teslacrypt | 62d78ef75cec3ff6c1a71c7bb1f1b37a8f1bb57519eb1adef67e6b7ccfe8162e

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
19-05-2024 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bbce05b2a2d81485de1a6aaae41763c_JaffaCakes118.exe
Size

382KB
MD5

5bbce05b2a2d81485de1a6aaae41763c
SHA1

3f0a16bcd5cb1e2916f92505d510b1e5e9208994
SHA256

62d78ef75cec3ff6c1a71c7bb1f1b37a8f1bb57519eb1adef67e6b7ccfe8162e
SHA512

2ddfc8ff5ab050ebf2c31384bc3fb4961894b9c07881b8df0f7ddfbd82eca9e19ca0e99dd2f1176d793cae68485da847d338f3dad0618d0ac50a40fef3b0e5c4
SSDEEP

6144:qoQ60/gAOEYIME6YYnlEqvSKgnzC9RJC8m+Ho2JQE:qU0/gaTwxlJBgG9Tfmv2Jn

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+vpegy.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/271CEC3F890C02C 2. http://tes543berda73i48fsdfsd.keratadze.at/271CEC3F890C02C 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/271CEC3F890C02C If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/271CEC3F890C02C 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/271CEC3F890C02C http://tes543berda73i48fsdfsd.keratadze.at/271CEC3F890C02C http://tt54rfdjhb34rfbnknaerg.milerteddy.com/271CEC3F890C02C *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/271CEC3F890C02C

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/271CEC3F890C02C

http://tes543berda73i48fsdfsd.keratadze.at/271CEC3F890C02C

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/271CEC3F890C02C

http://xlowfznrg4wf7dli.ONION/271CEC3F890C02C

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (414) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3040 cmd.exe

pid	process
3040	cmd.exe

Drops startup file 3 IoCs

Processes:

qqphkbkwqfyu.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+vpegy.png	qqphkbkwqfyu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+vpegy.txt	qqphkbkwqfyu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+vpegy.html	qqphkbkwqfyu.exe

Executes dropped EXE 1 IoCs

Processes:

qqphkbkwqfyu.exe

pid process

1880 qqphkbkwqfyu.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

qqphkbkwqfyu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\pvgmhvsdwuci = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\qqphkbkwqfyu.exe\""	qqphkbkwqfyu.exe

Drops file in Program Files directory 64 IoCs

Processes:

qqphkbkwqfyu.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\_RECOVERY_+vpegy.txt	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\_RECOVERY_+vpegy.png	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\_RECOVERY_+vpegy.png	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\_RECOVERY_+vpegy.png	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\af.pak	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\_RECOVERY_+vpegy.png	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\_RECOVERY_+vpegy.html	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-3.png	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\_RECOVERY_+vpegy.html	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\_RECOVERY_+vpegy.png	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\settings.css	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\_RECOVERY_+vpegy.html	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\_RECOVERY_+vpegy.png	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\_RECOVERY_+vpegy.txt	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\_RECOVERY_+vpegy.html	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_RECOVERY_+vpegy.txt	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\es-419.pak	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Internet Explorer\images\_RECOVERY_+vpegy.html	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\_RECOVERY_+vpegy.html	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\_RECOVERY_+vpegy.html	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\_RECOVERY_+vpegy.png	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\_RECOVERY_+vpegy.txt	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\RenameClose.xls	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\_RECOVERY_+vpegy.png	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\localizedStrings.js	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\720x480blacksquare.png	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\_RECOVERY_+vpegy.txt	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\jquery.jstree.js	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\_RECOVERY_+vpegy.png	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\_RECOVERY_+vpegy.txt	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Reference Assemblies\_RECOVERY_+vpegy.txt	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\_RECOVERY_+vpegy.html	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ie\_RECOVERY_+vpegy.png	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\_RECOVERY_+vpegy.html	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\_RECOVERY_+vpegy.txt	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\it-IT\_RECOVERY_+vpegy.html	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\_RECOVERY_+vpegy.txt	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_RECOVERY_+vpegy.html	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\_RECOVERY_+vpegy.txt	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\_RECOVERY_+vpegy.txt	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\_RECOVERY_+vpegy.html	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\_RECOVERY_+vpegy.txt	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_RECOVERY_+vpegy.txt	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\_RECOVERY_+vpegy.png	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\_RECOVERY_+vpegy.png	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\settings.css	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\_RECOVERY_+vpegy.txt	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_RECOVERY_+vpegy.html	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\_RECOVERY_+vpegy.html	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\_RECOVERY_+vpegy.html	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\_RECOVERY_+vpegy.txt	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\activity16v.png	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\_RECOVERY_+vpegy.png	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\_RECOVERY_+vpegy.html	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_SelectionSubpicture.png	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\_RECOVERY_+vpegy.txt	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\_RECOVERY_+vpegy.txt	qqphkbkwqfyu.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\_RECOVERY_+vpegy.txt	qqphkbkwqfyu.exe

