teslacrypt | ddc22b54761307cf1af200cbbfdedc44bb76aa3d876155c6570b1729a7eaaa57

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exe
Size

484KB
MD5

8c7fc6b38e8f927f2a8e8888bbc3545c
SHA1

b017d494790f3862a6851919f981e25dab8eebaa
SHA256

ddc22b54761307cf1af200cbbfdedc44bb76aa3d876155c6570b1729a7eaaa57
SHA512

7792e9b8029040eff7c7bb71cba4d938f7a6464276311adb5fd443ebbdafcb3533d7c120cfbab9ecd6b7e30762c37c5b3af1844f2b03db0cf6732a5dd02d0fad
SSDEEP

6144:0utAHuAX1/7zv+Ul4s/KFxhNDPPHf2TNhOAL68v6RD/Nqr49Jr:0xHu4/H6xhtPPHf2JhTxvU/4rI

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+dekxi.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/23BF7EA79C4B5EDA 2 - http://u54bbnhf354fbkh254tbkhjbgy8258gnkwerg.tahaplap.com/23BF7EA79C4B5EDA 3 - http://w6bfg4hahn5bfnlsafgchkvg5fwsfvrt.hareuna.at/23BF7EA79C4B5EDA If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/23BF7EA79C4B5EDA 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/23BF7EA79C4B5EDA http://u54bbnhf354fbkh254tbkhjbgy8258gnkwerg.tahaplap.com/23BF7EA79C4B5EDA http://w6bfg4hahn5bfnlsafgchkvg5fwsfvrt.hareuna.at/23BF7EA79C4B5EDA Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/23BF7EA79C4B5EDA

URLs

http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/23BF7EA79C4B5EDA

http://u54bbnhf354fbkh254tbkhjbgy8258gnkwerg.tahaplap.com/23BF7EA79C4B5EDA

http://w6bfg4hahn5bfnlsafgchkvg5fwsfvrt.hareuna.at/23BF7EA79C4B5EDA

http://xlowfznrg4wf7dli.ONION/23BF7EA79C4B5EDA

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (421) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2672 cmd.exe

pid	process
2672	cmd.exe

Drops startup file 3 IoCs

Processes:

jrbadhbewbss.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+dekxi.png	jrbadhbewbss.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+dekxi.txt	jrbadhbewbss.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+dekxi.html	jrbadhbewbss.exe

Executes dropped EXE 1 IoCs

Processes:

jrbadhbewbss.exe

pid process

2572 jrbadhbewbss.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

jrbadhbewbss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\osdwfmi = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\jrbadhbewbss.exe"	jrbadhbewbss.exe

Drops file in Program Files directory 64 IoCs

Processes:

