teslacrypt | c1f58f6b35fba846df52983a880afa4aea441e19b446c753eff7da1a942c09ca

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-06-2024 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96c53da97c6cf0c79d278f0f69609ed6_JaffaCakes118.exe
Size

356KB
MD5

96c53da97c6cf0c79d278f0f69609ed6
SHA1

c57ae0b44b2feea3e4722c672e4d2c20aaa4d2de
SHA256

c1f58f6b35fba846df52983a880afa4aea441e19b446c753eff7da1a942c09ca
SHA512

08e04cecef4b1e4d6fc710115c1065de2d0e4ff358046ac5d00920a66814905af51f5859e4dbe92a7d2744fba092cb4addb96f349caaf608177de1766330bf44
SSDEEP

6144:rnuEzhHd/Opk3p1JWsjCLmwRHbN4mjc5SWH6NJBZwb9:rth9NJWsjDwR7NvjcSdNJBZw

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+runwx.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://yyre45dbvn2nhbefbmh.begumvelic.at/6BD7F62D35A8F850 2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/6BD7F62D35A8F850 3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/6BD7F62D35A8F850 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/6BD7F62D35A8F850 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://yyre45dbvn2nhbefbmh.begumvelic.at/6BD7F62D35A8F850 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/6BD7F62D35A8F850 http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/6BD7F62D35A8F850 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/6BD7F62D35A8F850

URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/6BD7F62D35A8F850

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/6BD7F62D35A8F850

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/6BD7F62D35A8F850

http://xlowfznrg4wf7dli.ONION/6BD7F62D35A8F850

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (373) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2496	cmd.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+runwx.png	qsyjejblvono.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+runwx.txt	qsyjejblvono.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+runwx.html	qsyjejblvono.exe

