teslacrypt | 83fc7a43626bd2e0debf6a0ab1dc35d04c8b26fab084d314f1c6939f9ca8b9fc

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14-06-2024 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa44fbdee8fa7bb5daa2a4338652781c_JaffaCakes118.exe
Size

370KB
MD5

aa44fbdee8fa7bb5daa2a4338652781c
SHA1

863fd6a1e39c7b693e9a36808138911543f37ec7
SHA256

83fc7a43626bd2e0debf6a0ab1dc35d04c8b26fab084d314f1c6939f9ca8b9fc
SHA512

064435362aeee131b3f439b575977e5fa8cfa0ec48fd7baf0d88864b84f9df627384327d83e55fbe3db99b3619d146d0ef0cd106918d22ea30de9159b54f6287
SSDEEP

6144:KsW2f6WOZEeAOHojxaiToxfOCS2P81Gl/bvMsY0f5qFKrS:Ks1uZEeNMvstVVkXef5qFKW

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+qtwib.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/76788437F76983 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/76788437F76983 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/76788437F76983 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/76788437F76983 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/76788437F76983 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/76788437F76983 http://yyre45dbvn2nhbefbmh.begumvelic.at/76788437F76983 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/76788437F76983

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/76788437F76983

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/76788437F76983

http://yyre45dbvn2nhbefbmh.begumvelic.at/76788437F76983

http://xlowfznrg4wf7dli.ONION/76788437F76983

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (433) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2476 cmd.exe

pid	process
2476	cmd.exe

Drops startup file 3 IoCs

Processes:

ogqqphkbkwqf.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+qtwib.png	ogqqphkbkwqf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+qtwib.txt	ogqqphkbkwqf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+qtwib.html	ogqqphkbkwqf.exe

Executes dropped EXE 1 IoCs

Processes:

ogqqphkbkwqf.exe

pid process

3028 ogqqphkbkwqf.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ogqqphkbkwqf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\eumaijd = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\ogqqphkbkwqf.exe"	ogqqphkbkwqf.exe

Drops file in Program Files directory 64 IoCs

Processes:

ogqqphkbkwqf.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\_ReCoVeRy_+qtwib.html	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\_ReCoVeRy_+qtwib.txt	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\_ReCoVeRy_+qtwib.txt	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\az\_ReCoVeRy_+qtwib.html	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\_ReCoVeRy_+qtwib.txt	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Mozilla Firefox\_ReCoVeRy_+qtwib.png	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\_ReCoVeRy_+qtwib.png	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\_ReCoVeRy_+qtwib.html	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\_ReCoVeRy_+qtwib.png	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\_ReCoVeRy_+qtwib.txt	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_RGB_PAL.wmv	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\_ReCoVeRy_+qtwib.txt	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\_ReCoVeRy_+qtwib.png	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_ReCoVeRy_+qtwib.html	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Internet Explorer\_ReCoVeRy_+qtwib.txt	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\_ReCoVeRy_+qtwib.png	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\_ReCoVeRy_+qtwib.txt	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_s.png	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-image-inset.png	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Google\Chrome\_ReCoVeRy_+qtwib.html	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\_ReCoVeRy_+qtwib.html	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_ReCoVeRy_+qtwib.html	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)alertIcon.png	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\_ReCoVeRy_+qtwib.png	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\_ReCoVeRy_+qtwib.txt	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\_ReCoVeRy_+qtwib.html	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\_ReCoVeRy_+qtwib.txt	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\VERSION.txt	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern.png	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_ReCoVeRy_+qtwib.png	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\_ReCoVeRy_+qtwib.txt	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\travel.png	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\af.pak	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\_ReCoVeRy_+qtwib.txt	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\es-ES\_ReCoVeRy_+qtwib.html	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\_ReCoVeRy_+qtwib.txt	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_ReCoVeRy_+qtwib.png	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\glass.png	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\_ReCoVeRy_+qtwib.html	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\_ReCoVeRy_+qtwib.png	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\_ReCoVeRy_+qtwib.png	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_s.png	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\_ReCoVeRy_+qtwib.txt	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Windows Mail\ja-JP\_ReCoVeRy_+qtwib.html	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\_ReCoVeRy_+qtwib.txt	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\icon.png	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_MCELogo_mouseover.png	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\_ReCoVeRy_+qtwib.html	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-overlay.png	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\_ReCoVeRy_+qtwib.html	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_ReCoVeRy_+qtwib.txt	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\drag.png	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_over.png	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\_ReCoVeRy_+qtwib.png	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\_ReCoVeRy_+qtwib.txt	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\_ReCoVeRy_+qtwib.html	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\_ReCoVeRy_+qtwib.html	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\videowall.png	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\_ReCoVeRy_+qtwib.html	ogqqphkbkwqf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\_ReCoVeRy_+qtwib.txt	ogqqphkbkwqf.exe

