teslacrypt | 8d72251b37fd260a51fe3675a3dacaa4042d14ee9969bbef71820d838b13622e

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
15-05-2024 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45f0b5a24298fa780f9eb39244d504a6_JaffaCakes118.exe
Size

336KB
MD5

45f0b5a24298fa780f9eb39244d504a6
SHA1

d2768bebe7d0df40f89ad202b46a560f32848db7
SHA256

8d72251b37fd260a51fe3675a3dacaa4042d14ee9969bbef71820d838b13622e
SHA512

ce9b39d8653a994034463b60a271c1b143ac7c53e09d95dc977855a746bc8a0912244d95866ed1b3b52c037e08717c23830940443e6abba65e95c5fa99d44d0a
SSDEEP

6144:DdVu4o9uXRkondkyLVLcHBf0CNI4W8WOAHAU9M8NVgEzeJgF6vE8O5:xVuzaRkondlVLchfazOAgU9MQbzeJe

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+urttn.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://yyre45dbvn2nhbefbmh.begumvelic.at/DD801F9E9FD548C5 2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/DD801F9E9FD548C5 3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/DD801F9E9FD548C5 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/DD801F9E9FD548C5 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://yyre45dbvn2nhbefbmh.begumvelic.at/DD801F9E9FD548C5 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/DD801F9E9FD548C5 http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/DD801F9E9FD548C5 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/DD801F9E9FD548C5

URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/DD801F9E9FD548C5

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/DD801F9E9FD548C5

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/DD801F9E9FD548C5

http://xlowfznrg4wf7dli.ONION/DD801F9E9FD548C5

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (417) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1956 cmd.exe

pid	process
1956	cmd.exe

Drops startup file 3 IoCs

Processes:

chvsalktelow.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+urttn.png	chvsalktelow.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+urttn.txt	chvsalktelow.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+urttn.html	chvsalktelow.exe

Executes dropped EXE 1 IoCs

Processes:

chvsalktelow.exe

pid process

2456 chvsalktelow.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

chvsalktelow.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\hshtdurrtjrb = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\chvsalktelow.exe\""	chvsalktelow.exe

Drops file in Program Files directory 64 IoCs

Processes:

chvsalktelow.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ms.pak	chvsalktelow.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\_RECoVERY_+urttn.html	chvsalktelow.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\_RECoVERY_+urttn.png	chvsalktelow.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\_RECoVERY_+urttn.html	chvsalktelow.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\bandwidth.png	chvsalktelow.exe
File opened for modification	C:\Program Files\Windows Media Player\Icons\_RECoVERY_+urttn.html	chvsalktelow.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_h.png	chvsalktelow.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\_RECoVERY_+urttn.html	chvsalktelow.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NextMenuButtonIcon.png	chvsalktelow.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\_RECoVERY_+urttn.txt	chvsalktelow.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\_RECoVERY_+urttn.txt	chvsalktelow.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\40.png	chvsalktelow.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_RECoVERY_+urttn.png	chvsalktelow.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\_RECoVERY_+urttn.html	chvsalktelow.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\_RECoVERY_+urttn.html	chvsalktelow.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png	chvsalktelow.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\_RECoVERY_+urttn.txt	chvsalktelow.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\_RECoVERY_+urttn.png	chvsalktelow.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_RECoVERY_+urttn.png	chvsalktelow.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\_RECoVERY_+urttn.png	chvsalktelow.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\_RECoVERY_+urttn.txt	chvsalktelow.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\_RECoVERY_+urttn.html	chvsalktelow.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\fr-FR\_RECoVERY_+urttn.png	chvsalktelow.exe
File opened for modification	C:\Program Files\Windows NT\_RECoVERY_+urttn.png	chvsalktelow.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_docked.png	chvsalktelow.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\_RECoVERY_+urttn.png	chvsalktelow.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png	chvsalktelow.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\de-DE\_RECoVERY_+urttn.png	chvsalktelow.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\service.js	chvsalktelow.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\_RECoVERY_+urttn.txt	chvsalktelow.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\_RECoVERY_+urttn.png	chvsalktelow.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\en-US\_RECoVERY_+urttn.html	chvsalktelow.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\library.js	chvsalktelow.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png	chvsalktelow.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\_RECoVERY_+urttn.png	chvsalktelow.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\_RECoVERY_+urttn.txt	chvsalktelow.exe
File opened for modification	C:\Program Files\MSBuild\_RECoVERY_+urttn.txt	chvsalktelow.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_right.png	chvsalktelow.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_RECoVERY_+urttn.txt	chvsalktelow.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\da.pak	chvsalktelow.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am_ET\_RECoVERY_+urttn.txt	chvsalktelow.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_RECoVERY_+urttn.png	chvsalktelow.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\_RECoVERY_+urttn.txt	chvsalktelow.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png	chvsalktelow.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_RECoVERY_+urttn.png	chvsalktelow.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_rest.png	chvsalktelow.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\RSSFeeds.css	chvsalktelow.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\_RECoVERY_+urttn.html	chvsalktelow.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\_RECoVERY_+urttn.html	chvsalktelow.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\_RECoVERY_+urttn.html	chvsalktelow.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\_RECoVERY_+urttn.png	chvsalktelow.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png	chvsalktelow.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_up.png	chvsalktelow.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_SelectionSubpicture.png	chvsalktelow.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\_RECoVERY_+urttn.txt	chvsalktelow.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\_RECoVERY_+urttn.txt	chvsalktelow.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\ja-JP\_RECoVERY_+urttn.html	chvsalktelow.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\_RECoVERY_+urttn.txt	chvsalktelow.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\settings.css	chvsalktelow.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_SelectionSubpicture.png	chvsalktelow.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\_RECoVERY_+urttn.txt	chvsalktelow.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\_RECoVERY_+urttn.png	chvsalktelow.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\_RECoVERY_+urttn.html	chvsalktelow.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\clock.js	chvsalktelow.exe

