_ReCoVeRy_+lojlm.html	trkauipglhte.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\_ReCoVeRy_+lojlm.txt	trkauipglhte.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_up.png	trkauipglhte.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\picturePuzzle.js	trkauipglhte.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\library.js	trkauipglhte.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\_ReCoVeRy_+lojlm.png	trkauipglhte.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\_ReCoVeRy_+lojlm.html	trkauipglhte.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\_ReCoVeRy_+lojlm.txt	trkauipglhte.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\_ReCoVeRy_+lojlm.txt	trkauipglhte.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\_ReCoVeRy_+lojlm.html	trkauipglhte.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\_ReCoVeRy_+lojlm.txt	trkauipglhte.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\_ReCoVeRy_+lojlm.png	trkauipglhte.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_ReCoVeRy_+lojlm.png	trkauipglhte.exe
File opened for modification	C:\Program Files\Windows Mail\ja-JP\_ReCoVeRy_+lojlm.html	trkauipglhte.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\calendar.js	trkauipglhte.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\info.png	trkauipglhte.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_MATTE_PAL.wmv	trkauipglhte.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sr.pak	trkauipglhte.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\_ReCoVeRy_+lojlm.png	trkauipglhte.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\_ReCoVeRy_+lojlm.png	trkauipglhte.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ps\_ReCoVeRy_+lojlm.txt	trkauipglhte.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_ReCoVeRy_+lojlm.txt	trkauipglhte.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\library.js	trkauipglhte.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\_ReCoVeRy_+lojlm.png	trkauipglhte.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\trkauipglhte.exe	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe
File opened for modification	C:\Windows\trkauipglhte.exe	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{99E65041-128C-11EF-8A04-E6AC171B5DA5} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc233000000000200000000001066000000010000200000005611c26eb4cbc8fff19e5001795b78a3f7d18030207c14e4ddb06d3fc2faa59a000000000e8000000002000020000000fde7e89a10cb367e0d74e9e3d6d17884b5fcaae6abbe9600058aa8e1b5a012ea200000007897ae3bb3dbc91c8be93e670e979080723d8f1fa29cfc016c18f5168f680f8140000000a3a2e0e5e4578111b762d4dd1aee9f67c39fd311d3b053628880c5407e6c47bf210f111ecf86c502a2e25e89451a8e76436b9607126fac43b3c62908d3936dfb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc23300000000020000000000106600000001000020000000288b1b6a46d8620853596e3e47e43ac9aa9c92bfe376d4ff18a3fd85702274ae000000000e80000000020000200000007ecfcdb60fb96ce47b88a8c47292723b334add9b231ff27749642dcd421e97b390000000b830407cab135ba020a71b2903e9fccbc8644a27ff6a0bfe45960a97ea2bf824074271f61944fc5820a7cda7303e85ab04b13533575845fa5eff28e1c87f93efee40b13745e0b09e820268661db72186218b3115e5a5f6b976cee78f2bfd14178365f97d3923c069076ef4339156fd181ff20bd719aa88e0c566fda146816df837dd0bfa8f82f593b9adcdce9630655c40000000f0be0bdbf0465fe37c33eb8948e5dc302ed49657238d2885174361b31ada09164e02dd2fda466c0e1542e3f3c9c4285a310653b17adca1104f5de31e9ed2ad06	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60d05d6e99a6da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2084	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe
2820	trkauipglhte.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe
Token: SeDebugPrivilege	2820	trkauipglhte.exe
Token: SeIncreaseQuotaPrivilege	2344	WMIC.exe
Token: SeSecurityPrivilege	2344	WMIC.exe
Token: SeTakeOwnershipPrivilege	2344	WMIC.exe
Token: SeLoadDriverPrivilege	2344	WMIC.exe
Token: SeSystemProfilePrivilege	2344	WMIC.exe
Token: SeSystemtimePrivilege	2344	WMIC.exe
Token: SeProfSingleProcessPrivilege	2344	WMIC.exe
Token: SeIncBasePriorityPrivilege	2344	WMIC.exe
Token: SeCreatePagefilePrivilege	2344	WMIC.exe
Token: SeBackupPrivilege	2344	WMIC.exe
Token: SeRestorePrivilege	2344	WMIC.exe
Token: SeShutdownPrivilege	2344	WMIC.exe
Token: SeDebugPrivilege	2344	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2344	WMIC.exe
Token: SeRemoteShutdownPrivilege	2344	WMIC.exe
Token: SeUndockPrivilege	2344	WMIC.exe
Token: SeManageVolumePrivilege	2344	WMIC.exe
Token: 33	2344	WMIC.exe
Token: 34	2344	WMIC.exe
Token: 35	2344	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2344	WMIC.exe
Token: SeSecurityPrivilege	2344	WMIC.exe
Token: SeTakeOwnershipPrivilege	2344	WMIC.exe
Token: SeLoadDriverPrivilege	2344	WMIC.exe
Token: SeSystemProfilePrivilege	2344	WMIC.exe
Token: SeSystemtimePrivilege	2344	WMIC.exe
Token: SeProfSingleProcessPrivilege	2344	WMIC.exe
Token: SeIncBasePriorityPrivilege	2344	WMIC.exe
Token: SeCreatePagefilePrivilege	2344	WMIC.exe
Token: SeBackupPrivilege	2344	WMIC.exe
Token: SeRestorePrivilege	2344	WMIC.exe
Token: SeShutdownPrivilege	2344	WMIC.exe
Token: SeDebugPrivilege	2344	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2344	WMIC.exe
Token: SeRemoteShutdownPrivilege	2344	WMIC.exe
Token: SeUndockPrivilege	2344	WMIC.exe
Token: SeManageVolumePrivilege	2344	WMIC.exe
Token: 33	2344	WMIC.exe
Token: 34	2344	WMIC.exe
Token: 35	2344	WMIC.exe
Token: SeBackupPrivilege	1312	vssvc.exe
Token: SeRestorePrivilege	1312	vssvc.exe
Token: SeAuditPrivilege	1312	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1496	WMIC.exe
Token: SeSecurityPrivilege	1496	WMIC.exe
Token: SeTakeOwnershipPrivilege	1496	WMIC.exe
Token: SeLoadDriverPrivilege	1496	WMIC.exe
Token: SeSystemProfilePrivilege	1496	WMIC.exe
Token: SeSystemtimePrivilege	1496	WMIC.exe
Token: SeProfSingleProcessPrivilege	1496	WMIC.exe
Token: SeIncBasePriorityPrivilege	1496	WMIC.exe
Token: SeCreatePagefilePrivilege	1496	WMIC.exe
Token: SeBackupPrivilege	1496	WMIC.exe
Token: SeRestorePrivilege	1496	WMIC.exe
Token: SeShutdownPrivilege	1496	WMIC.exe
Token: SeDebugPrivilege	1496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1496	WMIC.exe
Token: SeRemoteShutdownPrivilege	1496	WMIC.exe
Token: SeUndockPrivilege	1496	WMIC.exe
Token: SeManageVolumePrivilege	1496	WMIC.exe
Token: 33	1496	WMIC.exe
Token: 34	1496	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1340	iexplore.exe
2884	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1340	iexplore.exe
1340	iexplore.exe
1324	IEXPLORE.EXE
1324	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2596	2008	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	28
PID 2008 wrote to memory of 2596	2008	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	28
PID 2008 wrote to memory of 2596	2008	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	28
PID 2008 wrote to memory of 2596	2008	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	28