Executes dropped EXE 1 IoCs

pid	Process
2532	qsyjejblvono.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\mgoxfccsvgny = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\qsyjejblvono.exe\""	qsyjejblvono.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\_RECoVERY_+runwx.txt	qsyjejblvono.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\_RECoVERY_+runwx.html	qsyjejblvono.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	qsyjejblvono.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\_RECoVERY_+runwx.html	qsyjejblvono.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_notes-txt-background.png	qsyjejblvono.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_SelectionSubpicture.png	qsyjejblvono.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\_RECoVERY_+runwx.html	qsyjejblvono.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\settings.js	qsyjejblvono.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext.png	qsyjejblvono.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\_RECoVERY_+runwx.png	qsyjejblvono.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)greenStateIcon.png	qsyjejblvono.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\library.js	qsyjejblvono.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_SelectionSubpicture.png	qsyjejblvono.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\_RECoVERY_+runwx.png	qsyjejblvono.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.png	qsyjejblvono.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_SelectionSubpicture.png	qsyjejblvono.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_SelectionSubpicture.png	qsyjejblvono.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\_RECoVERY_+runwx.txt	qsyjejblvono.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	qsyjejblvono.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\_RECoVERY_+runwx.png	qsyjejblvono.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_RECoVERY_+runwx.html	qsyjejblvono.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-today.png	qsyjejblvono.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\settings.css	qsyjejblvono.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\_RECoVERY_+runwx.txt	qsyjejblvono.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_RECoVERY_+runwx.html	qsyjejblvono.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\_RECoVERY_+runwx.png	qsyjejblvono.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_RECoVERY_+runwx.txt	qsyjejblvono.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_rest.png	qsyjejblvono.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\_RECoVERY_+runwx.png	qsyjejblvono.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\en-US\_RECoVERY_+runwx.html	qsyjejblvono.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\_RECoVERY_+runwx.png	qsyjejblvono.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\_RECoVERY_+runwx.png	qsyjejblvono.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\_RECoVERY_+runwx.html	qsyjejblvono.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\_RECoVERY_+runwx.html	qsyjejblvono.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-static.png	qsyjejblvono.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\_RECoVERY_+runwx.txt	qsyjejblvono.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\es-ES\_RECoVERY_+runwx.png	qsyjejblvono.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\_RECoVERY_+runwx.png	qsyjejblvono.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\_RECoVERY_+runwx.txt	qsyjejblvono.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\settings.js	qsyjejblvono.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_RECoVERY_+runwx.txt	qsyjejblvono.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\_RECoVERY_+runwx.png	qsyjejblvono.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png	qsyjejblvono.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\_RECoVERY_+runwx.png	qsyjejblvono.exe