Drops file in Windows directory 2 IoCs

Processes:

45f0b5a24298fa780f9eb39244d504a6_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\chvsalktelow.exe	45f0b5a24298fa780f9eb39244d504a6_JaffaCakes118.exe
File opened for modification	C:\Windows\chvsalktelow.exe	45f0b5a24298fa780f9eb39244d504a6_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d1000000000200000000001066000000010000200000008e5fbcf77140b19896736e4957743e87e6fc2ae9e84840f86f5818224f5f6a29000000000e80000000020000200000007e6896f5b2bae8a37c0dab87bdaf4c633c71ed8f602dcebe7d126080f1af285920000000a8b2569acec96db7e61778aa375c51a1def412ee795d80a6d2026e5b77eb604e40000000d48248f273c3bc53a39fde9d493f928397c77428a8a97b3bf438bdb51770b4eb86530c9d4d0380a43cb30d8bc6bd92fbafa94f3ddc8776353f2833a591a5d4f2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d1000000000200000000001066000000010000200000002f9bd031b73ae9ac65932209ead8fdcf5cfd521cb93ee8e94c278cb14018a1c3000000000e8000000002000020000000013a0b6020d946e4bfe13a5eeadc826e8c894bc9c0ac052ea5f70ebfe680ec82900000008901b97b17206e1dc6066a73850f29b3c50ffc20f585bc872ef39bc9b6e0bbab816da758e3095e6c7b0381c67e4236d4a60ddbbde5d11e30c9517cbdcb454af47a776144bc52ec9ce4681226aaed131816f5fcc4143bfae6a70f74252418138e5973006270655f895f1b971f345d41fd6d4e3b67fd53a088abbaec9154d129bcb49b5c90a57ba4bf82df61d0aec353e2400000001d270aaa4480fc739fe0f00234d75167e5bd05c8ebce8e5385fd6f0104efa912586bf6a177acf611eaed97402133429f704b12a96730557355ca2ebaaa96d3d1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7FDC7FF1-12AD-11EF-AE27-76C100907C10} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10715654baa6da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421934053"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1996 NOTEPAD.EXE

pid	process
1996	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chvsalktelow.exe

pid	process
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe
2456	chvsalktelow.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

