teslacrypt | 828cd60f0928c571477a4e351b0d98d0d03abe48f0b67a9ed605a2eb8dab5c4c

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
18-05-2024 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe
Size

384KB
MD5

546fe4e8d28a6c67a1047286eb57d773
SHA1

19a807a5fe6f1974ea4ba5f2bafb5cf4edb56f23
SHA256

828cd60f0928c571477a4e351b0d98d0d03abe48f0b67a9ed605a2eb8dab5c4c
SHA512

702ac5cd5e84d6157ab79fc6e41fa4fc1075e72318459345e7e75db200c07d09bf20d7f5b759c53e1207f80d0bbc2f5ab2c464b3cd8c8b8d4ffbc1b32707e5f2
SSDEEP

6144:7tguKU1XD9oEmWMF6L2IzjAqXuxoaqHwdfOUavNJ3en9THb3IA/OYILI:+uRBoOc4js11GUfVsNJ3entMAWp

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+viyyl.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/AAD681CC366CFAA 2. http://tes543berda73i48fsdfsd.keratadze.at/AAD681CC366CFAA 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/AAD681CC366CFAA If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/AAD681CC366CFAA 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/AAD681CC366CFAA http://tes543berda73i48fsdfsd.keratadze.at/AAD681CC366CFAA http://tt54rfdjhb34rfbnknaerg.milerteddy.com/AAD681CC366CFAA *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/AAD681CC366CFAA

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/AAD681CC366CFAA

http://tes543berda73i48fsdfsd.keratadze.at/AAD681CC366CFAA

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/AAD681CC366CFAA

http://xlowfznrg4wf7dli.ONION/AAD681CC366CFAA

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (414) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2708 cmd.exe

pid	process
2708	cmd.exe

Drops startup file 3 IoCs

Processes:

gfxfutdaqnqm.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+viyyl.html	gfxfutdaqnqm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+viyyl.png	gfxfutdaqnqm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+viyyl.txt	gfxfutdaqnqm.exe

Executes dropped EXE 2 IoCs

Processes:

gfxfutdaqnqm.exegfxfutdaqnqm.exe

pid process

2640 gfxfutdaqnqm.exe
2600 gfxfutdaqnqm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2640	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

gfxfutdaqnqm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xgcyfsenvhoc = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\gfxfutdaqnqm.exe\""	gfxfutdaqnqm.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exegfxfutdaqnqm.exe

description	pid	process	target process
PID 836 set thread context of 2604	836	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe
PID 2640 set thread context of 2600	2640	gfxfutdaqnqm.exe	gfxfutdaqnqm.exe

Drops file in Program Files directory 64 IoCs

Processes:

gfxfutdaqnqm.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\Recovery+viyyl.html	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\Recovery+viyyl.txt	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\Recovery+viyyl.html	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\Recovery+viyyl.html	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\Recovery+viyyl.html	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\Recovery+viyyl.html	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\Recovery+viyyl.html	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\it-IT\Recovery+viyyl.html	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\Recovery+viyyl.html	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\Recovery+viyyl.html	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uk\Recovery+viyyl.png	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\Recovery+viyyl.txt	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\Recovery+viyyl.html	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\Recovery+viyyl.txt	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\blackbars80.png	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\Recovery+viyyl.txt	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\Recovery+viyyl.txt	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\Recovery+viyyl.txt	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\Recovery+viyyl.txt	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_hail.png	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\Recovery+viyyl.txt	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Recovery+viyyl.png	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark.css	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\Recovery+viyyl.txt	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\Recovery+viyyl.html	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_MATTE2_PAL.wmv	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\Recovery+viyyl.png	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\Recovery+viyyl.txt	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\corner.png	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\picturePuzzle.js	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\18.png	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\Recovery+viyyl.txt	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_SelectionSubpicture.png	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\Recovery+viyyl.txt	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\oc\Recovery+viyyl.html	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\library.js	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\Recovery+viyyl.html	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sm\LC_MESSAGES\Recovery+viyyl.png	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\Recovery+viyyl.html	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground.wmv	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\Recovery+viyyl.txt	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\Recovery+viyyl.txt	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\Recovery+viyyl.html	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIconSubpi.png	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\en-US\Recovery+viyyl.html	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Recovery+viyyl.txt	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-gibbous_partly-cloudy.png	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\Recovery+viyyl.txt	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\Recovery+viyyl.png	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\Recovery+viyyl.txt	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\Recovery+viyyl.txt	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoDev.png	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Recovery+viyyl.html	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\Recovery+viyyl.html	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\Recovery+viyyl.txt	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\Recovery+viyyl.png	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\Recovery+viyyl.html	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\Recovery+viyyl.html	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\Recovery+viyyl.png	gfxfutdaqnqm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\Recovery+viyyl.png	gfxfutdaqnqm.exe