File opened for modification	C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt	qsyjejblvono.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\_RECoVERY_+runwx.html	qsyjejblvono.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\_RECoVERY_+runwx.txt	qsyjejblvono.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\add_over.png	qsyjejblvono.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\_RECoVERY_+runwx.png	qsyjejblvono.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\_RECoVERY_+runwx.txt	qsyjejblvono.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\_RECoVERY_+runwx.txt	qsyjejblvono.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\720x480icongraphic.png	qsyjejblvono.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\controllers.js	qsyjejblvono.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\_RECoVERY_+runwx.png	qsyjejblvono.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_RECoVERY_+runwx.png	qsyjejblvono.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\_RECoVERY_+runwx.txt	qsyjejblvono.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\clock.css	qsyjejblvono.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_RECoVERY_+runwx.txt	qsyjejblvono.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\_RECoVERY_+runwx.html	qsyjejblvono.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_RECoVERY_+runwx.txt	qsyjejblvono.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_mac.css	qsyjejblvono.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\_RECoVERY_+runwx.html	qsyjejblvono.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\_RECoVERY_+runwx.html	qsyjejblvono.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\_RECoVERY_+runwx.txt	qsyjejblvono.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\qsyjejblvono.exe	96c53da97c6cf0c79d278f0f69609ed6_JaffaCakes118.exe
File opened for modification	C:\Windows\qsyjejblvono.exe	96c53da97c6cf0c79d278f0f69609ed6_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0434ad4dfb6da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FF785F11-22D2-11EF-9F3E-D2EFD46A7D0E} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000022ff1bdbdb9aee4a9429001a78b789120000000002000000000010660000000100002000000035507975c47aa89b86949c444ba3c1a3d05e69f445064eb4f5d9cc0a030c7b7d000000000e800000000200002000000014a376ea265adcb88bd7d0ee6ee7d3f65b78b81b747078b86d4831fb5a0f62e120000000743cb50b02e80488b3c8bb6fa68bbc22ae93dd0ebf22a68277e7cab74cb191f840000000510c560e2361590f59af70cc9e5d14246ba4ed702171cd30292f6bb751c03c15469a01a36381521b21faa15af96493b45e7ccb959a6c8f2d99073ab5ccf29206	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000022ff1bdbdb9aee4a9429001a78b7891200000000020000000000106600000001000020000000f82d9f653462f42674f8b1e53bff52c386b55c1ba8dbb8f0ae54d94aa49865b6000000000e8000000002000020000000496d8378ad49c7e1b9a2c9e7eb87f35cc8c3d4971f2e59a4a501972321f5628c900000003b016abdcc9a718c1c75bdb23ccd264258709f899055d08959c77ebff064d1706317a636eacda7b1e0a90dd406dd8a65c8fb0feed8b63dae3997b32df62aeba798ec6b13f0d4aa118ef713d7361cdc2bb934bf659d9794b2c8955fcd3cc36c87e44df7eb209420384b1bdd77f454f81a30a5a5aa88d511bf509baa95561b1a36c841c4befd066a336544039ef95834c14000000006c5ba39e7b7c8b47c969603f21864d773c6eccaf7937d0be89e1c06b050dec7b60cc2e613aef0c9683395183501d537021bdd4dfb3da410b645b928655d8893	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1764	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe
2532	qsyjejblvono.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	96c53da97c6cf0c79d278f0f69609ed6_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	qsyjejblvono.exe
Token: SeIncreaseQuotaPrivilege	2624	WMIC.exe
Token: SeSecurityPrivilege	2624	WMIC.exe
Token: SeTakeOwnershipPrivilege	2624	WMIC.exe
Token: SeLoadDriverPrivilege	2624	WMIC.exe
Token: SeSystemProfilePrivilege	2624	WMIC.exe
Token: SeSystemtimePrivilege	2624	WMIC.exe
Token: SeProfSingleProcessPrivilege	2624	WMIC.exe
Token: SeIncBasePriorityPrivilege	2624	WMIC.exe
Token: SeCreatePagefilePrivilege	2624	WMIC.exe
Token: SeBackupPrivilege	2624	WMIC.exe
Token: SeRestorePrivilege	2624	WMIC.exe
Token: SeShutdownPrivilege	2624	WMIC.exe
Token: SeDebugPrivilege	2624	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2624	WMIC.exe
Token: SeRemoteShutdownPrivilege	2624	WMIC.exe
Token: SeUndockPrivilege	2624	WMIC.exe