jrbadhbewbss.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_ReCoVeRy_+dekxi.txt	jrbadhbewbss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\_ReCoVeRy_+dekxi.txt	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\_ReCoVeRy_+dekxi.txt	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\_ReCoVeRy_+dekxi.html	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\timeZones.js	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\_ReCoVeRy_+dekxi.html	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\_ReCoVeRy_+dekxi.txt	jrbadhbewbss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\_ReCoVeRy_+dekxi.png	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\drag.png	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\_ReCoVeRy_+dekxi.html	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bg.pak	jrbadhbewbss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\_ReCoVeRy_+dekxi.png	jrbadhbewbss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\_ReCoVeRy_+dekxi.html	jrbadhbewbss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_SelectionSubpicture.png	jrbadhbewbss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\vi\_ReCoVeRy_+dekxi.txt	jrbadhbewbss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\_ReCoVeRy_+dekxi.html	jrbadhbewbss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\_ReCoVeRy_+dekxi.txt	jrbadhbewbss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\_ReCoVeRy_+dekxi.png	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\_ReCoVeRy_+dekxi.html	jrbadhbewbss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\_ReCoVeRy_+dekxi.png	jrbadhbewbss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\_ReCoVeRy_+dekxi.html	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\_ReCoVeRy_+dekxi.txt	jrbadhbewbss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\1047x576black.png	jrbadhbewbss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\vignettemask25.png	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\21.png	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\_ReCoVeRy_+dekxi.html	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\_ReCoVeRy_+dekxi.txt	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_ReCoVeRy_+dekxi.txt	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\settings.js	jrbadhbewbss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_SelectionSubpicture.png	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\_ReCoVeRy_+dekxi.txt	jrbadhbewbss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am_ET\_ReCoVeRy_+dekxi.html	jrbadhbewbss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lo\_ReCoVeRy_+dekxi.html	jrbadhbewbss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\_ReCoVeRy_+dekxi.html	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_ReCoVeRy_+dekxi.png	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\_ReCoVeRy_+dekxi.txt	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_blu.css	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png	jrbadhbewbss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\_ReCoVeRy_+dekxi.html	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\_ReCoVeRy_+dekxi.txt	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_ReCoVeRy_+dekxi.txt	jrbadhbewbss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\_ReCoVeRy_+dekxi.txt	jrbadhbewbss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\_ReCoVeRy_+dekxi.txt	jrbadhbewbss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	jrbadhbewbss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\_ReCoVeRy_+dekxi.png	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\_ReCoVeRy_+dekxi.txt	jrbadhbewbss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\_ReCoVeRy_+dekxi.txt	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\_ReCoVeRy_+dekxi.png	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\bg_sidebar.png	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_ReCoVeRy_+dekxi.html	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\_ReCoVeRy_+dekxi.txt	jrbadhbewbss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_VideoInset.png	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\timeZones.js	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\es-ES\_ReCoVeRy_+dekxi.html	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\_ReCoVeRy_+dekxi.txt	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\_ReCoVeRy_+dekxi.png	jrbadhbewbss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\_ReCoVeRy_+dekxi.html	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\timeZones.js	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_ReCoVeRy_+dekxi.txt	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\_ReCoVeRy_+dekxi.png	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\_ReCoVeRy_+dekxi.txt	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\_ReCoVeRy_+dekxi.txt	jrbadhbewbss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_ReCoVeRy_+dekxi.png	jrbadhbewbss.exe

Drops file in Windows directory 2 IoCs

Processes:

8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\jrbadhbewbss.exe	8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exe
File opened for modification	C:\Windows\jrbadhbewbss.exe	8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000e19c2bd2f3b5b7e1c27782a96a6d5059f069ef2ab3971fd843b425c0e400ef35000000000e80000000020000200000004d1d4193b123c911dd03aaa296e244dff0fad060f7baa6029d18408470b1a1ef9000000052262c05b81d9a16855b2fb83b21e4925f7faa29cdd67d282c6f5163c8578e5ef4f311534a5778730cbbd9341fa37a3f7f84f8c17e12e9eafacdf09370d3b4b6ef9c3b43ab10e93a79eb377caccd24799dce67dc08feaafee8467a902b5d48b9f8c9fddd7746c9b97bedfd15148fabe9fa4b377f6c1aeabf00310521bbf13e79f485e1be7fdd8359ba81403019b66e0e40000000856e24fe97bb0c5c46706864298d14d1c153855a42916afbd5df549c51a1593834b009b258701d52894a348018308918b4ee9de19ecf98a418962abd0b370956	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423454456"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000ac79c61bfa2532b8bcc7d83a8732296154b46ea6d293db6594e2ccd09d7b0b1c000000000e8000000002000020000000373ac35a7775d0e705cbaeb18ed081d32b0058c45629d3f80fcb4c1b07b6a9982000000072cd841531a8baebaf8330deb7986381b9e637c2a4b0d6c4fff68af7574e0a2440000000a98072292fe3f447689866b4598ed0deb649818957f0cd0f188aa98ceff60bed11c2d970c49d2a46f23e38f9f9518275cbbac7f1639cd7fa30ad4be069ed8b62	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{72CD9B51-2081-11EF-A585-5A451966104F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30de49478eb4da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2024 NOTEPAD.EXE