Drops file in Windows directory 2 IoCs

Processes:

546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\gfxfutdaqnqm.exe	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe
File opened for modification	C:\Windows\gfxfutdaqnqm.exe	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b000000000200000000001066000000010000200000004d82d4ce6b952e9f6092bc26999fad535ae945f5f979bd2ce6eeef4c06d70796000000000e8000000002000020000000353bba9168fcb2a3271779e1c81df50ab1c88b6c9fdfe8c59284054e28ea17b220000000099408deed47d2b9420c90c73758afc3ae01a2b8da489a11883e678c2d859675400000007bcb480ef1707e64a8021dc86266264fcf0c981bfe35b29fc4ab7162daf781a2b2f54de6b06691247c8d28b3bc11174d6763c27e757bc2fab9cd9c71b07e8ece	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D6567271-1508-11EF-8D12-66A5A0AB388F} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b0000000002000000000010660000000100002000000021db90988c4d682531b4ff51776dc3d34aaacd940acb46bb37154d04d18e1582000000000e800000000200002000000013686f60a82b57e13f49a6e34cfa23abba61f0d6b6b1c0364072e1deaca80ef090000000920eeb53e0fbacc3b3e7b53277f5e226a3700078f0885a7f15d8e05077ad9df2e426dc6149fdf1f76941f12764448d2dd57d0fbac5975fe5c2e2db27610619d3a5d696954db880a0dac4457d8ad2f076edf5f8401f59c47f11ef5cc037da41ced2206cf7b1cbcff41283cdb5bbbdfd5de70712a995568d4e64a68c3c9ec5cc719415d4f52a47742066431c801c25045f4000000020b26b99595462427aa745854369415fc950417198c4aa925085c6d84c435e6ae259e28185538a257dca57bc3797ed2317e3f1577caca0a20246ee6bd083d6bc	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90fde0aa15a9da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

gfxfutdaqnqm.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	gfxfutdaqnqm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	gfxfutdaqnqm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	gfxfutdaqnqm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	gfxfutdaqnqm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	gfxfutdaqnqm.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	gfxfutdaqnqm.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2824 NOTEPAD.EXE