Drops file in Windows directory 2 IoCs

Processes:

5bbce05b2a2d81485de1a6aaae41763c_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\qqphkbkwqfyu.exe	5bbce05b2a2d81485de1a6aaae41763c_JaffaCakes118.exe
File opened for modification	C:\Windows\qqphkbkwqfyu.exe	5bbce05b2a2d81485de1a6aaae41763c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000cf0efc90e7ac32fab46bc2cea1c49cd33cc38155e70e73bbee9f5bde32ce6ed8000000000e80000000020000200000000abb89c6d88b6fd74be3efab183e5ba8137e1c16a34b88ef89b57205655bc93420000000edc0ce18fb621ba2ef44c8f1d1b9076dc9da2d39b0230fa7ae65bf45deeb311c4000000070b758b47217210da1d5aba35f6b5e4150de5a3470f8fc0cd05b611948a7f2a6864d9e75e4679f41e82c8920edf60f52a8f271f51c615e57717838146691f1eb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 607ef67439aada01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422318507"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A0815001-162C-11EF-8D12-66A5A0AB388F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000740ef62207729e6883a81ace7a5495a006cbaa7a8bc662e275bfc2b219125982000000000e8000000002000020000000a556917fcd91fd4f4f254e23c0f9d743f223b17c1aa6ae5bf3534c401c6a3bb89000000062b87b11bae3f9568e7e2484516a2aca8f858eeb0b8d013416af5f3bf9a60c548060d5bd4867c890f0bab1bf066c4291938fc60c7c8af3c432591904395cd30c0be04bab11419715f3e2bb2ba9bf6b3545a4a7b8e4cfc073917857eed100330c62ba208d77b95812e71e9f16b5f26e066ea7b833c87aa103e8384ee47bc7449edc9e7c0ae4e30a3f6ebe11992def0128400000009ba13030752a77607bada365389ac9d0b682808b3efcf9d964381522fda137b6342b3e0dc97182b6e617431c0a6a9176bd4d2049b0d7669532d72d76e68780e5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

772 NOTEPAD.EXE

pid	process
772	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

qqphkbkwqfyu.exe

pid	process
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe
1880	qqphkbkwqfyu.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

