teslacrypt | 9bf59f52f58052e0644fc5d0a8e9efcc8b7db586a365bd8611228c42ed4d0332

Resubmissions

15-05-2024 07:41

240515-jjclfaff64 10

15-05-2024 07:38

240515-jgfkbafe78 4

15-05-2024 07:26

240515-h9jxrsfa2t 10

Analysis

max time kernel
65s
max time network
66s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
15-05-2024 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45193536497856842273bcf3ba3eed80_JaffaCakes118.exe
Size

360KB
MD5

45193536497856842273bcf3ba3eed80
SHA1

9936812c27e92c8f7f7183ed3a8730ea1c6e167b
SHA256

9bf59f52f58052e0644fc5d0a8e9efcc8b7db586a365bd8611228c42ed4d0332
SHA512

3ea4cb9916f01b00d7dd73fef6a9006d1c521a225037a44a136991d98db1a0abb74fbc2a09dd2905e2404ca2956382dbb274e346e84be99bdb0377a3ca44f785
SSDEEP

6144:gZtBZh5vTOAWJx4u1l05Lpm+SemsrbK9XbgwJU2WWIBReISOuO8I:Qn7vSr4+sLwRnXbg4U2WWyN

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+xmmav.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/669D7CFA5A31C98D 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/669D7CFA5A31C98D 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/669D7CFA5A31C98D If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/669D7CFA5A31C98D 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/669D7CFA5A31C98D http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/669D7CFA5A31C98D http://yyre45dbvn2nhbefbmh.begumvelic.at/669D7CFA5A31C98D Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/669D7CFA5A31C98D

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/669D7CFA5A31C98D

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/669D7CFA5A31C98D

http://yyre45dbvn2nhbefbmh.begumvelic.at/669D7CFA5A31C98D

http://xlowfznrg4wf7dli.ONION/669D7CFA5A31C98D

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (95) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 2 IoCs

Processes:

xppofeqjyhpp.exexppofeqjyhpp.exe

pid process

396 xppofeqjyhpp.exe
4224 xppofeqjyhpp.exe

pid	process
396	xppofeqjyhpp.exe
4224	xppofeqjyhpp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

xppofeqjyhpp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\qrwybji = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\xppofeqjyhpp.exe"	xppofeqjyhpp.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

45193536497856842273bcf3ba3eed80_JaffaCakes118.exexppofeqjyhpp.exe

description	pid	process	target process
PID 4920 set thread context of 1992	4920	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe
PID 396 set thread context of 4224	396	xppofeqjyhpp.exe	xppofeqjyhpp.exe

Drops file in Program Files directory 64 IoCs

Processes:

xppofeqjyhpp.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\_ReCoVeRy_+xmmav.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\_ReCoVeRy_+xmmav.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\_ReCoVeRy_+xmmav.png	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\_ReCoVeRy_+xmmav.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\_ReCoVeRy_+xmmav.html	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\_ReCoVeRy_+xmmav.png	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\_ReCoVeRy_+xmmav.html	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\_ReCoVeRy_+xmmav.png	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ca-ES\_ReCoVeRy_+xmmav.html	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\id-ID\_ReCoVeRy_+xmmav.html	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\_ReCoVeRy_+xmmav.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\gl-ES\_ReCoVeRy_+xmmav.png	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\7-Zip\_ReCoVeRy_+xmmav.png	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\_ReCoVeRy_+xmmav.html	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\_ReCoVeRy_+xmmav.html	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\_ReCoVeRy_+xmmav.html	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\_ReCoVeRy_+xmmav.html	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\da-DK\_ReCoVeRy_+xmmav.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\_ReCoVeRy_+xmmav.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\_ReCoVeRy_+xmmav.html	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\_ReCoVeRy_+xmmav.html	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\_ReCoVeRy_+xmmav.png	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\_ReCoVeRy_+xmmav.html	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\he-IL\_ReCoVeRy_+xmmav.png	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\_ReCoVeRy_+xmmav.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\_ReCoVeRy_+xmmav.png	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\_ReCoVeRy_+xmmav.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\_ReCoVeRy_+xmmav.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\et-EE\_ReCoVeRy_+xmmav.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\_ReCoVeRy_+xmmav.png	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\he-IL\_ReCoVeRy_+xmmav.html	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\_ReCoVeRy_+xmmav.png	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\_ReCoVeRy_+xmmav.html	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\_ReCoVeRy_+xmmav.html	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\_ReCoVeRy_+xmmav.txt	xppofeqjyhpp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\_ReCoVeRy_+xmmav.html	xppofeqjyhpp.exe