pid	process
2824	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

gfxfutdaqnqm.exe

pid	process
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe
2600	gfxfutdaqnqm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exegfxfutdaqnqm.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2604	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe
Token: SeDebugPrivilege	2600	gfxfutdaqnqm.exe
Token: SeIncreaseQuotaPrivilege	2484	WMIC.exe
Token: SeSecurityPrivilege	2484	WMIC.exe
Token: SeTakeOwnershipPrivilege	2484	WMIC.exe
Token: SeLoadDriverPrivilege	2484	WMIC.exe
Token: SeSystemProfilePrivilege	2484	WMIC.exe
Token: SeSystemtimePrivilege	2484	WMIC.exe
Token: SeProfSingleProcessPrivilege	2484	WMIC.exe
Token: SeIncBasePriorityPrivilege	2484	WMIC.exe
Token: SeCreatePagefilePrivilege	2484	WMIC.exe
Token: SeBackupPrivilege	2484	WMIC.exe
Token: SeRestorePrivilege	2484	WMIC.exe
Token: SeShutdownPrivilege	2484	WMIC.exe
Token: SeDebugPrivilege	2484	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2484	WMIC.exe
Token: SeRemoteShutdownPrivilege	2484	WMIC.exe
Token: SeUndockPrivilege	2484	WMIC.exe
Token: SeManageVolumePrivilege	2484	WMIC.exe
Token: 33	2484	WMIC.exe
Token: 34	2484	WMIC.exe
Token: 35	2484	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2484	WMIC.exe
Token: SeSecurityPrivilege	2484	WMIC.exe
Token: SeTakeOwnershipPrivilege	2484	WMIC.exe
Token: SeLoadDriverPrivilege	2484	WMIC.exe
Token: SeSystemProfilePrivilege	2484	WMIC.exe
Token: SeSystemtimePrivilege	2484	WMIC.exe
Token: SeProfSingleProcessPrivilege	2484	WMIC.exe
Token: SeIncBasePriorityPrivilege	2484	WMIC.exe
Token: SeCreatePagefilePrivilege	2484	WMIC.exe
Token: SeBackupPrivilege	2484	WMIC.exe
Token: SeRestorePrivilege	2484	WMIC.exe
Token: SeShutdownPrivilege	2484	WMIC.exe
Token: SeDebugPrivilege	2484	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2484	WMIC.exe
Token: SeRemoteShutdownPrivilege	2484	WMIC.exe
Token: SeUndockPrivilege	2484	WMIC.exe
Token: SeManageVolumePrivilege	2484	WMIC.exe
Token: 33	2484	WMIC.exe
Token: 34	2484	WMIC.exe
Token: 35	2484	WMIC.exe
Token: SeBackupPrivilege	2008	vssvc.exe
Token: SeRestorePrivilege	2008	vssvc.exe
Token: SeAuditPrivilege	2008	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2172	WMIC.exe
Token: SeSecurityPrivilege	2172	WMIC.exe
Token: SeTakeOwnershipPrivilege	2172	WMIC.exe
Token: SeLoadDriverPrivilege	2172	WMIC.exe
Token: SeSystemProfilePrivilege	2172	WMIC.exe
Token: SeSystemtimePrivilege	2172	WMIC.exe
Token: SeProfSingleProcessPrivilege	2172	WMIC.exe
Token: SeIncBasePriorityPrivilege	2172	WMIC.exe
Token: SeCreatePagefilePrivilege	2172	WMIC.exe
Token: SeBackupPrivilege	2172	WMIC.exe
Token: SeRestorePrivilege	2172	WMIC.exe
Token: SeShutdownPrivilege	2172	WMIC.exe
Token: SeDebugPrivilege	2172	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2172	WMIC.exe
Token: SeRemoteShutdownPrivilege	2172	WMIC.exe
Token: SeUndockPrivilege	2172	WMIC.exe
Token: SeManageVolumePrivilege	2172	WMIC.exe
Token: 33	2172	WMIC.exe
Token: 34	2172	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

2200 iexplore.exe
1796 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2200 iexplore.exe
2200 iexplore.exe
1280 IEXPLORE.EXE
1280 IEXPLORE.EXE

pid	process
2200	iexplore.exe
1796	DllHost.exe

pid	process
2200	iexplore.exe
2200	iexplore.exe
1280	IEXPLORE.EXE
1280	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exegfxfutdaqnqm.exegfxfutdaqnqm.exeiexplore.exe