45f0b5a24298fa780f9eb39244d504a6_JaffaCakes118.exechvsalktelow.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2052	45f0b5a24298fa780f9eb39244d504a6_JaffaCakes118.exe
Token: SeDebugPrivilege	2456	chvsalktelow.exe
Token: SeIncreaseQuotaPrivilege	2660	WMIC.exe
Token: SeSecurityPrivilege	2660	WMIC.exe
Token: SeTakeOwnershipPrivilege	2660	WMIC.exe
Token: SeLoadDriverPrivilege	2660	WMIC.exe
Token: SeSystemProfilePrivilege	2660	WMIC.exe
Token: SeSystemtimePrivilege	2660	WMIC.exe
Token: SeProfSingleProcessPrivilege	2660	WMIC.exe
Token: SeIncBasePriorityPrivilege	2660	WMIC.exe
Token: SeCreatePagefilePrivilege	2660	WMIC.exe
Token: SeBackupPrivilege	2660	WMIC.exe
Token: SeRestorePrivilege	2660	WMIC.exe
Token: SeShutdownPrivilege	2660	WMIC.exe
Token: SeDebugPrivilege	2660	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2660	WMIC.exe
Token: SeRemoteShutdownPrivilege	2660	WMIC.exe
Token: SeUndockPrivilege	2660	WMIC.exe
Token: SeManageVolumePrivilege	2660	WMIC.exe
Token: 33	2660	WMIC.exe
Token: 34	2660	WMIC.exe
Token: 35	2660	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2660	WMIC.exe
Token: SeSecurityPrivilege	2660	WMIC.exe
Token: SeTakeOwnershipPrivilege	2660	WMIC.exe
Token: SeLoadDriverPrivilege	2660	WMIC.exe
Token: SeSystemProfilePrivilege	2660	WMIC.exe
Token: SeSystemtimePrivilege	2660	WMIC.exe
Token: SeProfSingleProcessPrivilege	2660	WMIC.exe
Token: SeIncBasePriorityPrivilege	2660	WMIC.exe
Token: SeCreatePagefilePrivilege	2660	WMIC.exe
Token: SeBackupPrivilege	2660	WMIC.exe
Token: SeRestorePrivilege	2660	WMIC.exe
Token: SeShutdownPrivilege	2660	WMIC.exe
Token: SeDebugPrivilege	2660	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2660	WMIC.exe
Token: SeRemoteShutdownPrivilege	2660	WMIC.exe
Token: SeUndockPrivilege	2660	WMIC.exe
Token: SeManageVolumePrivilege	2660	WMIC.exe
Token: 33	2660	WMIC.exe
Token: 34	2660	WMIC.exe
Token: 35	2660	WMIC.exe
Token: SeBackupPrivilege	2220	vssvc.exe
Token: SeRestorePrivilege	2220	vssvc.exe
Token: SeAuditPrivilege	2220	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2948	WMIC.exe
Token: SeSecurityPrivilege	2948	WMIC.exe
Token: SeTakeOwnershipPrivilege	2948	WMIC.exe
Token: SeLoadDriverPrivilege	2948	WMIC.exe
Token: SeSystemProfilePrivilege	2948	WMIC.exe
Token: SeSystemtimePrivilege	2948	WMIC.exe
Token: SeProfSingleProcessPrivilege	2948	WMIC.exe
Token: SeIncBasePriorityPrivilege	2948	WMIC.exe
Token: SeCreatePagefilePrivilege	2948	WMIC.exe
Token: SeBackupPrivilege	2948	WMIC.exe
Token: SeRestorePrivilege	2948	WMIC.exe
Token: SeShutdownPrivilege	2948	WMIC.exe
Token: SeDebugPrivilege	2948	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2948	WMIC.exe
Token: SeRemoteShutdownPrivilege	2948	WMIC.exe
Token: SeUndockPrivilege	2948	WMIC.exe
Token: SeManageVolumePrivilege	2948	WMIC.exe
Token: 33	2948	WMIC.exe
Token: 34	2948	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

1452 iexplore.exe
784 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1452 iexplore.exe
1452 iexplore.exe
1404 IEXPLORE.EXE
1404 IEXPLORE.EXE

pid	process
1452	iexplore.exe
784	DllHost.exe

pid	process
1452	iexplore.exe
1452	iexplore.exe
1404	IEXPLORE.EXE
1404	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