5bbce05b2a2d81485de1a6aaae41763c_JaffaCakes118.exeqqphkbkwqfyu.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2896	5bbce05b2a2d81485de1a6aaae41763c_JaffaCakes118.exe
Token: SeDebugPrivilege	1880	qqphkbkwqfyu.exe
Token: SeIncreaseQuotaPrivilege	2780	WMIC.exe
Token: SeSecurityPrivilege	2780	WMIC.exe
Token: SeTakeOwnershipPrivilege	2780	WMIC.exe
Token: SeLoadDriverPrivilege	2780	WMIC.exe
Token: SeSystemProfilePrivilege	2780	WMIC.exe
Token: SeSystemtimePrivilege	2780	WMIC.exe
Token: SeProfSingleProcessPrivilege	2780	WMIC.exe
Token: SeIncBasePriorityPrivilege	2780	WMIC.exe
Token: SeCreatePagefilePrivilege	2780	WMIC.exe
Token: SeBackupPrivilege	2780	WMIC.exe
Token: SeRestorePrivilege	2780	WMIC.exe
Token: SeShutdownPrivilege	2780	WMIC.exe
Token: SeDebugPrivilege	2780	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2780	WMIC.exe
Token: SeRemoteShutdownPrivilege	2780	WMIC.exe
Token: SeUndockPrivilege	2780	WMIC.exe
Token: SeManageVolumePrivilege	2780	WMIC.exe
Token: 33	2780	WMIC.exe
Token: 34	2780	WMIC.exe
Token: 35	2780	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2780	WMIC.exe
Token: SeSecurityPrivilege	2780	WMIC.exe
Token: SeTakeOwnershipPrivilege	2780	WMIC.exe
Token: SeLoadDriverPrivilege	2780	WMIC.exe
Token: SeSystemProfilePrivilege	2780	WMIC.exe
Token: SeSystemtimePrivilege	2780	WMIC.exe
Token: SeProfSingleProcessPrivilege	2780	WMIC.exe
Token: SeIncBasePriorityPrivilege	2780	WMIC.exe
Token: SeCreatePagefilePrivilege	2780	WMIC.exe
Token: SeBackupPrivilege	2780	WMIC.exe
Token: SeRestorePrivilege	2780	WMIC.exe
Token: SeShutdownPrivilege	2780	WMIC.exe
Token: SeDebugPrivilege	2780	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2780	WMIC.exe
Token: SeRemoteShutdownPrivilege	2780	WMIC.exe
Token: SeUndockPrivilege	2780	WMIC.exe
Token: SeManageVolumePrivilege	2780	WMIC.exe
Token: 33	2780	WMIC.exe
Token: 34	2780	WMIC.exe
Token: 35	2780	WMIC.exe
Token: SeBackupPrivilege	2552	vssvc.exe
Token: SeRestorePrivilege	2552	vssvc.exe
Token: SeAuditPrivilege	2552	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1532	WMIC.exe
Token: SeSecurityPrivilege	1532	WMIC.exe
Token: SeTakeOwnershipPrivilege	1532	WMIC.exe
Token: SeLoadDriverPrivilege	1532	WMIC.exe
Token: SeSystemProfilePrivilege	1532	WMIC.exe
Token: SeSystemtimePrivilege	1532	WMIC.exe
Token: SeProfSingleProcessPrivilege	1532	WMIC.exe
Token: SeIncBasePriorityPrivilege	1532	WMIC.exe
Token: SeCreatePagefilePrivilege	1532	WMIC.exe
Token: SeBackupPrivilege	1532	WMIC.exe
Token: SeRestorePrivilege	1532	WMIC.exe
Token: SeShutdownPrivilege	1532	WMIC.exe
Token: SeDebugPrivilege	1532	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1532	WMIC.exe
Token: SeRemoteShutdownPrivilege	1532	WMIC.exe
Token: SeUndockPrivilege	1532	WMIC.exe
Token: SeManageVolumePrivilege	1532	WMIC.exe
Token: 33	1532	WMIC.exe
Token: 34	1532	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

2180 iexplore.exe
1824 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2180 iexplore.exe
2180 iexplore.exe
900 IEXPLORE.EXE
900 IEXPLORE.EXE

pid	process
2180	iexplore.exe
1824	DllHost.exe

pid	process
2180	iexplore.exe
2180	iexplore.exe
900	IEXPLORE.EXE
900	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