pid	process
2024	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

jrbadhbewbss.exe

pid	process
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe
2572	jrbadhbewbss.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exejrbadhbewbss.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2392	8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exe
Token: SeDebugPrivilege	2572	jrbadhbewbss.exe
Token: SeIncreaseQuotaPrivilege	2492	WMIC.exe
Token: SeSecurityPrivilege	2492	WMIC.exe
Token: SeTakeOwnershipPrivilege	2492	WMIC.exe
Token: SeLoadDriverPrivilege	2492	WMIC.exe
Token: SeSystemProfilePrivilege	2492	WMIC.exe
Token: SeSystemtimePrivilege	2492	WMIC.exe
Token: SeProfSingleProcessPrivilege	2492	WMIC.exe
Token: SeIncBasePriorityPrivilege	2492	WMIC.exe
Token: SeCreatePagefilePrivilege	2492	WMIC.exe
Token: SeBackupPrivilege	2492	WMIC.exe
Token: SeRestorePrivilege	2492	WMIC.exe
Token: SeShutdownPrivilege	2492	WMIC.exe
Token: SeDebugPrivilege	2492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2492	WMIC.exe
Token: SeRemoteShutdownPrivilege	2492	WMIC.exe
Token: SeUndockPrivilege	2492	WMIC.exe
Token: SeManageVolumePrivilege	2492	WMIC.exe
Token: 33	2492	WMIC.exe
Token: 34	2492	WMIC.exe
Token: 35	2492	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2492	WMIC.exe
Token: SeSecurityPrivilege	2492	WMIC.exe
Token: SeTakeOwnershipPrivilege	2492	WMIC.exe
Token: SeLoadDriverPrivilege	2492	WMIC.exe
Token: SeSystemProfilePrivilege	2492	WMIC.exe
Token: SeSystemtimePrivilege	2492	WMIC.exe
Token: SeProfSingleProcessPrivilege	2492	WMIC.exe
Token: SeIncBasePriorityPrivilege	2492	WMIC.exe
Token: SeCreatePagefilePrivilege	2492	WMIC.exe
Token: SeBackupPrivilege	2492	WMIC.exe
Token: SeRestorePrivilege	2492	WMIC.exe
Token: SeShutdownPrivilege	2492	WMIC.exe
Token: SeDebugPrivilege	2492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2492	WMIC.exe
Token: SeRemoteShutdownPrivilege	2492	WMIC.exe
Token: SeUndockPrivilege	2492	WMIC.exe
Token: SeManageVolumePrivilege	2492	WMIC.exe
Token: 33	2492	WMIC.exe
Token: 34	2492	WMIC.exe
Token: 35	2492	WMIC.exe
Token: SeBackupPrivilege	2900	vssvc.exe
Token: SeRestorePrivilege	2900	vssvc.exe
Token: SeAuditPrivilege	2900	vssvc.exe
Token: SeIncreaseQuotaPrivilege	764	WMIC.exe
Token: SeSecurityPrivilege	764	WMIC.exe
Token: SeTakeOwnershipPrivilege	764	WMIC.exe
Token: SeLoadDriverPrivilege	764	WMIC.exe
Token: SeSystemProfilePrivilege	764	WMIC.exe
Token: SeSystemtimePrivilege	764	WMIC.exe
Token: SeProfSingleProcessPrivilege	764	WMIC.exe
Token: SeIncBasePriorityPrivilege	764	WMIC.exe
Token: SeCreatePagefilePrivilege	764	WMIC.exe
Token: SeBackupPrivilege	764	WMIC.exe
Token: SeRestorePrivilege	764	WMIC.exe
Token: SeShutdownPrivilege	764	WMIC.exe
Token: SeDebugPrivilege	764	WMIC.exe
Token: SeSystemEnvironmentPrivilege	764	WMIC.exe
Token: SeRemoteShutdownPrivilege	764	WMIC.exe
Token: SeUndockPrivilege	764	WMIC.exe
Token: SeManageVolumePrivilege	764	WMIC.exe
Token: 33	764	WMIC.exe
Token: 34	764	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