45f0b5a24298fa780f9eb39244d504a6_JaffaCakes118.exechvsalktelow.exeiexplore.exe

description	pid	process	target process
PID 2052 wrote to memory of 2456	2052	45f0b5a24298fa780f9eb39244d504a6_JaffaCakes118.exe	chvsalktelow.exe
PID 2052 wrote to memory of 2456	2052	45f0b5a24298fa780f9eb39244d504a6_JaffaCakes118.exe	chvsalktelow.exe
PID 2052 wrote to memory of 2456	2052	45f0b5a24298fa780f9eb39244d504a6_JaffaCakes118.exe	chvsalktelow.exe
PID 2052 wrote to memory of 2456	2052	45f0b5a24298fa780f9eb39244d504a6_JaffaCakes118.exe	chvsalktelow.exe
PID 2052 wrote to memory of 1956	2052	45f0b5a24298fa780f9eb39244d504a6_JaffaCakes118.exe	cmd.exe
PID 2052 wrote to memory of 1956	2052	45f0b5a24298fa780f9eb39244d504a6_JaffaCakes118.exe	cmd.exe
PID 2052 wrote to memory of 1956	2052	45f0b5a24298fa780f9eb39244d504a6_JaffaCakes118.exe	cmd.exe
PID 2052 wrote to memory of 1956	2052	45f0b5a24298fa780f9eb39244d504a6_JaffaCakes118.exe	cmd.exe
PID 2456 wrote to memory of 2660	2456	chvsalktelow.exe	WMIC.exe
PID 2456 wrote to memory of 2660	2456	chvsalktelow.exe	WMIC.exe
PID 2456 wrote to memory of 2660	2456	chvsalktelow.exe	WMIC.exe
PID 2456 wrote to memory of 2660	2456	chvsalktelow.exe	WMIC.exe
PID 2456 wrote to memory of 1996	2456	chvsalktelow.exe	NOTEPAD.EXE
PID 2456 wrote to memory of 1996	2456	chvsalktelow.exe	NOTEPAD.EXE
PID 2456 wrote to memory of 1996	2456	chvsalktelow.exe	NOTEPAD.EXE
PID 2456 wrote to memory of 1996	2456	chvsalktelow.exe	NOTEPAD.EXE
PID 2456 wrote to memory of 1452	2456	chvsalktelow.exe	iexplore.exe
PID 2456 wrote to memory of 1452	2456	chvsalktelow.exe	iexplore.exe
PID 2456 wrote to memory of 1452	2456	chvsalktelow.exe	iexplore.exe
PID 2456 wrote to memory of 1452	2456	chvsalktelow.exe	iexplore.exe
PID 1452 wrote to memory of 1404	1452	iexplore.exe	IEXPLORE.EXE
PID 1452 wrote to memory of 1404	1452	iexplore.exe	IEXPLORE.EXE
PID 1452 wrote to memory of 1404	1452	iexplore.exe	IEXPLORE.EXE
PID 1452 wrote to memory of 1404	1452	iexplore.exe	IEXPLORE.EXE
PID 2456 wrote to memory of 2948	2456	chvsalktelow.exe	WMIC.exe
PID 2456 wrote to memory of 2948	2456	chvsalktelow.exe	WMIC.exe
PID 2456 wrote to memory of 2948	2456	chvsalktelow.exe	WMIC.exe
PID 2456 wrote to memory of 2948	2456	chvsalktelow.exe	WMIC.exe
PID 2456 wrote to memory of 776	2456	chvsalktelow.exe	cmd.exe
PID 2456 wrote to memory of 776	2456	chvsalktelow.exe	cmd.exe
PID 2456 wrote to memory of 776	2456	chvsalktelow.exe	cmd.exe
PID 2456 wrote to memory of 776	2456	chvsalktelow.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

chvsalktelow.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	chvsalktelow.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	chvsalktelow.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\45f0b5a24298fa780f9eb39244d504a6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\45f0b5a24298fa780f9eb39244d504a6_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\chvsalktelow.exe
  C:\Windows\chvsalktelow.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2456
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2660
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1996
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1452
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1452 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1404
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\CHVSAL~1.EXE
    3⤵
    PID:776
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\45F0B5~1.EXE
  2⤵
  - Deletes itself
  PID:1956