5bbce05b2a2d81485de1a6aaae41763c_JaffaCakes118.exeqqphkbkwqfyu.exeiexplore.exe

description	pid	process	target process
PID 2896 wrote to memory of 1880	2896	5bbce05b2a2d81485de1a6aaae41763c_JaffaCakes118.exe	qqphkbkwqfyu.exe
PID 2896 wrote to memory of 1880	2896	5bbce05b2a2d81485de1a6aaae41763c_JaffaCakes118.exe	qqphkbkwqfyu.exe
PID 2896 wrote to memory of 1880	2896	5bbce05b2a2d81485de1a6aaae41763c_JaffaCakes118.exe	qqphkbkwqfyu.exe
PID 2896 wrote to memory of 1880	2896	5bbce05b2a2d81485de1a6aaae41763c_JaffaCakes118.exe	qqphkbkwqfyu.exe
PID 2896 wrote to memory of 3040	2896	5bbce05b2a2d81485de1a6aaae41763c_JaffaCakes118.exe	cmd.exe
PID 2896 wrote to memory of 3040	2896	5bbce05b2a2d81485de1a6aaae41763c_JaffaCakes118.exe	cmd.exe
PID 2896 wrote to memory of 3040	2896	5bbce05b2a2d81485de1a6aaae41763c_JaffaCakes118.exe	cmd.exe
PID 2896 wrote to memory of 3040	2896	5bbce05b2a2d81485de1a6aaae41763c_JaffaCakes118.exe	cmd.exe
PID 1880 wrote to memory of 2780	1880	qqphkbkwqfyu.exe	WMIC.exe
PID 1880 wrote to memory of 2780	1880	qqphkbkwqfyu.exe	WMIC.exe
PID 1880 wrote to memory of 2780	1880	qqphkbkwqfyu.exe	WMIC.exe
PID 1880 wrote to memory of 2780	1880	qqphkbkwqfyu.exe	WMIC.exe
PID 1880 wrote to memory of 772	1880	qqphkbkwqfyu.exe	NOTEPAD.EXE
PID 1880 wrote to memory of 772	1880	qqphkbkwqfyu.exe	NOTEPAD.EXE
PID 1880 wrote to memory of 772	1880	qqphkbkwqfyu.exe	NOTEPAD.EXE
PID 1880 wrote to memory of 772	1880	qqphkbkwqfyu.exe	NOTEPAD.EXE
PID 1880 wrote to memory of 2180	1880	qqphkbkwqfyu.exe	iexplore.exe
PID 1880 wrote to memory of 2180	1880	qqphkbkwqfyu.exe	iexplore.exe
PID 1880 wrote to memory of 2180	1880	qqphkbkwqfyu.exe	iexplore.exe
PID 1880 wrote to memory of 2180	1880	qqphkbkwqfyu.exe	iexplore.exe
PID 2180 wrote to memory of 900	2180	iexplore.exe	IEXPLORE.EXE
PID 2180 wrote to memory of 900	2180	iexplore.exe	IEXPLORE.EXE
PID 2180 wrote to memory of 900	2180	iexplore.exe	IEXPLORE.EXE
PID 2180 wrote to memory of 900	2180	iexplore.exe	IEXPLORE.EXE
PID 1880 wrote to memory of 1532	1880	qqphkbkwqfyu.exe	WMIC.exe
PID 1880 wrote to memory of 1532	1880	qqphkbkwqfyu.exe	WMIC.exe
PID 1880 wrote to memory of 1532	1880	qqphkbkwqfyu.exe	WMIC.exe
PID 1880 wrote to memory of 1532	1880	qqphkbkwqfyu.exe	WMIC.exe
PID 1880 wrote to memory of 556	1880	qqphkbkwqfyu.exe	cmd.exe
PID 1880 wrote to memory of 556	1880	qqphkbkwqfyu.exe	cmd.exe
PID 1880 wrote to memory of 556	1880	qqphkbkwqfyu.exe	cmd.exe
PID 1880 wrote to memory of 556	1880	qqphkbkwqfyu.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

qqphkbkwqfyu.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	qqphkbkwqfyu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	qqphkbkwqfyu.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5bbce05b2a2d81485de1a6aaae41763c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5bbce05b2a2d81485de1a6aaae41763c_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\qqphkbkwqfyu.exe
  C:\Windows\qqphkbkwqfyu.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1880
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2780
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:772
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2180 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:900
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\QQPHKB~1.EXE
    3⤵
    PID:556
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\5BBCE0~1.EXE
  2⤵
  - Deletes itself
  PID:3040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+vpegy.html

Filesize
11KB

MD5
666f8c9c199af5465e1e8418ed75ef40

SHA1
97cf0ba20c063daf58682ed3a9ae2516e0fb908f

SHA256
960b1221d75a43bdaa86e52a154e65f09801a876eec8f8d5f74099872f9f545d

SHA512
4ef2e4505ffd1ba0b8c7e1d033d774bba439264d7c0c2055f245904734cac829482c38596b55c1ea8925eb2f22f7cb556f6a39eed75949d552c183b67057c484