1688 iexplore.exe
2172 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1688 iexplore.exe
1688 iexplore.exe
1252 IEXPLORE.EXE
1252 IEXPLORE.EXE

pid	process
1688	iexplore.exe
2172	DllHost.exe

pid	process
1688	iexplore.exe
1688	iexplore.exe
1252	IEXPLORE.EXE
1252	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exejrbadhbewbss.exeiexplore.exe

description	pid	process	target process
PID 2392 wrote to memory of 2572	2392	8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exe	jrbadhbewbss.exe
PID 2392 wrote to memory of 2572	2392	8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exe	jrbadhbewbss.exe
PID 2392 wrote to memory of 2572	2392	8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exe	jrbadhbewbss.exe
PID 2392 wrote to memory of 2572	2392	8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exe	jrbadhbewbss.exe
PID 2392 wrote to memory of 2672	2392	8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exe	cmd.exe
PID 2392 wrote to memory of 2672	2392	8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exe	cmd.exe
PID 2392 wrote to memory of 2672	2392	8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exe	cmd.exe
PID 2392 wrote to memory of 2672	2392	8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exe	cmd.exe
PID 2572 wrote to memory of 2492	2572	jrbadhbewbss.exe	WMIC.exe
PID 2572 wrote to memory of 2492	2572	jrbadhbewbss.exe	WMIC.exe
PID 2572 wrote to memory of 2492	2572	jrbadhbewbss.exe	WMIC.exe
PID 2572 wrote to memory of 2492	2572	jrbadhbewbss.exe	WMIC.exe
PID 2572 wrote to memory of 2024	2572	jrbadhbewbss.exe	NOTEPAD.EXE
PID 2572 wrote to memory of 2024	2572	jrbadhbewbss.exe	NOTEPAD.EXE
PID 2572 wrote to memory of 2024	2572	jrbadhbewbss.exe	NOTEPAD.EXE
PID 2572 wrote to memory of 2024	2572	jrbadhbewbss.exe	NOTEPAD.EXE
PID 2572 wrote to memory of 1688	2572	jrbadhbewbss.exe	iexplore.exe
PID 2572 wrote to memory of 1688	2572	jrbadhbewbss.exe	iexplore.exe
PID 2572 wrote to memory of 1688	2572	jrbadhbewbss.exe	iexplore.exe
PID 2572 wrote to memory of 1688	2572	jrbadhbewbss.exe	iexplore.exe
PID 1688 wrote to memory of 1252	1688	iexplore.exe	IEXPLORE.EXE
PID 1688 wrote to memory of 1252	1688	iexplore.exe	IEXPLORE.EXE
PID 1688 wrote to memory of 1252	1688	iexplore.exe	IEXPLORE.EXE
PID 1688 wrote to memory of 1252	1688	iexplore.exe	IEXPLORE.EXE
PID 2572 wrote to memory of 764	2572	jrbadhbewbss.exe	WMIC.exe
PID 2572 wrote to memory of 764	2572	jrbadhbewbss.exe	WMIC.exe
PID 2572 wrote to memory of 764	2572	jrbadhbewbss.exe	WMIC.exe
PID 2572 wrote to memory of 764	2572	jrbadhbewbss.exe	WMIC.exe
PID 2572 wrote to memory of 2372	2572	jrbadhbewbss.exe	cmd.exe
PID 2572 wrote to memory of 2372	2572	jrbadhbewbss.exe	cmd.exe
PID 2572 wrote to memory of 2372	2572	jrbadhbewbss.exe	cmd.exe
PID 2572 wrote to memory of 2372	2572	jrbadhbewbss.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

jrbadhbewbss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	jrbadhbewbss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jrbadhbewbss.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8c7fc6b38e8f927f2a8e8888bbc3545c_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\jrbadhbewbss.exe
  C:\Windows\jrbadhbewbss.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2572
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2024
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1688 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1252
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:764
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\JRBADH~1.EXE
    3⤵
    PID:2372
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\8C7FC6~1.EXE
  2⤵
  - Deletes itself
  PID:2672