Drops file in Windows directory 2 IoCs

Processes:

45193536497856842273bcf3ba3eed80_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\xppofeqjyhpp.exe	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe
File opened for modification	C:\Windows\xppofeqjyhpp.exe	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "2787150420"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31106773"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

msedge.exemsedge.exexppofeqjyhpp.exe

pid	process
2172	msedge.exe
2172	msedge.exe
4032	msedge.exe
4032	msedge.exe
4224	xppofeqjyhpp.exe
4224	xppofeqjyhpp.exe
4224	xppofeqjyhpp.exe
4224	xppofeqjyhpp.exe
4224	xppofeqjyhpp.exe
4224	xppofeqjyhpp.exe
4224	xppofeqjyhpp.exe
4224	xppofeqjyhpp.exe
4224	xppofeqjyhpp.exe
4224	xppofeqjyhpp.exe
4224	xppofeqjyhpp.exe
4224	xppofeqjyhpp.exe
4224	xppofeqjyhpp.exe
4224	xppofeqjyhpp.exe
4224	xppofeqjyhpp.exe
4224	xppofeqjyhpp.exe
4224	xppofeqjyhpp.exe
4224	xppofeqjyhpp.exe
4224	xppofeqjyhpp.exe
4224	xppofeqjyhpp.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

4032 msedge.exe
4032 msedge.exe
4032 msedge.exe
4032 msedge.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

45193536497856842273bcf3ba3eed80_JaffaCakes118.exexppofeqjyhpp.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1992	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe
Token: SeDebugPrivilege	4224	xppofeqjyhpp.exe
Token: SeIncreaseQuotaPrivilege	3780	WMIC.exe
Token: SeSecurityPrivilege	3780	WMIC.exe
Token: SeTakeOwnershipPrivilege	3780	WMIC.exe
Token: SeLoadDriverPrivilege	3780	WMIC.exe
Token: SeSystemProfilePrivilege	3780	WMIC.exe
Token: SeSystemtimePrivilege	3780	WMIC.exe
Token: SeProfSingleProcessPrivilege	3780	WMIC.exe
Token: SeIncBasePriorityPrivilege	3780	WMIC.exe
Token: SeCreatePagefilePrivilege	3780	WMIC.exe
Token: SeBackupPrivilege	3780	WMIC.exe
Token: SeRestorePrivilege	3780	WMIC.exe
Token: SeShutdownPrivilege	3780	WMIC.exe
Token: SeDebugPrivilege	3780	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3780	WMIC.exe
Token: SeRemoteShutdownPrivilege	3780	WMIC.exe
Token: SeUndockPrivilege	3780	WMIC.exe
Token: SeManageVolumePrivilege	3780	WMIC.exe
Token: 33	3780	WMIC.exe
Token: 34	3780	WMIC.exe
Token: 35	3780	WMIC.exe
Token: 36	3780	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3780	WMIC.exe
Token: SeSecurityPrivilege	3780	WMIC.exe
Token: SeTakeOwnershipPrivilege	3780	WMIC.exe
Token: SeLoadDriverPrivilege	3780	WMIC.exe
Token: SeSystemProfilePrivilege	3780	WMIC.exe
Token: SeSystemtimePrivilege	3780	WMIC.exe
Token: SeProfSingleProcessPrivilege	3780	WMIC.exe
Token: SeIncBasePriorityPrivilege	3780	WMIC.exe
Token: SeCreatePagefilePrivilege	3780	WMIC.exe
Token: SeBackupPrivilege	3780	WMIC.exe
Token: SeRestorePrivilege	3780	WMIC.exe
Token: SeShutdownPrivilege	3780	WMIC.exe
Token: SeDebugPrivilege	3780	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3780	WMIC.exe
Token: SeRemoteShutdownPrivilege	3780	WMIC.exe
Token: SeUndockPrivilege	3780	WMIC.exe
Token: SeManageVolumePrivilege	3780	WMIC.exe
Token: 33	3780	WMIC.exe
Token: 34	3780	WMIC.exe
Token: 35	3780	WMIC.exe
Token: 36	3780	WMIC.exe
Token: SeBackupPrivilege	3644	vssvc.exe
Token: SeRestorePrivilege	3644	vssvc.exe
Token: SeAuditPrivilege	3644	vssvc.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exe