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+vpegy.png

Filesize
62KB

MD5
084b333562e685ce319cb2bd242130f1

SHA1
bf0107929f4c7b59d9f72dfaa62add127fa5ca11

SHA256
b48de27d195f71e5f19a1e7116622f5108e92fa90fb550befe56c319f8b2c767

SHA512
3f946805dc3d8e4ee668bc679d3073f19fa8c08ea8e38c21697aa706a5b45055e205589907ca2bd88701a01930c227de45cb74a031177351818c6116bf0a17a8

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+vpegy.txt

Filesize
1KB

MD5
6ef76f08e032cb75a45f7132fc2d3350

SHA1
5fbde42169d5e3a7d97bb93d22d28477fe1a6ca7

SHA256
adf2a525b9033a4896e45f8204066e74cbf3b4af3674dc72ae7f6914f80c899f

SHA512
c4d0cc4a67ee08346f5a88d0a787b5b8f5f3c4ce73e9b47728efb1f79fa3c299e09ad795a6ae8df3bf4e3b7c7ae979c61f8e7a807799cf7bed84677c7abe6773

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
a09a780fb89d82e6941519d85a0e07dc

SHA1
59a875c539c50384a5acc05c10e356176eb1df4a

SHA256
f0727b3821f9287684babd3258a6c6baf0803494758fe387cf721a21116feafe

SHA512
1455247a4f52ac515f85c82989e0741994182f6eaac3b43ea1f70c86b610401f1dc90d2ccbcdf3aabd9167499a427b47b06dfd157c60632ae2aff6ddb6d51812

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
ebe03a22444e9c37fd9305dd66103773

SHA1
78c655cc9327a8d482a794554118ac12ea374a09

SHA256
555c2b41598025f98a12bbb5b473e61b3cf7fb4d52a430e676a64f658e2a41f7

SHA512
cda136c767680a32d2e419ac103e130d83536258181de335ea38f666ba341cd9f4909e76be8406093dc899f3397fa6ea06087a77ffcd1cc5cae05464ead26b1f

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
31e82d96a42e39f3227693610e8cc425

SHA1
5c8b988aa717917c3ec01318256650c175dbffb4

SHA256
3ae7fb84e14b0fb193ea452be7767b015e5b77cb46e6bfc92fd31e266319035d

SHA512
f76278536ea20b9c8adbfe6e144c7e56be65ac015364a340af8f43465d9509aa2b3ad2533cddc60372b02892b393dc6971d40a00ffaa908f4d3ce2d064764a8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
472df0a4c87fab0c1ac225411d75280a

SHA1
96272423eeaf6ac31cd6bbfe76e352ac628a4173

SHA256
0ad944f03ae08c0c319046078d15b58889b5870de2fb1d4b1c01b92de31b0de3

SHA512
860f9266c08203e644805a2b5e8125781ee6f59de51165d057add511d9d56e1ac1d31b9c60ceef41a27c1701b233ae3bed3d6015ef3efc634070c047615a3ceb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
89405e92fd396a3a31d0dc5d40b8cddf

SHA1
a7dd05d728ef10277d947b94ccedc5bf092dda14

SHA256
0f1ac4f1494eb8c9c8160c0013731dd13fe1eed6b4184ca9b7072ea8b5f14039

SHA512
4392c04ac6549c7e020c7e9c98afc8402bba1a5d3ff058c18af96340f01f696a574f38d1c29ddfe2a9d6eeecb0a0edb4a306aeb76dfb478a2f3a59e91fc3d235

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4903185ab06d3e727776e943348a7ad2

SHA1
df9e2532a1b8ec617bd6e50a7820a3cd29d0ad3e

SHA256
7a69278390ec32497d80984403b7e4e3f2611f479e8220e19cb334a8a6cfefc8

SHA512
0ca9fa9fa93da0a87f68d4e482d2936206bf195f1d9e005f4000b5ca98bcf33cee499496a288cc9836d8e51c9ba98243c1d37bc14f140b843ab68b05e24ebd18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
deb7185d3da00c9c0c153b20e93ea98a

SHA1
3216dd4b36077a24a2734fe2457640e61e5f365a

SHA256
6d3cfeac7fa4c78ef258c4a910fa17bd4f78f51a977dd19093146cfd2ed9699a

SHA512
6403601da658b130a0500152282207f07fc09d27d16e46b7b939b70dc562157f59c392a76c097bb5229a80fe9c199b08f5148d4d282c52065c6214a2c61a1299