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+dekxi.html

Filesize
11KB

MD5
e31b245907fb47ae1bd4a5a7e68a86f1

SHA1
06c54c0d6af2944e1783c1a00ddb62a3dba01f35

SHA256
6666e9f0383d787c1c97c943393ca9469a605ab5482533748c0d7ccc7c96ed9b

SHA512
62e5e841ce8f83f78a9e427a6f8a0692b510ff45194cbe0294d2e55753d6ce1176c17601f4d74598a82731c6f55bd3fdc66a17cc973b2d03278587b89236bc06

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+dekxi.png

Filesize
65KB

MD5
b8ca661ce3af33e9867610504165f6a4

SHA1
192826388cff4954f8a31fac973479cdf89ef162

SHA256
1de2a3d6d1def900c0df03e9c23bac3be75f0c4dd2491639c8b6b88b4c443210

SHA512
6b851229ad46a55148d02364fd250ff4d67e0fac5f55f5aee1f99917e7ccdb0d65299abae42549856a7cdec9beccce3ae4d865ef6aa30d7b2c1e3df603ffd19a

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+dekxi.txt

Filesize
1KB

MD5
5f68687943129f6b22521b74b992e5a1

SHA1
454557213284d786e8c6175c29d64b9c8023d290

SHA256
106b8f254be57c1c78000f6f6287cb9f512191f6693a6702b3f19c813fdf2cdb

SHA512
a317b1d75fed8c9f4103e55a596af6283a5d6686141b8649574672cc57e980feb220f80a538036e27da0847c4a835a5c114f2a4f7ab3c6861906ad0c77fd0b22

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
5c9021e029d7018b6b146d96c3a6a4c1

SHA1
9240ab8a91566e07a25da983f25bdfc9dbe45f2a

SHA256
a78f1ebc52f94fb582d46b0004998034520d189814994d44de03f60a6b02ed3f

SHA512
ceeedf0420001effe4f1c216d648a6e42ca001fee4c28390e7d6548c7d62ba3a934cc1b65d5b79b1acb7aa5476920d491d7564b95f3f73efc92f7311ae19822c

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
a4673785701bc5538955863ed7714c76

SHA1
5630fd17b39a96e238f973c76d791763cdcf3b89

SHA256
c122fa84474e1eb34696447ba5472a930bbe289349e7ac754cdeb5cd80aa7846

SHA512
c4dc55768f1e898b44053b27d44f9d7ae1bef95dbaaa707cae7a5074bff2bb12151352428bf45a4149a68926cfc6042177030e8bfcdadbb25d09f3bff43c2a36

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
f2fb8ec5a4e3874facef48924ce8bcb3

SHA1
aa66ce035f90e265c40a4df65640a2138dffd296

SHA256
c703d970ee16f967071d1f86ba873cd048e4d59527ca276e39dddb6458a87806

SHA512
9d8915e02f9d15fc2993118c67625792d76df8858807cdb9762e8fd95686aca800560c026a7471256689051f4edcde3a6c32dd442d6402e0a1560e7d60c0a24e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee4dba88b4df2109a11c8d73a3c57b6a

SHA1
18680b90408669148fd430e267801a2b501291e9

SHA256
02794a229901f1e324d66edfb883a8875ea2febda3bcf41b1d262c067371e761

SHA512
5fd9d593d931bef7ba43de55858e6c9216c03b6278f41baa2983fda6a7f5d049ae1c4e22381bceea0d92b71048d46d2cc1504d38467a29ed81dfbd6684036a40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
353c6136b4e510a1d99e76619f4e8c55