pid	process
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

45193536497856842273bcf3ba3eed80_JaffaCakes118.exe45193536497856842273bcf3ba3eed80_JaffaCakes118.exemsedge.exe

description	pid	process	target process
PID 4920 wrote to memory of 1992	4920	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe
PID 4920 wrote to memory of 1992	4920	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe
PID 4920 wrote to memory of 1992	4920	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe
PID 4920 wrote to memory of 1992	4920	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe
PID 4920 wrote to memory of 1992	4920	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe
PID 4920 wrote to memory of 1992	4920	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe
PID 4920 wrote to memory of 1992	4920	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe
PID 4920 wrote to memory of 1992	4920	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe
PID 4920 wrote to memory of 1992	4920	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe
PID 4920 wrote to memory of 1992	4920	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe
PID 1992 wrote to memory of 396	1992	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	xppofeqjyhpp.exe
PID 1992 wrote to memory of 396	1992	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	xppofeqjyhpp.exe
PID 1992 wrote to memory of 396	1992	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	xppofeqjyhpp.exe
PID 1992 wrote to memory of 3448	1992	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	cmd.exe
PID 1992 wrote to memory of 3448	1992	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	cmd.exe
PID 1992 wrote to memory of 3448	1992	45193536497856842273bcf3ba3eed80_JaffaCakes118.exe	cmd.exe
PID 4032 wrote to memory of 4760	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 4760	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 1632	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 2172	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 2172	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 920	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 920	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 920	4032	msedge.exe	msedge.exe
PID 4032 wrote to memory of 920	4032	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

xppofeqjyhpp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xppofeqjyhpp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	xppofeqjyhpp.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\45193536497856842273bcf3ba3eed80_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\45193536497856842273bcf3ba3eed80_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Users\Admin\AppData\Local\Temp\45193536497856842273bcf3ba3eed80_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\45193536497856842273bcf3ba3eed80_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\xppofeqjyhpp.exe
    C:\Windows\xppofeqjyhpp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:396
  - - C:\Windows\xppofeqjyhpp.exe
      C:\Windows\xppofeqjyhpp.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:4224
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3780
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\451935~1.EXE
    3⤵
    PID:3448

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
- Modifies Internet Explorer settings
PID:2800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb09ff3cb8,0x7ffb09ff3cc8,0x7ffb09ff3cd8
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1820,14871541318335527631,18211519014814358229,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1840 /prefetch:2
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1820,14871541318335527631,18211519014814358229,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1820,14871541318335527631,18211519014814358229,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2504 /prefetch:8
  2⤵
  PID:920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,14871541318335527631,18211519014814358229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,14871541318335527631,18211519014814358229,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,14871541318335527631,18211519014814358229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,14871541318335527631,18211519014814358229,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:2632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1056

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+xmmav.html

Filesize
12KB

MD5
2d26551e5a0e9b0a5916a008dbb85ccc

SHA1
d6fab24347f2f540d120b99d5a92baaa9b6980e4

SHA256
8746f76cdb4c1ec8df9cb6adf32240334db073cea556af8e2c608fe466bba5cd

SHA512
3ca4f7214cead211a775e805b8103c19aea72810d2a5da944081a602e89cab23d2a02e993e3696d1eec9b1bda38b0b3c640e39e322a3b177ef287310c5f160d7

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+xmmav.png

Filesize
65KB

MD5
32bba077823299602b6e5a0adf551655

SHA1
87b2a1efcd7cf1a367a04e212740a47a74b7e822

SHA256
e83ce611dd2a5b6482cba2cb78ae4a7b3703d3545822344d879d3ad584df406d

SHA512
9d6a3c15bfe1b18c9b2d4c440697c9332facec1e98fdfc3a7fa00527f9ad50ab4a420d04de14598d72609d9ed3a04a44328e1641f368c5a8785be801087d9ccf