Token: SeManageVolumePrivilege	2624	WMIC.exe
Token: 33	2624	WMIC.exe
Token: 34	2624	WMIC.exe
Token: 35	2624	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2624	WMIC.exe
Token: SeSecurityPrivilege	2624	WMIC.exe
Token: SeTakeOwnershipPrivilege	2624	WMIC.exe
Token: SeLoadDriverPrivilege	2624	WMIC.exe
Token: SeSystemProfilePrivilege	2624	WMIC.exe
Token: SeSystemtimePrivilege	2624	WMIC.exe
Token: SeProfSingleProcessPrivilege	2624	WMIC.exe
Token: SeIncBasePriorityPrivilege	2624	WMIC.exe
Token: SeCreatePagefilePrivilege	2624	WMIC.exe
Token: SeBackupPrivilege	2624	WMIC.exe
Token: SeRestorePrivilege	2624	WMIC.exe
Token: SeShutdownPrivilege	2624	WMIC.exe
Token: SeDebugPrivilege	2624	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2624	WMIC.exe
Token: SeRemoteShutdownPrivilege	2624	WMIC.exe
Token: SeUndockPrivilege	2624	WMIC.exe
Token: SeManageVolumePrivilege	2624	WMIC.exe
Token: 33	2624	WMIC.exe
Token: 34	2624	WMIC.exe
Token: 35	2624	WMIC.exe
Token: SeBackupPrivilege	2364	vssvc.exe
Token: SeRestorePrivilege	2364	vssvc.exe
Token: SeAuditPrivilege	2364	vssvc.exe
Token: SeIncreaseQuotaPrivilege	744	WMIC.exe
Token: SeSecurityPrivilege	744	WMIC.exe
Token: SeTakeOwnershipPrivilege	744	WMIC.exe
Token: SeLoadDriverPrivilege	744	WMIC.exe
Token: SeSystemProfilePrivilege	744	WMIC.exe
Token: SeSystemtimePrivilege	744	WMIC.exe
Token: SeProfSingleProcessPrivilege	744	WMIC.exe
Token: SeIncBasePriorityPrivilege	744	WMIC.exe
Token: SeCreatePagefilePrivilege	744	WMIC.exe
Token: SeBackupPrivilege	744	WMIC.exe
Token: SeRestorePrivilege	744	WMIC.exe
Token: SeShutdownPrivilege	744	WMIC.exe
Token: SeDebugPrivilege	744	WMIC.exe
Token: SeSystemEnvironmentPrivilege	744	WMIC.exe
Token: SeRemoteShutdownPrivilege	744	WMIC.exe
Token: SeUndockPrivilege	744	WMIC.exe
Token: SeManageVolumePrivilege	744	WMIC.exe
Token: 33	744	WMIC.exe
Token: 34	744	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2248	iexplore.exe
2676	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2248	iexplore.exe
2248	iexplore.exe
1308	IEXPLORE.EXE
1308	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2532	2212	96c53da97c6cf0c79d278f0f69609ed6_JaffaCakes118.exe	28
PID 2212 wrote to memory of 2532	2212	96c53da97c6cf0c79d278f0f69609ed6_JaffaCakes118.exe	28
PID 2212 wrote to memory of 2532	2212	96c53da97c6cf0c79d278f0f69609ed6_JaffaCakes118.exe	28
PID 2212 wrote to memory of 2532	2212	96c53da97c6cf0c79d278f0f69609ed6_JaffaCakes118.exe	28
PID 2212 wrote to memory of 2496	2212	96c53da97c6cf0c79d278f0f69609ed6_JaffaCakes118.exe	29
PID 2212 wrote to memory of 2496	2212	96c53da97c6cf0c79d278f0f69609ed6_JaffaCakes118.exe	29
PID 2212 wrote to memory of 2496	2212	96c53da97c6cf0c79d278f0f69609ed6_JaffaCakes118.exe	29
PID 2212 wrote to memory of 2496	2212	96c53da97c6cf0c79d278f0f69609ed6_JaffaCakes118.exe	29
PID 2532 wrote to memory of 2624	2532	qsyjejblvono.exe	31
PID 2532 wrote to memory of 2624	2532	qsyjejblvono.exe	31
PID 2532 wrote to memory of 2624	2532	qsyjejblvono.exe	31
PID 2532 wrote to memory of 2624	2532	qsyjejblvono.exe	31
PID 2532 wrote to memory of 1764	2532	qsyjejblvono.exe	40
PID 2532 wrote to memory of 1764	2532	qsyjejblvono.exe	40
PID 2532 wrote to memory of 1764	2532	qsyjejblvono.exe	40
PID 2532 wrote to memory of 1764	2532	qsyjejblvono.exe	40
PID 2532 wrote to memory of 2248	2532	qsyjejblvono.exe	41
PID 2532 wrote to memory of 2248	2532	qsyjejblvono.exe	41
PID 2532 wrote to memory of 2248	2532	qsyjejblvono.exe	41
PID 2532 wrote to memory of 2248	2532	qsyjejblvono.exe	41
PID 2248 wrote to memory of 1308	2248	iexplore.exe	43
PID 2248 wrote to memory of 1308	2248	iexplore.exe	43
PID 2248 wrote to memory of 1308	2248	iexplore.exe	43
PID 2248 wrote to memory of 1308	2248	iexplore.exe	43
PID 2532 wrote to memory of 744	2532	qsyjejblvono.exe	44
PID 2532 wrote to memory of 744	2532	qsyjejblvono.exe	44
PID 2532 wrote to memory of 744	2532	qsyjejblvono.exe	44
PID 2532 wrote to memory of 744	2532	qsyjejblvono.exe	44
PID 2532 wrote to memory of 1720	2532	qsyjejblvono.exe	48
PID 2532 wrote to memory of 1720	2532	qsyjejblvono.exe	48
PID 2532 wrote to memory of 1720	2532	qsyjejblvono.exe	48
PID 2532 wrote to memory of 1720	2532	qsyjejblvono.exe	48