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+urttn.html

Filesize
11KB

MD5
bcd1d7ed90fef4a0c87c48077d08d52a

SHA1
5fc90e5e899e9b0e1fbf10cfc8d305bc1651f009

SHA256
2953d49e38c036aa236b8a71ba8b6818590bac4311be62ae00f799e240704403

SHA512
6126d01e8e0abf682dcd112b03692e807c9314a737f05c3abe8ad4f5793f6cd2cccc5442f990c1f57e10dd096489dd2c70d40680ffc26f724fced8caa2847bc3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+urttn.png

Filesize
63KB

MD5
2ea59fd8e66f515a31283c30dbab37b9

SHA1
3ae76e4f16a61a11da33fec1592cfcef8da7a9b7

SHA256
d685d6ec69e6b3599d498b97bdb5e2d47649caca4471b67a9580ded82240e8b9

SHA512
03a37636f82e64f6587f870c714ed3a0cbcbb58f5f04027a7e747136380295abb6d46388511d8f87c74d052fc4f8b3775463917b4954944299660ebc1fe220f0

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+urttn.txt

Filesize
1KB

MD5
9394a30253c91cfc23e802e5ab4ea5fc

SHA1
999d67add432685b3d87cb320dd406a84452fe84

SHA256
68be66f995981b52e2126365becc8bf0cf688977f824c8de0fffde222b01a3f0

SHA512
dc3f6026af3668611de998e97dab1a544999a1366777258935107e0b6c11b9d9346084219acc5793aad1ce7eb7c96e91f152f44562dd4dbec67bec2b9c4a8feb

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
f90d9082bf3f47f2fecfb0f909bb895c

SHA1
0692c849f25985d6e641c19fd72197a09bcddf7c

SHA256
d9afe8856704d2b9899c3d89b997d20ef4089e2cd896c44b2ae0daf9d0a34b89

SHA512
b67c9563e8f66093c41fab12e2468319f51a4f9e482329b80f55c88bde6cc355a0cfe2b17f768b982f8f42dc87659913b275b0215f25ac6598fa1fbb69aba392

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
9b3697ea3308e5343bf50039f59a103a

SHA1
0446ac1e158e9928c8ca3ecfbdf87edf057da165

SHA256
12ee915b24137d10e052ca904f0ef2968c9a711128e51bd76505e9c17ae6d88c

SHA512
57b713d958b6af7e19ae87fefec9e30b9ef93e7e1ea59bc0984dc62dab636f93aab69fc0ca19c0f74c2cc9db1ab629916a4880a7e2ebca9556b26e4d4e5f9f3d

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
a1510f394ad48152f16dc93fe6926917

SHA1
9c37f09e5f9e1bb02cdef032bda883122fca9678

SHA256
c5590b3f7a2385dbafed3135fe0d293e039041cd4f54f68f88e69cabafa214d1

SHA512
e57e0fccb2b1137eb14a23f955ef68df355bad46e5035d066b3d0cab1fe2dc89295cceb7651f4f19e7a955fa51ca8181803151043adf04c84c6f4496db2f56c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
44946e28741dd2ddd06f65f499562734

SHA1
90b88eab8671cec466ee5605720e5740b13ddb7b

SHA256
af960b4fa9229ef45ed81575dc46176d18c471fbcd065e29ea133c01ca159017

SHA512
b274e2b7ae763da5e40c4d68c2b4b240da680cecf68cb1a701aa27ea2b43b0c83c6d2c2a546387a69715487b50bb16cd727d3842791b8de7a8345cc8f32adf88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9f34d213b945e13c1dbfb309232ebd76

SHA1
572966104932855337c68323f91933f5e57ed7bf

SHA256
1d7afb2930b026cd21f799c755dad4d44cbfb92cf34556129a7c1ef6f01d65af

SHA512
86b61908ff362663fb9dbef889c21bebd0160601a1538b1734aa2f7c4c05f8dce32e14192f12975375f77c99b20b0c091ccd136a369d1fa30f7dd9833571dd24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6a6ef69a0d570731a2d85f73c9ef1bbd