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
452cc2fdfac036f3e9007f5745dddc49

SHA1
e966993d18e4994ddfb829d3f304892c91d3237a

SHA256
e2b9e8a29bec1e353ebc66f59e4465c6c3decf79430735d6f62df2b18d2cb7db

SHA512
7dff3a73cae766052ed4a741d4186525f70ea6eb35d7e7664b3f49fa44dba993cfc6976c121b13e4b3a1d891e20e9a1fe66e8c0866545da437583ecc23e37a9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c3f91ddf57b32389c4058220519ff2ec

SHA1
f62866f94feb3496d6b39aaf7d495517673eb5e7

SHA256
1e3bb2a03c5a5a4f0f5048bc3033c45d796194f080b99a46122467c2f5c892f5

SHA512
d92a302dbccb92033f4e0f9d9a3694e1a5cc44bceb750cf42b8d71b6ff62c3a3de58f24305df956435cf12526bf6d751662675702cc61b3aed50ce6633df0712

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
582848fc2740caa76203ff5e07861786

SHA1
0c69581b3a4b45728c323dfd19528e492e74e1c2

SHA256
ebc885701b9c09be280ca86dc655e5e7e9bca53b6093a1e2f1446acd4ae56f88

SHA512
93855bdb013e49ce6a80c6df1780e1562a483d970244bd0cb16e7890e45daceb5179df6c2878e90b5e8ca9499be162df0dffd374cd9f49e0b62252d10ff12b80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c9a1eb189a2b949de7d628146bd119ae

SHA1
e6f0746d9332aeb113eac371c13b177c6f8aef4f

SHA256
247b71d8510f06f02cc6647849a21e976684193f6f536b5877d21bf17b36d825

SHA512
a76a26e07b5db31522204d45d50a7e595d0807ecaf3b6677b1b66286fa1ed2a45aeb76a1d2650b7780b7d27fed6924041928cbdc0b801a54b7675badf5bb7b32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ebf1eca358d44738f0eb1a896c54c09a

SHA1
d0ca39a20828f10ea6b93df27c4f4e8672094eca

SHA256
0436bf8c1f7e04344857ce1fe5bb008624b2d0dc3376bb752bb76e9d87c00ab7

SHA512
6a6292c965b88c3d0305ee4944a4a2ba4d35a60451e3f692fbb04aebc4e1d1dafc1d567236f7b9c38e4f5efb9058df4424ae1f53bb1d833546916e797a70ba17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7085480874e0ea73b5a41e564e134300

SHA1
0b38adf189d5869fef6f8caa30345d27310b49f2

SHA256
962b8f39a11ac7946c1ab9bf14edbd8622892a73175dde498a1224c7df2987fe

SHA512
96a409f222f7738b75a610b669c99f77acaf87ff9ff65013fd39a6c30c8657b7d2dc0865d7ac880fd76f1d4f9b3143b12a488ceb729dbb0456007ca0ac3e2950

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3c5b47029346d76138315991f6044280

SHA1
8409019b8f51cc57e46fcfcf13ad25b42a378af7

SHA256
63733b4632b23a05d1cc715c9607e846a84112dc39a33d729f354e5a24ad9071

SHA512
5828bbd19662b74f8e7491737d619556cb1e5a3a37af3f13005b8259c9ea5f28922a197cb678da493eeb3bb9e62b1aa5d2c31ecf1fdb87e569404c72bff3564b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b3190926b2387a60a608033882e12ac2

SHA1
47d407d0cb7d6db823f7c20f11def399f67b271d

SHA256
053f2b9488c1ee1a1fd8fb9713ac089a1d2d1b50497bbe1f1330a4f6f4bba90e

SHA512
fc64a2216d504ad2782acf5ee840f19e9cbbbd21fec1a7786bfceaabe4fa126f3a9a2ff73cc95237fa7b4c0701984b3833054240ce05cd61d66de5f966fa64d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5eca9e6bb25d4e90af73b91cfd016f33