description	pid	process	target process
PID 836 wrote to memory of 2604	836	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe
PID 836 wrote to memory of 2604	836	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe
PID 836 wrote to memory of 2604	836	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe
PID 836 wrote to memory of 2604	836	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe
PID 836 wrote to memory of 2604	836	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe
PID 836 wrote to memory of 2604	836	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe
PID 836 wrote to memory of 2604	836	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe
PID 836 wrote to memory of 2604	836	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe
PID 836 wrote to memory of 2604	836	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe
PID 836 wrote to memory of 2604	836	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe
PID 836 wrote to memory of 2604	836	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe
PID 2604 wrote to memory of 2640	2604	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	gfxfutdaqnqm.exe
PID 2604 wrote to memory of 2640	2604	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	gfxfutdaqnqm.exe
PID 2604 wrote to memory of 2640	2604	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	gfxfutdaqnqm.exe
PID 2604 wrote to memory of 2640	2604	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	gfxfutdaqnqm.exe
PID 2604 wrote to memory of 2708	2604	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	cmd.exe
PID 2604 wrote to memory of 2708	2604	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	cmd.exe
PID 2604 wrote to memory of 2708	2604	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	cmd.exe
PID 2604 wrote to memory of 2708	2604	546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe	cmd.exe
PID 2640 wrote to memory of 2600	2640	gfxfutdaqnqm.exe	gfxfutdaqnqm.exe
PID 2640 wrote to memory of 2600	2640	gfxfutdaqnqm.exe	gfxfutdaqnqm.exe
PID 2640 wrote to memory of 2600	2640	gfxfutdaqnqm.exe	gfxfutdaqnqm.exe
PID 2640 wrote to memory of 2600	2640	gfxfutdaqnqm.exe	gfxfutdaqnqm.exe
PID 2640 wrote to memory of 2600	2640	gfxfutdaqnqm.exe	gfxfutdaqnqm.exe
PID 2640 wrote to memory of 2600	2640	gfxfutdaqnqm.exe	gfxfutdaqnqm.exe
PID 2640 wrote to memory of 2600	2640	gfxfutdaqnqm.exe	gfxfutdaqnqm.exe
PID 2640 wrote to memory of 2600	2640	gfxfutdaqnqm.exe	gfxfutdaqnqm.exe
PID 2640 wrote to memory of 2600	2640	gfxfutdaqnqm.exe	gfxfutdaqnqm.exe
PID 2640 wrote to memory of 2600	2640	gfxfutdaqnqm.exe	gfxfutdaqnqm.exe
PID 2640 wrote to memory of 2600	2640	gfxfutdaqnqm.exe	gfxfutdaqnqm.exe
PID 2600 wrote to memory of 2484	2600	gfxfutdaqnqm.exe	WMIC.exe
PID 2600 wrote to memory of 2484	2600	gfxfutdaqnqm.exe	WMIC.exe
PID 2600 wrote to memory of 2484	2600	gfxfutdaqnqm.exe	WMIC.exe
PID 2600 wrote to memory of 2484	2600	gfxfutdaqnqm.exe	WMIC.exe
PID 2600 wrote to memory of 2824	2600	gfxfutdaqnqm.exe	NOTEPAD.EXE
PID 2600 wrote to memory of 2824	2600	gfxfutdaqnqm.exe	NOTEPAD.EXE
PID 2600 wrote to memory of 2824	2600	gfxfutdaqnqm.exe	NOTEPAD.EXE
PID 2600 wrote to memory of 2824	2600	gfxfutdaqnqm.exe	NOTEPAD.EXE
PID 2600 wrote to memory of 2200	2600	gfxfutdaqnqm.exe	iexplore.exe
PID 2600 wrote to memory of 2200	2600	gfxfutdaqnqm.exe	iexplore.exe
PID 2600 wrote to memory of 2200	2600	gfxfutdaqnqm.exe	iexplore.exe
PID 2600 wrote to memory of 2200	2600	gfxfutdaqnqm.exe	iexplore.exe
PID 2200 wrote to memory of 1280	2200	iexplore.exe	IEXPLORE.EXE
PID 2200 wrote to memory of 1280	2200	iexplore.exe	IEXPLORE.EXE
PID 2200 wrote to memory of 1280	2200	iexplore.exe	IEXPLORE.EXE
PID 2200 wrote to memory of 1280	2200	iexplore.exe	IEXPLORE.EXE
PID 2600 wrote to memory of 2172	2600	gfxfutdaqnqm.exe	WMIC.exe
PID 2600 wrote to memory of 2172	2600	gfxfutdaqnqm.exe	WMIC.exe
PID 2600 wrote to memory of 2172	2600	gfxfutdaqnqm.exe	WMIC.exe
PID 2600 wrote to memory of 2172	2600	gfxfutdaqnqm.exe	WMIC.exe
PID 2600 wrote to memory of 964	2600	gfxfutdaqnqm.exe	cmd.exe
PID 2600 wrote to memory of 964	2600	gfxfutdaqnqm.exe	cmd.exe
PID 2600 wrote to memory of 964	2600	gfxfutdaqnqm.exe	cmd.exe
PID 2600 wrote to memory of 964	2600	gfxfutdaqnqm.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