SHA1
6a7888f742f09adb9d6e9671cd78739ca324bdff

SHA256
f464c97cbea9f856c71f3c8d70571bc4ebf63bf9a613ac1af31efe1c5629f122

SHA512
dc601a3f7f97240194435d7a961a1c43574926d58101d2edc6f384279438ea8f21f7916991a01a36e55f32192fbe69296566d5b0caf74c35638fe9b7b73449f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db816ee5c740e502acbb542a7be32dc7

SHA1
d5c7623cae4957828f3391953bbb14f9b52140fe

SHA256
d49fe1f2ed083d263ca4bc083737eca315e7c895a3b7232a41d1ec7c8a6c6c31

SHA512
11ec64ca778d1ec87a3c5319e65678f3b191d427941edbc886142f9559a24cfa8da8d3686c4ac93957c57b9b5bc5b7ceb7e608dc1a31d3a98d824b9249c34aa2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e5b6aeb22383366625ef85c44b8b275a

SHA1
ae7686faaac0e2b2d8c4b80880911561387aa0c5

SHA256
87aa7649955371d05dd5cd2c791cf734270eaa5f3ac7702fe4b8869c0df626cf

SHA512
0bfbd9b98cab5f08f3592ead2b0c32ac7546186e068ea695f841f57a8293bb46969fabaf5e50602ccc25872615daa2d97cd629a09a622a806b30dba3558c8bd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a503efd2e9930c995a24832fa68785b8

SHA1
8e0530e6d49a9663f7f12f21fd61885f1493d172

SHA256
008539d92c4a30b10d3336488bdc44b8d2af0ea5a2d69b47b93d67f8656510e3

SHA512
072fe8f05ee8500ce3d33bc2c5e38a409a2173806efe77bda6c3627dcd3ab8eb5eeb54b5797057816b15d1fb6ad8f528ff252527bb7874ad44c81d594e8db3f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74077b453753dbcdda0ff83bcc4ed674

SHA1
8254a8346d29fa865ce1b4fec79f3b28a1535f07

SHA256
b15bdb1cf06797f7752de9e621e67c6b733f4d9511a2d7ca90b5e577f86faada

SHA512
f13ed03fa60daab55e284fa1fbf771b6057d29a01ed307eea901b00afe97b573c699bd78fce7fe60abefba97972177932106afde08dfaf99024d8953cc01b4de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27b48a6a048fe45e089bd24bb426921d

SHA1
040ad9c92bdf677ed15ba3a1288c813930babe88

SHA256
1f8caaa9e1c4d70a2fd1a88ec0166914ced94bc51e3f2bf7e1ebd6480c063c40

SHA512
4c819c1ac0911183ea807769d96439e9e7ee0700836fe886879211f191aa4e9cbaf8fb000622f0cc17da8345e9517c0625dd9f33f33d6ffa0448ca9b52802d42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67a5f98bec6169dee4c488d1ba32d655

SHA1
8c56ee8b561821b4a7703cc2bf121881c076010d

SHA256
b258603f368e37f9611a82182182dc6009e3be48ae12751184249e1766240813

SHA512
5b9c90fb7ab2bbe663aa37d31d66042946611b79963c6a4eb423f40bea4f054f5505290e46945aee5ad60866d5078782aa46221630c53f9a7433a9a6db59635c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aff673085a232973fae0c56419405a5b

SHA1
8561b91ed14f83992e4c4c5ef023610a5a8f1ab0

SHA256
90832f49529757bc04224a5698c5b96588f347ffba87481b4195e99581c2f932

SHA512
c359e445fc2840690906dc2baa1d70bdb5a9a8a94ce9a8f2e8f149d5dec8e0261ab18474e7387b80bc80074d18ba2b0cb209fe7a4e4374edf8526f1eaf76d896

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3e695765c8fcc59ff4a4dd178ab8d80