PID 2008 wrote to memory of 2596	2008	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	28
PID 2008 wrote to memory of 2596	2008	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	28
PID 2008 wrote to memory of 2596	2008	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	28
PID 2008 wrote to memory of 2596	2008	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	28
PID 2008 wrote to memory of 2596	2008	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	28
PID 2008 wrote to memory of 2596	2008	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	28
PID 2008 wrote to memory of 2596	2008	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	28
PID 2596 wrote to memory of 2708	2596	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	29
PID 2596 wrote to memory of 2708	2596	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	29
PID 2596 wrote to memory of 2708	2596	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	29
PID 2596 wrote to memory of 2708	2596	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	29
PID 2596 wrote to memory of 2792	2596	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	30
PID 2596 wrote to memory of 2792	2596	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	30
PID 2596 wrote to memory of 2792	2596	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	30
PID 2596 wrote to memory of 2792	2596	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	30
PID 2708 wrote to memory of 2820	2708	trkauipglhte.exe	34
PID 2708 wrote to memory of 2820	2708	trkauipglhte.exe	34
PID 2708 wrote to memory of 2820	2708	trkauipglhte.exe	34
PID 2708 wrote to memory of 2820	2708	trkauipglhte.exe	34
PID 2708 wrote to memory of 2820	2708	trkauipglhte.exe	34
PID 2708 wrote to memory of 2820	2708	trkauipglhte.exe	34
PID 2708 wrote to memory of 2820	2708	trkauipglhte.exe	34
PID 2708 wrote to memory of 2820	2708	trkauipglhte.exe	34
PID 2708 wrote to memory of 2820	2708	trkauipglhte.exe	34
PID 2708 wrote to memory of 2820	2708	trkauipglhte.exe	34
PID 2708 wrote to memory of 2820	2708	trkauipglhte.exe	34
PID 2820 wrote to memory of 2344	2820	trkauipglhte.exe	35
PID 2820 wrote to memory of 2344	2820	trkauipglhte.exe	35
PID 2820 wrote to memory of 2344	2820	trkauipglhte.exe	35
PID 2820 wrote to memory of 2344	2820	trkauipglhte.exe	35
PID 2820 wrote to memory of 2084	2820	trkauipglhte.exe	43
PID 2820 wrote to memory of 2084	2820	trkauipglhte.exe	43
PID 2820 wrote to memory of 2084	2820	trkauipglhte.exe	43
PID 2820 wrote to memory of 2084	2820	trkauipglhte.exe	43
PID 2820 wrote to memory of 1340	2820	trkauipglhte.exe	44
PID 2820 wrote to memory of 1340	2820	trkauipglhte.exe	44
PID 2820 wrote to memory of 1340	2820	trkauipglhte.exe	44
PID 2820 wrote to memory of 1340	2820	trkauipglhte.exe	44
PID 1340 wrote to memory of 1324	1340	iexplore.exe	45
PID 1340 wrote to memory of 1324	1340	iexplore.exe	45
PID 1340 wrote to memory of 1324	1340	iexplore.exe	45
PID 1340 wrote to memory of 1324	1340	iexplore.exe	45
PID 2820 wrote to memory of 1496	2820	trkauipglhte.exe	47
PID 2820 wrote to memory of 1496	2820	trkauipglhte.exe	47
PID 2820 wrote to memory of 1496	2820	trkauipglhte.exe	47
PID 2820 wrote to memory of 1496	2820	trkauipglhte.exe	47
PID 2820 wrote to memory of 3012	2820	trkauipglhte.exe	50
PID 2820 wrote to memory of 3012	2820	trkauipglhte.exe	50
PID 2820 wrote to memory of 3012	2820	trkauipglhte.exe	50
PID 2820 wrote to memory of 3012	2820	trkauipglhte.exe	50