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+xmmav.txt

Filesize
1KB

MD5
675aac1ee6d3b3bd65e1da8d8ca9e908

SHA1
423606e34ef0967f48efc44eb1a8a76c0399d7dc

SHA256
82f83b982201a554667ba904cd30e740d58387d933296caf175de507af09e9b5

SHA512
0cca25bfa1552322a4656bd33db20657d7bbef0ae5badaf34d2b5260554a536855533831c008ed8f6ee5fa3ef6aabb3b8c7cd0633bab3352ec924ed3dc7ae0fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0c705388d79c00418e5c1751159353e3

SHA1
aaeafebce5483626ef82813d286511c1f353f861

SHA256
697bd270be634688c48210bee7c5111d7897fd71a6af0bbb2141cefd2f8e4a4d

SHA512
c1614e79650ab9822c4e175ba528ea4efadc7a6313204e4e69b4a9bd06327fb92f56fba95f2595885b1604ca8d8f6b282ab542988995c674d89901da2bc4186f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0d84d1490aa9f725b68407eab8f0030e

SHA1
83964574467b7422e160af34ef024d1821d6d1c3

SHA256
40c09bb0248add089873d1117aadefb46c1b4e23241ba4621f707312de9c829e

SHA512
f84552335ff96b5b4841ec26e222c24af79b6d0271d27ad05a9dfcee254a7b9e9019e7fac0def1245a74754fae81f7126499bf1001615073284052aaa949fa00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a34144c8e8e750e9a4aab4a15cfb1a30

SHA1
861cd77fc7d4693c00de84ffb5897f6556b46d9f

SHA256
53dcbda9ecd6f34b0a7043a9f7bd46802c959d35f7a05dba7c35d85724aed228

SHA512
21a148127c3a0b3f5593a30a3ce705072cb54dafd628efa79b4f0e4a44e9c9b2b818a2ce2242110040b9181c357f16d37ce66db895ac4df54ebb329d940e623e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e0ed466b745ee8687f315796b2513070

SHA1
1fba775dcbf27b8f0ef98cd535361dab7ec57ca9

SHA256
4fe19c6d14a3372cdfde53cbd901c4bdf5b06ea5128c91da47508ba6553f0abf

SHA512
157d8fa0e526206c63bf7ef853c3501351cb9e270376ee3fb7bfac9ba82aa7e103844d3990f1cfd9465fac231d5f922d2983dd88a90c2fb722f7c361aadf861f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cfc1640a4b2a862d07df84e4603e8051

SHA1
a59647c4d3df657a6abd1e09dff75862dcb555b9

SHA256
2994688c33d24132374cc0c00d4dfea2e7f13c82f1cdec955a3986933d6f92be

SHA512
36213ef226dc70ff8ce89782ee80236a9aee45b3cee0913e35195ff8048d51f816a889acdbd18700c96e43b7ce1f5b28654f95d7292155dbe6524aee30d60442

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Windows\xppofeqjyhpp.exe

Filesize
360KB

MD5
45193536497856842273bcf3ba3eed80

SHA1
9936812c27e92c8f7f7183ed3a8730ea1c6e167b

SHA256
9bf59f52f58052e0644fc5d0a8e9efcc8b7db586a365bd8611228c42ed4d0332

SHA512
3ea4cb9916f01b00d7dd73fef6a9006d1c521a225037a44a136991d98db1a0abb74fbc2a09dd2905e2404ca2956382dbb274e346e84be99bdb0377a3ca44f785

Download Submit
\??\pipe\LOCAL\crashpad_4032_YUXJTWBUNTOEKCWM

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/396-12-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1992-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1992-13-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1992-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1992-3-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1992-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4224-110-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4224-112-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4224-115-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4224-116-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4920-0-0x0000000000740000-0x0000000000744000-memory.dmp

Filesize
16KB

Download
memory/4920-4-0x0000000000740000-0x0000000000744000-memory.dmp

Filesize
16KB

Download
memory/4920-1-0x0000000000740000-0x0000000000744000-memory.dmp

Filesize
16KB

Download