gfxfutdaqnqm.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	gfxfutdaqnqm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gfxfutdaqnqm.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:836
- C:\Users\Admin\AppData\Local\Temp\546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\546fe4e8d28a6c67a1047286eb57d773_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\gfxfutdaqnqm.exe
    C:\Windows\gfxfutdaqnqm.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\gfxfutdaqnqm.exe
      C:\Windows\gfxfutdaqnqm.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2600
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:2824
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2200
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2200 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1280
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\GFXFUT~1.EXE
        5⤵
        
        PID:964
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\546FE4~1.EXE
    3⤵
    - Deletes itself
    PID:2708

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+viyyl.html

Filesize
11KB

MD5
2fea63d69d5d068dc682caeaf1bc0d7e

SHA1
146f1f1892e97c37c5d780581618e398a9a610f8

SHA256
459977edef8489ae5a98e4244372e2c44533a31e09b233f5ab003d6ad34f5fd0

SHA512
92a781dba59192ddafde7f7750cd2faffada0d50fa853aee36a83478078d9e0845a2c25e29caec5a1c1b011a926016b19d2ad8475d352035eec1d5b22a40de08

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+viyyl.png

Filesize
63KB

MD5
9a5fb4305f1698caa4b9c58397c21e5e

SHA1
5d07d9878d1e0de6111d4ae3bd5dc90f20a56efc

SHA256
351558aa7b7c2c39663f748ea0e42184763c214fff6c89f607e5ebaf4af7a7d7

SHA512
5cc799a68836b94b84658dbbfde7f04234cb71cdd9f51657e68b91c089e7daf09b42c87e2c47f7e1f9821459387b1ce67d7f7322528d04fb163e7b66f85d1cf0

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+viyyl.txt

Filesize
1KB

MD5
bf2efc04b9310f74bb3c67269ebe8877

SHA1
d9d1f578b60ba6287653a4bd5c7bbc16fcdc7eae

SHA256
6d7991cd344ad31a17c2333ac1a5e9fa3bca33bfb1d4f784e80ee317d9a131a9

SHA512
86486c441aea617ce353bd3375a9e480dcda67cc684e86690a15b40b92b7e6fdd97cc08bed6da3d48defa4d0e3d28920e9a0be4afd6efba45daad413195ec395

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
077539ba4cb72e4e1e531fad1274c521

SHA1
6cd18ef27369f1691ce2f78ae8d141406a30f98f

SHA256
973898b6129137e42dd3f455568d4e62b70509998dd56bc71d3a905745969ca0

SHA512
c54723b188f8d43f726cc7e2ca8360f4d897779c10f2c18d392e18da7500cc9f64ae5ea6a09f5fabd7e3b22c727c35b2b082bcb391d9110f60f445af0c8409ea

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
9c76a5fee0942d7d7c8d1197512ca2a8