SHA1
e40afba2dc6875f3e47474f88b132d44e9418999

SHA256
b049598430351b0f141e02d831570696d01b5aad7600eb9159b9bebdde9663af

SHA512
f6ab81ddee2bfbaddc565fa04d4bb3f66c693c77ac30d357489f6aabdb7467e8401909c080acda04e899e3aef0f464de18ed0569e75788e729dfe4db67ca235c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
785c4cd9a0100162cfd1636f842ef3f7

SHA1
ac53a0fac891b4f8dbd58e17ba84d80f13c610c0

SHA256
a6250bfeeb04fddc97a012044114f07fcd65fa38a6a5db06522518e99cf7205f

SHA512
a0a881c8f74f890b6f13796923cb61e33af50b94d7a2190bdad4f9e04050a10c58b24462814634cf2386ea2a99fdd52f2a62ef6ec048edea29b53c76fa448317

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9dbfc51802233a3af14a95e90a4cdc92

SHA1
9c1a9104f73084de240227d56ddb25decfb4918f

SHA256
c3fd7ff72859d89589b8246496380297333811d2ca3adb71bc56a6fbbea2520d

SHA512
1c55348cf6ff2e1509dab0cf8c49c2e0010b555895d482730b4e386241fae6faa9565cf606fd1c63c6e4ff4c66428ee65f829d8504c222aa48bd2edd485d8e0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4e9a439c14cfe3a528dfbf9280460fc3

SHA1
f0744af1a8cc8831672aa0986f8128726437b9c5

SHA256
897c84e339c4e68478d6b9290b1b594f27a0c9f3caeb28cb5d196dd38db86e27

SHA512
8be9df435313adf996c42ed6b8413cd23a0af7c5c31eea57630cde53e5cc6f8b9d36bcafd7a6167d5e9637e1471294c49a5173538601a61be11fbbb6d95958c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c5f930292defd1f46d42fffc8fb72248

SHA1
0a14db73dc889cc6e2ae702a3c973755a79c3f0f

SHA256
8880f8a2c8c8463764e8dc0942ccdbf9b146e9149204dde0d4165a8295222fdc

SHA512
f8e7c6ea0576057b5f478d56db7e2fc9f989b64d884c4a43a376a2dad6e84fb7a6e6b66d6060744138c831599718fd1d64fe8410f47eb05101078bfc967ad970

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e36bb345e1af618aaebeafee5e1d939b

SHA1
ab64c5bb98eed20c994f3aabdc5542484a640b5a

SHA256
6fde2a4d8889b2005fa8c4f5d648dee8f3a27c5d8e54de0bc1a071b65b1d2cbb

SHA512
f1237423c2db9142315ea4c03f581de7f7c4efd9bfbc1f1487ea42f49068fa6021293c59609099e413caefd4ab8a19b8cd0beea1fa63acfd61c04bd99a30125b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f49f0f536c8e1cfceee9f981781befba

SHA1
0e8f84b78e811606f904751c03108a04f5eb66d2

SHA256
d13097de6dc2efaff1641f250083e02763733c61f43770f50676e0194865266d

SHA512
63ae13afd4230b7f2ea6609ccfa7cf42d7c4c44786d06e6cd30b4fd7a3dd6417a61eada571af54c7758aa31ab6203ede9aa2d75ee9a04b4afafe27dd672e0385

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f90cb30e994b340cbf5a566541cc2fb1

SHA1
780e9a80454bfdeba5024256b70f583c31087c63

SHA256
071a456a8287c9d899fb61c4daf2127b1d0a9d446916639362c768d2dcc62b14

SHA512
206ed8495ecf0ba85404d5112e301d3ccb1468f0e7ffb1e92d9b79e7e8540a73643088300b163dc1927c4ca634cd36988eacde927656cd91b0eb2b7445f2d7ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5230991eafa89c26b52bf3b1f8145358