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	trkauipglhte.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	trkauipglhte.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\45193536497856842273bcf3ba3eed80_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\45193536497856842273bcf3ba3eed80_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\45193536497856842273bcf3ba3eed80_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\45193536497856842273bcf3ba3eed80_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\trkauipglhte.exe
    C:\Windows\trkauipglhte.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\trkauipglhte.exe
      C:\Windows\trkauipglhte.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2820
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:2084
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1340
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1340 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1324
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\TRKAUI~1.EXE
        5⤵
        
        PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\451935~1.EXE
    3⤵
    - Deletes itself
    PID:2792

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+lojlm.html

Filesize
12KB

MD5
7b02d24c6e7782b45f42955dac38bced

SHA1
f6e4e448aed8149c9b0c63f45eac8d2e1a4f1f07

SHA256
a068c97fdf2ec96d30c93d2a45fb0308063a5c504e355d1e457c2555bb5d4d80

SHA512
e1740f8ae2173933ce89da42fd86cb7b686d26a45fffdc3333229ba81bb97e06907a510b57895841c234ef3219a222a47be5854a2f5d5bad8ee4458a772d4627

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+lojlm.png

Filesize
64KB

MD5
47c3175d755b5eccea0d0cf8b2c34aa5

SHA1
554c90dfe7d81b26fbd1dce4ff0e3dbe8f0b6050

SHA256
b8e83a440e2c119379f82298ac66f9917e7a027c02ad642e84850536c4943321

SHA512
986ee0a36429eefd6a8f49d5ce1086fdc61c5ca120d5ab88b5b2f45ae385d6d44b87cfd9dea9495855e45011581f91323352870450e49a8a122652aa65b37528

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+lojlm.txt

Filesize
1KB

MD5
58186fe7387250bddfe77fbdc53c9788

SHA1
d2b9e4f19dd1aafc5c7c29af7e868da4ea691a14

SHA256
62859300aaf550951e0b7712904c86e28aee1f3273c7a44df3bbfa5a1f965ba9

SHA512
6c5833c966203e3860f3dd01c8b12ea8daba61946917b9d6b6c943477e4866fb2a82fdbe737afa2bebeaec3e9aa6ff3abacc031847fa88739e6a2418421b06b3

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
d0de82b06779ff3fe816d84542c218e3

SHA1
d0b357db82e1a5e4c13484eec765f775a7438ab4

SHA256
f0fb9c18a4ffd473b0e94e3a2955c2aacc21e635250841ec8efd9d4c82c0bcd2

SHA512
27bee4aefc598c0447c5e2d7e1288c4f57b9cdf45cd3e52ea223fd93c591298cbead63bd3cd0c4eee61027a9cbe85996edd19bc89d362ee3475f8df759d0cf38

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
196e48b5a008b2f2d9a21da2770572b6

SHA1
75fba79b9a03fd4bc369f28e71c2df0f79c2d053

SHA256
9b5c3b735fc9a992ee069eb14c8bbfa52f0e57c2e0e658e56f83878e41fb5a25

SHA512
ae1994c7e1d66741881fd199ec8ba70ec39095b20b6938c50cbe5e6f9f358a1baf85649d9bc5a1d385d4552c461c4c56e0f7d3cd87b319b04b9f4f7a95e9abbd

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
c0e31137240c4098a7308111c804930f

SHA1
fd21a8bc154732bc1bfb025680214175f4461951

SHA256
88964f3527b99b8e91c56596c742c861d93a3fe7a511bc4f5b5dbccfca4d7b6d

SHA512
0420226ae965966851c1b92d27b35aaf784761707acb68fbee7e83a6e50003166c9abe89c9daff6b2d9f3a5421be30a4c6adf6645a4e92665624cb3a82a5295a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4c443f10a252dbcebe2f05c689f19f67

SHA1
0136b3601507f9ef849074f60dec959b4bdec48b

SHA256
8e9ed323e3c255fa9e3c153ad97bd199f07e3ec92a087994accf46c71f5e0a9b

SHA512
ba9f6a10ab5df71b9561634bb6078a79503eb9b2cad9e797ebd094ffdde81782d33adcb45c0d81aa72d6366e0e8ee9973c616acf4321d9ca641601c168d18158

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9baa784ad9d7e4a9a9cf0349f558fdec

SHA1
577179011fea58f84781713ed98908e7c84859d8

SHA256
abdfb3c206a4c6f2ea43a5d275bf624cce94bfb260868b873bc4c167e91e65d9

SHA512
0ad8f854c6eae365672ebc6584f2293a5ae1a5e38ce66cb9a4ac36e729c570ec971f95ae49dd675ad4ab72289294e0226898f2e1378eee09681505ab49e807eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f33314c8fb809e333d727251dfd7439c

SHA1
37f4800caa48fe4f04e2179db310a341ee895c1a

SHA256
3a887d40fa9f0a5741138172fdef638040828eee3df0dc4a13e737c77a3f38fb

SHA512
087231928808063ac20ac388657eaf7ebd31732627bc4456a2fcaa651f1956b2fbfd02dbd448f799f679b80aefb1357ed3315335b23a3a27b85aab0f06deb5f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a86fa81c245e18fb86d22e2006dcca24