SHA1
e796f3097442b9a6f976b526830184f4de53541d

SHA256
7b4e9bd8068a5b89c95b8431202499e902767f954e3ce973c755eee11724bfb3

SHA512
6b11ac3c2458e4d2ffcfb1ca13fb31ef5af851d7fb24172b4d68ba7339c482481a3c1784170f4a1a84d92cb2978db617ad56ca921fbcb05f9f11a00facb2150b

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
3ee53c77fe186614a23ea17608201b70

SHA1
10898874d648e6f6e97d95b940fc96f266c85c64

SHA256
b70c128b5998be36f7a305a6648f668d950329000b01b1e2bd834937d564cbc0

SHA512
e60aa38d5248060f0ee096e85e2d419154e7ff7031c1f1ec01526436cb9a5a2e8e2ed2f0cc6c5ba77b332ebbafbf60b040d2313b32784c7e39710b382b9af646

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
73420d19c0f7661da782707227abc1bb

SHA1
645f74c0011ca757c4774237ab45d47110e7a3c9

SHA256
8e462f46571a4dd95f530c68cac1350ea39c2c1474ece9eabebdf3670ca5623f

SHA512
7f0065ff23403c86226c7c3320c7c560f431806f764905636385fcf91354b49a3afe5aa816f454f2cdb0abc2a8975baa3297057e13f5fde635a34c3bffc08ce4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
48734221604449ff22acf405bb94292a

SHA1
a06873b813010468397678fced33c6c8d3a28d35

SHA256
5c66ff1ee0af2d7a5b5d535823d14fbeaaf5cd657a40adefe8356f972f8ac2e2

SHA512
817794ca4761a2f991e07434429785c9c050b09e1e078020567b2e3be1ac51d5dd2eca4ebf23d4088cefa33aeeb34d60f73d11e96fd52fbe5fbb4297210e3bde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c06e0b13e90ce1ac40d26cc3d82c510f

SHA1
5cfc62fc82afba1ae8d4f92c79cdffde87bb3e1e

SHA256
a0df6c849deffe1c7f5fc6aade630dac19750dd07de0e729fbb384ad7148861a

SHA512
1b059a4d9bb7707b11836688d6d07df69dbbf9112c45fb1e307cdfed2515cb1c4ee14dd30736d8b959e88bdcfc61e2afe68b0b72f4c5372c544c223c6d349c04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d44c869daf80ea0dec2c48a17d9ada7a

SHA1
4d0acd3ef189f86567fabfd2134f9f2b59929f76

SHA256
e97801d341badf2cd7887de4c0a34a8a3b721c9eee4a3f7ee038f07776ec0821

SHA512
ea211198e13004df7842b904c7fd297ef7f278f3e88f8adbb98a06f74a339f36f3efb565b57b0a37d5e4f99f65655ac01f4e20d81311b38cdbb05e92225b82a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4833d7aa8a64137c8ce1b641eb3d1325

SHA1
4a8354d70442597d6abaeca8b9407a46a557acb2

SHA256
42822de707b66ca50f3c9380f2f6421219a71e7fdf1525e5cf0509fa6c85425f

SHA512
0dcfae5fd00febea8a5b8e204b15b9525a5730a84b4aac0676b8a96a14640416585e51998b91efa675ae3956d7b1f4298ef80c9ce48d68867fe63d5710be8c73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4ba7bfcae7d5d1577e3b2baac9a0cef5

SHA1
05005b981907ddb89f4d9b1c0bde311dcd4a6703

SHA256
1e57ae5e5b7ab680533cfabc21137d5efef5c83db274d92a4b1d46f0a89b6ab8

SHA512
57bee047eef8f6c99769b372ed2a8678cb6fe0746cd13b90725b6a532a997dae5326d53e10d3550c7fee5c2ab25f12056064b04b2ae964a4d119b268e87c3a60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d0876f326b26996b5cdde49113d55fe8

SHA1
1665a2a095475260aead5ca2b99e922a696e44cb

SHA256
9f5e765b576a8414010a9109606d22d825bd92f26c4a950ab0bf5a4364dcae45

SHA512
25f274724d12ea498e6470465173840595dd964df48c2ea6d364c0b797399537db2a2a62d503bc99f3dc07bb3696439b01ca58fa3cbbbb4c0be29018210cb752