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	qsyjejblvono.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	qsyjejblvono.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\96c53da97c6cf0c79d278f0f69609ed6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\96c53da97c6cf0c79d278f0f69609ed6_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\qsyjejblvono.exe
  C:\Windows\qsyjejblvono.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2532
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2624
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1764
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2248 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1308
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:744
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\QSYJEJ~1.EXE
    3⤵
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\96C53D~1.EXE
  2⤵
  - Deletes itself
  PID:2496

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+runwx.html

Filesize
11KB

MD5
41b0a1bfdb23901708e4b1bd71faa7c2

SHA1
2c8d1dcd9c2d5470a0210cabf4bf35d9da054c7d

SHA256
6aa5cea77f4cd85d91e609cdd45ebab37b3754feb8645d9f5b0035741fbceed3

SHA512
684b59ba9b2fa7e48eeb999f1c24bbac7e3fdf4ba63f583fe8c42d4d882fef95535ab140f88484050c8d7922b31b6af6f071e627c564369e23c602be3fcf39b7

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+runwx.png

Filesize
64KB

MD5
c33f305cbecc3a44eb067c2a9e002b51

SHA1
435285ccb5052f62109b6ae3c01905481d81e616

SHA256
5fa5243157be6ac4a732663d6c93706786b01d76f035f274aebab300553e00cb

SHA512
7f65c5bf2df05c3e024fd5712f92db95f8c63ddd1d6a6a3a08b77f6e28452b9633c7b54c61d60a006af3c3024138ed408f1c29c77163c4ea20f7f13a54c3bd22

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+runwx.txt

Filesize
1KB

MD5
d12a2a3d7f099748274a3eff786f1e57

SHA1
873720396d3c5303683aacd12135827ef33471c6

SHA256
4c2304ee1b708f258c2705ae91ff5881ac2e93a60314d4b67107f6622fb7053f

SHA512
d0eab52a46dbea59bee91f2822f087d038800dd7aeed7ad32f690144df3ab18e16e98ae35e9d1111a7a11e5fcffbcf8f6953345dd9a87a20d36ac56d1f9a339f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
cbaccae0e5b482bc91286c3da33959af

SHA1
d48e3d32604847ac51af8da1bfd6f251a71e6aff

SHA256
7c5addc28808251e62710df0380f0296811bd9bbd779bee68aec7767adeb874d

SHA512
dfa8fc4727b67c63eff7abd4b78a7d000d97fc337e08d791f42f0812455ffc72ed6f571128a3f1e96f99ad3804ec12e2123e2b774680ab4ecdb247de05cb9f3d

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
bed7dd53f4bff0ec9c97099ff29bc3ea

SHA1
97b36d17ef8f37cb60317ce6463fdd9c493e199f

SHA256
5186ccd05dfc05304df088a1f09e393e14fd25c42f40b95296d5b556ed1cb322

SHA512
b7696f55b7ebad35eedc096f186aef8c9ff3a9fb661a048d9760ce7ea31bedcfe938220400b6993addeecf8b9b24d4f71479259d65632dd1c54249e9952ba9a7

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
34377dbe0c32c79261933ec979754450

SHA1
ef9d51afb926afbe1afc7f5f562da980defb7037

SHA256
701ba9ceecc024e79a54fe4fed14afc36a8fe9446e5ec8cdd606738f430fe7ae

SHA512
a2b32e7b9ab8a5d3b2a2836d120c269ec6a3877e6dd7844a62c27d155a9724bfb267f3c546937bbb428c5a70a26ef7c36a6f59e49bd29554c17173e354c26e6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7824bfaecad0a5fb3af86ed4d321110

SHA1
83562c3acabef96070c07c88c7db9559e58b75cc

SHA256
67f9fb6f3b5d437b8dfb51130a9f0057d9eda69d201fc516af65b10a030fb80e

SHA512
a137e5ade810de1014d62c73b7bfc7b40f7bb133fd9e323115292be235744cdde44a543f304fb430a567d7a03585bd8ffe02e9fec17ec41efe0e0b1b845cb198

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6676ece72c6b5b2470500f431cd9f79e

SHA1
7f062ff3a1cb6e21506510e6f7b4e47d51893419

SHA256
865500139ed87178bcf19d9ad0941d0761dc2674c3849921f0ed2f999a75395a

SHA512
1b7e94b1284b2004902307364fc643ea8cd8ee56a4b9243e30d32ab9eaac8517cb47a9e05d743cd3a26e767a2c5ab5feff4d900283bab1a8fb6ac5391b101868

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a54bd2b1653ac24dbb8f91c5ff2239d5

SHA1
1405bfa549a3c19ae4a14ec286d5f6a8d5e73585

SHA256
d1753a813d7d9e86be2e44a3239dc0761e847798343c38444394594b7a5a00fe

SHA512
423852e96a27c4ad4855396dd2e89a142fcff05404f9d1c47db1d0f546bcbbc9bcca64160e046ecbd9a3b53130ef3cb921feacc34b62a077b7afa2dc32effb48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af76d083bcb757936c9ec81b9431c242

SHA1
f2d0ac3883cdc4dde3604e6d9b9ed78f3ea01d07

SHA256
f8df8fd4e9158288ecf01a7d659cffa238aa845383c74f2c5aa33e69de13f2d2

SHA512
f817eafcc64bc2e9817d5245a5b6daeb5a4868adeb0778e4a01d80ba762af6576a21cee5d1c30d843104f8bebdcb6cb94c38859687a137284f425e01d724a347