SHA1
9c65b8bb756e2b2314d8ceb28ba3aedfa898b315

SHA256
95433d09025de4e34e69f3b1ab5e5e95696575aa3e26dc5e451a18cf696113e3

SHA512
d546ec65557974e4b7f4859c656e330c2a441c1904c33386fdc599a7fc7541d5762a34090f56496af50856ee9500ac4e8698ae09f814dc8231816f94238ab2f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
af482fbc394c6dd00711e54f49972c17

SHA1
dde095fd7558ed7ed032de58b6b7ac03cd31131b

SHA256
83d8a02e2bdbb37829acfd3cffc58841e986c36f3e342893d6957c048bb8234f

SHA512
751c8cf758e4fe2fb05233da4e442adf75ed16fee773b73251b78b7a8b054034b065eae583aa572aa5a9485200818d917cd574b9d7d4f257d7d095005740c577

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a7a39715a97388039b4c8ae0d283a2a7

SHA1
102fec56011fe96b7c87189f07cfdde861ed63b8

SHA256
b8aef7ce6dcd46cf627decb8f59ecc5cd3f46f1bd7601cf89f506ee5feba6483

SHA512
c025a352b40607254710fa2dc6e2087064ec01148fe751a29cefcac31c5e70679d1e7ab4a73482319782c2bf37bae2e34d64565eea50d1e6c60989a0dd4688ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4907dcdf3b602d90d59ea12c9e2f548b

SHA1
ede80685a1156dc49de76dccf4d80b20bea63926

SHA256
2a5c39330c3919236eff8dfb3265e29feb8a1f692143e908a5fceb193256d91c

SHA512
1c659ffc83909893c2a5974c50d935c9b4d7b4a07db1e96972de097fbd1369effa69627b08f6aea236c6c8dd7e87004d94a5c7bd0429a9473fcea7a5cb8474bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
89cec8e0e231db71a5a0035ac4147a3a

SHA1
d7f25be477b65affe33224740974154b934db31a

SHA256
26eeb79670a48d551c6e0ff45498edd24dd8196d44109929bd5bbb7a27399444

SHA512
233bb5f09adebaeb5e52e4283ea94cecc122357ad51634edd8730c7b348525bd0f3e3fbd942d3fb568b0946970f05454a49d629fa894e3a4c88dfff86ace6548

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
41d3cf466ac2efbc3fdfb182a20491e5

SHA1
113cb459a6032f5ed374556224f5d1b3d54abd04

SHA256
2515cd1df4d83787ea5541ccd53b6c8814f43ccce9e8bc8c19d0057e36251072

SHA512
478f45a431ef4cd597868ebef369a8109e238575fac36a5043bacfa08e698762bd756c94bd92d534f05dcde63f1a449612f2d5e1e395f06c5469a2f67e09d44f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab76B9.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar77AA.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\trkauipglhte.exe

Filesize
360KB

MD5
45193536497856842273bcf3ba3eed80

SHA1
9936812c27e92c8f7f7183ed3a8730ea1c6e167b

SHA256
9bf59f52f58052e0644fc5d0a8e9efcc8b7db586a365bd8611228c42ed4d0332

SHA512
3ea4cb9916f01b00d7dd73fef6a9006d1c521a225037a44a136991d98db1a0abb74fbc2a09dd2905e2404ca2956382dbb274e346e84be99bdb0377a3ca44f785

Download Submit
memory/2008-0-0x0000000000240000-0x0000000000244000-memory.dmp

Filesize
16KB

Download
memory/2008-17-0x0000000000240000-0x0000000000244000-memory.dmp

Filesize
16KB

Download
memory/2008-1-0x0000000000240000-0x0000000000244000-memory.dmp

Filesize
16KB

Download
memory/2596-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2596-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2596-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2596-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2596-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2596-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2596-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2596-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2596-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2596-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2596-30-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2708-31-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2820-5691-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2820-6005-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2820-50-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2820-6016-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2820-6015-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2820-765-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2820-6011-0x0000000002110000-0x0000000002112000-memory.dmp

Filesize
8KB

Download
memory/2820-6022-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2820-56-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2820-2583-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2820-51-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2820-52-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2820-55-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2884-6012-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download