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f4009c87890e0c47a22f0a24561f35a5

SHA1
8dff4fa8bfe01659680f10f098246101ad3e92c7

SHA256
6ebbd3bbdd0a09528213eeec9c46e69977c03778f1a6c7da5da0594a0a92c34b

SHA512
877dbd41e98bdf7b299f343af07d3cb65c53c7969ecee9132f070b84041dbc26a67a943ef5e3085f808c784a69735772c8387254ca48103bafd8de2a6608684c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8b3fd80f42515f16bc1d1f49eecac9ee

SHA1
f09e75323cab2d5aa224c0b073d5e633a6c6acd6

SHA256
2f420668682ae461948a7cf004ee152c590b02cd375deddcd1c9e5c5c5883c18

SHA512
5546b9f462284dd8975ab42138dbbb9ec8059af64901114879867b00bc8017c34f0a2e5c324c6e8c15f69628ce76001e14429b32bfba439ce9d54a5b5c28e6dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
64171ecc5bb47fcb082592fc982deb27

SHA1
60d12059bb79bee336ca5353cb47ae62d2ffc6f8

SHA256
a79f73f77e1cc0e5a0e8931c1815c476fab1cad07dac8033cb22897312021e83

SHA512
4172e05f52a3a7fcfd57322a3b68a8181152415ef546948f9766998ea5cd3daedd349123c9f0c993e6528b452bcb9af48aeb8a362b755518d06f0b0652845d55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6148055334830a09d3087854fbeab819

SHA1
2cc3f4cd9943c3ce649e996c1f093481d72de980

SHA256
c8ca68729c4c11a4df07900e4305f96203e291292036ea0faf3e2b29f0231c54

SHA512
41ce2fffa75be0f59350e572f105be6385462de11355e8034ba84fe37e662a92d34c93beb5bff963cb559d0363c35ed48a0f61f927cfe91f576c71fdd26e95a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a0ce8075d2ef6ee98a6d44500b992d1a

SHA1
9215bef17bd116f5360f6380644136e34fd52df6

SHA256
8fbbf2fc1eff55fcfaef675910df6cb569593617702e9834c19d64ef5099f212

SHA512
08b4681753f8dc0017c466139bc597440eb68ecb5fe4a253436780d598f516d15a24b3e13e2f849bd85d8c5bb4c2e1e6e03e29aaf9bd7fa274581236ac953c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2435.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2448.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\gfxfutdaqnqm.exe

Filesize
384KB

MD5
546fe4e8d28a6c67a1047286eb57d773

SHA1
19a807a5fe6f1974ea4ba5f2bafb5cf4edb56f23

SHA256
828cd60f0928c571477a4e351b0d98d0d03abe48f0b67a9ed605a2eb8dab5c4c

SHA512
702ac5cd5e84d6157ab79fc6e41fa4fc1075e72318459345e7e75db200c07d09bf20d7f5b759c53e1207f80d0bbc2f5ab2c464b3cd8c8b8d4ffbc1b32707e5f2

Download Submit
memory/836-17-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download
memory/836-1-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download
memory/836-0-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download
memory/1796-6106-0x0000000000570000-0x0000000000572000-memory.dmp

Filesize
8KB

Download
memory/2600-6121-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2600-6126-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2600-55-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2600-54-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2600-52-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2600-2360-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2600-5344-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2600-6099-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2600-6105-0x0000000001E90000-0x0000000001E92000-memory.dmp

Filesize
8KB

Download
memory/2600-49-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2600-6109-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2600-50-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2600-6123-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2600-971-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2604-29-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2604-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2604-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2604-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2604-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2604-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2604-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2604-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2604-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2604-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2604-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2640-28-0x0000000000400000-0x0000000000748000-memory.dmp

Filesize
3.3MB

Download