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b96ee3fb4285d0478297b9c8329412f

SHA1
6863bd2e0cdc7e2c19cc5ba6445edc37f51c61c6

SHA256
9ec0f857c455128ec49b5cd497d7598370a80cfd0acd7576da3e1cf2bb882c2f

SHA512
88ec512aac18761af60a7924b96d40d1b899c31f1d4149ca4d06aecd2c14690212c0b5f2dc2ca3d41e082d203d2a543d574a8358e0a64aabac9c36d9893f361c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ebb9e061d5b52c5be52b1d249e1a9d0

SHA1
3a26234cf205f572ae0b9e42e1be5db7e3e22161

SHA256
0804d46d0176f0d4e0cdc42575bcba570952dc04d405d7838cab4bdca5bbd516

SHA512
13e5e421076d0c4f14fbe1c9874fb0cf769a91870e4aad3e82ceda0115d7269e32f49bcece8d819f988e1d0d3ab48b239970301ab00fc706c17064974d03a76c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
972db55db9f773db84e2198e97a6edd5

SHA1
b2814879035c7ae54e13477601655959bb0f9397

SHA256
f8417a757490f0bf0098bb55d554e3e29916c67117346f354f7e2e3e09d12de9

SHA512
467c5a02e7e03bf1874ba1dc97c091a394d584b06b441545e389e1fd89ddd2f3aca4fb66cd62fdecfdaa8433dd813df2d0e4d5e7eb6e7865fa3b88e428952ed2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa3c7228d5e23c04da34844273880c7e

SHA1
b9bcf312f6d3a9f017cf0a1fdd4a2f82a5b960f1

SHA256
065d2a483d1e3b34826a71306ae9d7601e463c50dd56c012e516084edb522d77

SHA512
ea13d514f05824c8d18c282fba79eb93a952134f29f62880ab6c0556d6b25a59c602527430c0dbc95d4c722810df5ad2c523f42af6c331a67b7e4188ffdd382e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09df5fcd5a73b899312aea4a27b2e55f

SHA1
fe1d343faf0251d8559a0be5616c4a0178c95073

SHA256
d5358a43ab7f5e79920cfaf02b7b88b8195bd432d56373f7fc7716cee4973e41

SHA512
a9965d31c9828443e3f97e1c4d3fcfa07ea0af24ee4335b676d9886205f987d79889fef382caeb333ea4acfba9e175f2de654d790a4dd0431aba39a5e44d02fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab199.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar44F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\qsyjejblvono.exe

Filesize
356KB

MD5
96c53da97c6cf0c79d278f0f69609ed6

SHA1
c57ae0b44b2feea3e4722c672e4d2c20aaa4d2de

SHA256
c1f58f6b35fba846df52983a880afa4aea441e19b446c753eff7da1a942c09ca

SHA512
08e04cecef4b1e4d6fc710115c1065de2d0e4ff358046ac5d00920a66814905af51f5859e4dbe92a7d2744fba092cb4addb96f349caaf608177de1766330bf44

Download Submit
memory/2212-0-0x0000000000340000-0x00000000003C6000-memory.dmp

Filesize
536KB

Download
memory/2212-2-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2212-12-0x0000000000340000-0x00000000003C6000-memory.dmp

Filesize
536KB

Download
memory/2212-11-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2532-821-0x0000000000370000-0x00000000003F6000-memory.dmp

Filesize
536KB

Download
memory/2532-5794-0x0000000002BA0000-0x0000000002BA2000-memory.dmp

Filesize
8KB

Download
memory/2532-2254-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2532-1438-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2532-6283-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2532-3443-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2532-729-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2532-381-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2532-14-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2532-13-0x0000000000370000-0x00000000003F6000-memory.dmp

Filesize
536KB

Download
memory/2532-5798-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2532-5409-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2532-4757-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2532-4113-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2676-5795-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download