SHA1
6bcfc89b2cc025e7422e9e885ac4943b6feee619

SHA256
a54cadbc5f972d3e3ce7ce50160d230f551ada1f304ee095f563393d3a34725c

SHA512
b819beabf8b7a38b15745738945f8b1ccb7f3b45a6600c948039e9c747164214978ec7c03d13ae3c2c816185b6f3ddc947839ea7f2cf8053f62a6ace2a40f432

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4e1a33e0594a497f05e37ce31a2fa107

SHA1
3d8d44fbabf17bd3dfc5dba5632ae07d6d6c210e

SHA256
404211af090f5b6d42b506469472da3a1a3bb27fa1fe29e0f62cd082df8975b5

SHA512
95e3dd4d65f86cd3985b933ae3399d5141727d0f2036775ec618e33d238bd45c0ed43eb4e0a41bcab4fb10fdc004934888148cbbf3e79d01a339cb0a11569ed5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a9c7a619b539596bc462c49e5c2f1c38

SHA1
1b82e514b7106943b91e9db778d4526bfe48b67b

SHA256
36b4760a0b118e0f1b085038f9864eaec24d99dca9166d0d0c0bc5419b0e9221

SHA512
d812117761cbe17ddc39a4f13b833708ad990a8d8079964abd50eaf447e3c490741c16cd2e05b8ee9787d432a70dfe8c7b5b1086f4340169ec34ae6d7644135f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4734507b87ce44a13024ed461024707e

SHA1
bc3623cef03c4310a25b3d9812f2b88344de5910

SHA256
760d9c5d49d1c7bcf85c65d6db28c760b150f18d4428d8621dc90d1bc7c89205

SHA512
dc04f46fdfc6dc0b4beb0801da071b2df4107c1be47279049eae97258c9ced092ec4643e3c64bd4e305f6628c9569c6a33bf1c8e94a75be5bfe4c656bb87479d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e2f59a3813c35779dc714713f02a953c

SHA1
184e9321f798bea49170b3a39ee9e9b5c95a9cf6

SHA256
89d339017452ec396be27b177e952d952eedfa84cf560c9c5d50b04a520ca577

SHA512
846ed310481bcc05ec5113a5a47b7eef7525c6ac18b059df42f2e2774b3672006aae492969a686c810c6f1ddc78b2a235a2ee458e9ecb9d9c2d56a4b1ca44538

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b1a0eef9f2ea73f15a45427cf27a1f04

SHA1
c0552a8f9c5e57ca28a3be03fedc185319baf603

SHA256
aa5f31dcb418dff1c6eaddbdbb3ace41ca914ea3956ea0a53e947936c6282ade

SHA512
1f8101e0bcc130f760bd2a9990a78cc9bf528247151bb2272f6287615a88b486e46b89c63ccedf2ac3145ce4461553f0503c17753e55381f434140a349ad6064

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2b4754cbc1dd62d3000435ce3edd0f1a

SHA1
abbe39eb07a952f5f04c12eb009f696c0d9eb510

SHA256
99bf22b192c94d0239e3eb4bc42d7e1d1f70c0ee5e83fe2f013afa0df13c167f

SHA512
8f3c3134478d113971a39d3570e2189d59c2a85f35bda29d1b1ffce48621336bd16dbe869a812d62160ea97d6fcf4ec622b27eea6492d63adda8f149c312d27e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab848E.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar84DF.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\chvsalktelow.exe

Filesize
336KB

MD5
45f0b5a24298fa780f9eb39244d504a6

SHA1
d2768bebe7d0df40f89ad202b46a560f32848db7

SHA256
8d72251b37fd260a51fe3675a3dacaa4042d14ee9969bbef71820d838b13622e

SHA512
ce9b39d8653a994034463b60a271c1b143ac7c53e09d95dc977855a746bc8a0912244d95866ed1b3b52c037e08717c23830940443e6abba65e95c5fa99d44d0a

Download Submit
memory/784-6017-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/2052-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2052-1-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2052-0-0x00000000003C0000-0x00000000003EE000-memory.dmp

Filesize
184KB

Download
memory/2052-8-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2052-9-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2456-6340-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2456-6016-0x0000000003170000-0x0000000003172000-memory.dmp

Filesize
8KB

Download
memory/2456-10-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2456-2711-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2456-5907-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download