SHA1
bbb0932f5b2ec527dd6d6d85d5e73fc23257ba66

SHA256
ed7a32324bf1733c401bf6d329e44173e571701218b7ce14c17d6cef594c1ce3

SHA512
672f964a95215171df7a6c8142b551c25ff78823876827f04393045a0166e7e8253b1236d6d3f571f3f6ec2434dd0a91677ab55a68df54276f340550b22ead25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72c62ef41bf4859b89c4ca2dbbc686f0

SHA1
d477ea54034da3771396e9fb3086dc8f8075e422

SHA256
c40cbb0f13f357d5c990f6950bde7203aade923542f51b4cd5f3c31687804e1b

SHA512
2aa3d97da6346f62fd55f609e3e6d351d0d31b1bd17a65b0a702a65ae2638b3e2388485a4d221bb7f07f290bb7111238a8920ffaf0a33a509cc46440314be544

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aabb7eecb32ab82295de0d8f0e8cc202

SHA1
ed6d318378a6826fad1a4b4a1f8f4c758f55218a

SHA256
c751960baa44299284e947e6106d92f731eaef7714a1ddff2c909e0476cbfa5d

SHA512
42550407e100b80b9a8553cfd0d973abe44d662f0bfaafcd921470483180590f5d692b1ea6838b1763d670164fe8bc1b79f5963cf56e7a0480c4c28100103f1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a38f99c33afe8b757c3b5ece73db38f4

SHA1
6e114afdeed0c8a96d4a160061d9e4e0075c6bca

SHA256
af9711e03304ec1607caef6e6f98573ff08b87f509e340de57eba72e8e17c4c9

SHA512
48b2c9ebf81c37bcd9d242e2cf0bf1fc2606fed6d01bf7e84ff498451aab03a7976c25248348a9977dcb6537fac199c9acfbcf7686073b6b3ce45ede197f8662

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9780aaf74d418f63d197906e977b1401

SHA1
604dee28c357926c63632ccbbf32ef7eb978aee2

SHA256
7fede1f970490a493c793e200ca1ed67a2bc648a14202e1a5c973d5d6a61f7ec

SHA512
0542cfa85d832e4f35522b3c64b9a299ec4ef920797f58205bf9351b33b85a0a7804ec24caa2ce8476505fde7ed6a840fc65da00e2784d97897ddd707d9b9819

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
654ac8a8f6265cba7b441c51559da5f4

SHA1
db5cc4a2a828198434c18701c0303fea8d9ea366

SHA256
4bc467f576f73cda204ce94054a4142d5708dd51f49a0e0c7690aae0cf4775ea

SHA512
29bf148607163965a162ab3bb615d2a1e957665fb1c0c8d9affc21423ec1402f0b29b452a01bc8886b6f70065b9cdca3be4244611a84d80f74c75d8f46a4bff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9A4E.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9B7F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\jrbadhbewbss.exe

Filesize
484KB

MD5
8c7fc6b38e8f927f2a8e8888bbc3545c

SHA1
b017d494790f3862a6851919f981e25dab8eebaa

SHA256
ddc22b54761307cf1af200cbbfdedc44bb76aa3d876155c6570b1729a7eaaa57

SHA512
7792e9b8029040eff7c7bb71cba4d938f7a6464276311adb5fd443ebbdafcb3533d7c120cfbab9ecd6b7e30762c37c5b3af1844f2b03db0cf6732a5dd02d0fad

Download Submit
memory/2172-6029-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2392-1-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2392-0-0x00000000002B0000-0x0000000000336000-memory.dmp

Filesize
536KB

Download
memory/2392-9-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2392-10-0x00000000002B0000-0x0000000000336000-memory.dmp

Filesize
536KB

Download
memory/2572-12-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2572-14-0x00000000004D0000-0x0000000000556000-memory.dmp

Filesize
536KB

Download
memory/2572-2030-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2572-6033-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2572-6032-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2572-6028-0x0000000002F60000-0x0000000002F62000-memory.dmp

Filesize
8KB

Download
memory/2572-4700-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download