SHA1
645f9ccb311dfc0be6840ef98c155a277a00f5bf

SHA256
5cd005a25cd5cd08a5c646aa9e67e76162061bc399847c42e2d9845d37297cfb

SHA512
c8fd39bb401fbe1feb210b252ece90b59e2640d28f1bc1edcc39d9541eb179d6eb30da883849d4e2b653fb88a8257cd0923d5367abc7fe2dd9d3463f7ea60a95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c7aa8e8883b08b42286257b86134f64d

SHA1
520028ced468c56a692fec43e51b71a3023ca934

SHA256
6179813d83683b174e63c208cf234b866b497c188a5f11e40efb0bd826dd3adb

SHA512
f0e666b612351dc7ac8ec317a593a5fe8404e220227c9e7c17aacd3e8904848050ae005da0b4d49de6e13aac4fa45c29f0d12c46eeac647cf79e0a884928986c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eb86387ecbf4a614f02df7ee8a3f4e32

SHA1
a46a44b84e734ef037bae480f385c0bf297103fb

SHA256
1c4eabc3d3d5a05445724e5edec716f33468c18a0c6090c74554614dead85ddc

SHA512
36e7e606623cac6a363cd967ab84a1cfb877f1d9660d0c2943ecff5ff692d4e4cc820850c52703afd21eb0ffddfb8a5c50f5d6336dbbfc5ddc511d82cabc2231

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a8439be2b04c39b9dc0617573549ee4e

SHA1
fcd76062e5d294c59f66ae1cd32a196c5137a4a7

SHA256
dee207950c780826f79e8cf4dd51e1ebf30faebb5dc5ca912fafce4b4de453fc

SHA512
7ef5909dd78986d587e312d9f5bede1f49573033d2a94170af7b698d3e196a2fc0e2da8e88b5b194cbf7bd80f43165a860c74a880d6279f5b1f06d5a8c308d57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fefc74c5bfaec1144c5154d9ec25e575

SHA1
70315feaab0602208c9bd00a42dae3b445964096

SHA256
854d1cff271f3244f7efa0d6cbfd417b8c933685055521fa7161eda9faf42b10

SHA512
975466cb9f1183ae99e17cc9306282ae8e74e8e7b4cdf815b70ab403c2c61b319d3118b5a1c389d6c603b1f0b7782d2a0b152d99e7b514ef6e185d825d36acda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4332b5090afb5d6dda16d39efef0d1a9

SHA1
7e05f3dd1df03e67a7a85931878f3c4a89ab75ee

SHA256
98e5d022bca62cf087b5f743dc16e98ced8c2af38a9c90081cb772548888f0da

SHA512
cbae0782d93f10f43be626e91432609ae1497ef1668330889511c23d90ec260da49890df0ed9cbb26811c130fa440706afa6a2de9cbc278049d116d4693e13a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8bf969ea3ec6deab2485157ac164e4c2

SHA1
063fbbf4345dd0d599b76cc02860c45525f7c00c

SHA256
bf4957fee45911e06227a77beaa5f862f1d3cc2151c35a14c8c08ba8a3085a1e

SHA512
77b2bce7f0328d95e17dced5702308f7a7994d145b764fa55f64d0712305d9dac65418efef4f91e521b7f2984ef6b922ce0b0bab5615f98e729eebb7d19bf939

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA5D4.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA636.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\qqphkbkwqfyu.exe

Filesize
382KB

MD5
5bbce05b2a2d81485de1a6aaae41763c

SHA1
3f0a16bcd5cb1e2916f92505d510b1e5e9208994

SHA256
62d78ef75cec3ff6c1a71c7bb1f1b37a8f1bb57519eb1adef67e6b7ccfe8162e

SHA512
2ddfc8ff5ab050ebf2c31384bc3fb4961894b9c07881b8df0f7ddfbd82eca9e19ca0e99dd2f1176d793cae68485da847d338f3dad0618d0ac50a40fef3b0e5c4

Download Submit
memory/1824-6008-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download
memory/1880-2032-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1880-10-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1880-4901-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1880-6012-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1880-6007-0x0000000003420000-0x0000000003422000-memory.dmp

Filesize
8KB

Download
memory/2896-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2896-0-0x0000000002030000-0x000000000205E000-memory.dmp

Filesize
184KB

Download
memory/2896-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2896-8-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2896-9-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download