Drops file in Windows directory 2 IoCs

Processes:

aa44fbdee8fa7bb5daa2a4338652781c_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\ogqqphkbkwqf.exe	aa44fbdee8fa7bb5daa2a4338652781c_JaffaCakes118.exe
File opened for modification	C:\Windows\ogqqphkbkwqf.exe	aa44fbdee8fa7bb5daa2a4338652781c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0042ea786abeda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a1856f12af16004ea09f99b0f191d05f00000000020000000000106600000001000020000000cc5f857fcaf44bbf5f96aac46bfcd3b2fa9bbd320e5020f0d7874cef52b24a8d000000000e80000000020000200000004b9d2cccd4d7820fd1662a834cda5bf801a23f560b7b7d6a2393829242ee633c900000007210bbe3fb93bcc8f9fc4291530448aa653728171f1a6923c6e34a6057d7174eea314bf9fb3e71f87fac76153f40297455e96ab7509866c0c1949232b5ebc23a75081794f36c31cdc3c33426350f549629daf2999e6e9c34597cd165fdffbda55f555736a040af0efcf938c6857c11d443d7985446b730ea537983c4ffdfe2c150b50dc2a0ca6e15c6e3167b6fba6c744000000052c7e60fb4bcaf1fecb447055d0c508009a9d03cf657343be6077239d93fa688ce2dbc78fb70c46670aaa557cb5528c91e1cf52d075478db2454c5181aa0f548	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424538582"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a1856f12af16004ea09f99b0f191d05f000000000200000000001066000000010000200000001b0fd2e8ef3fda210fc08621072c4a78594cf2368f6df0909959a8acb669e2cc000000000e8000000002000020000000dddefce2be263bc6e4ac2e410df233a16075afab10292e2aaa7dcc3ad59c284220000000b4d689d7119af3db807dc9035c4220759a0af9f3d3fe2699eb2fe734f9b7d850400000000758dcd1576c2d60bac6ca66acaa0a578575712346bd0fce417bc656093939402b6348ca169c0dd9803546c750e235416385aaea3d84551ff097e898e07ab6a1	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A47C4F31-2A5D-11EF-B4B5-5E73522EB9B5} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2644 NOTEPAD.EXE

pid	process
2644	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ogqqphkbkwqf.exe

pid	process
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe
3028	ogqqphkbkwqf.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

aa44fbdee8fa7bb5daa2a4338652781c_JaffaCakes118.exeogqqphkbkwqf.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2916	aa44fbdee8fa7bb5daa2a4338652781c_JaffaCakes118.exe
Token: SeDebugPrivilege	3028	ogqqphkbkwqf.exe
Token: SeIncreaseQuotaPrivilege	2516	WMIC.exe
Token: SeSecurityPrivilege	2516	WMIC.exe
Token: SeTakeOwnershipPrivilege	2516	WMIC.exe
Token: SeLoadDriverPrivilege	2516	WMIC.exe
Token: SeSystemProfilePrivilege	2516	WMIC.exe
Token: SeSystemtimePrivilege	2516	WMIC.exe
Token: SeProfSingleProcessPrivilege	2516	WMIC.exe
Token: SeIncBasePriorityPrivilege	2516	WMIC.exe
Token: SeCreatePagefilePrivilege	2516	WMIC.exe
Token: SeBackupPrivilege	2516	WMIC.exe
Token: SeRestorePrivilege	2516	WMIC.exe
Token: SeShutdownPrivilege	2516	WMIC.exe
Token: SeDebugPrivilege	2516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2516	WMIC.exe
Token: SeRemoteShutdownPrivilege	2516	WMIC.exe
Token: SeUndockPrivilege	2516	WMIC.exe
Token: SeManageVolumePrivilege	2516	WMIC.exe
Token: 33	2516	WMIC.exe
Token: 34	2516	WMIC.exe
Token: 35	2516	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2516	WMIC.exe
Token: SeSecurityPrivilege	2516	WMIC.exe
Token: SeTakeOwnershipPrivilege	2516	WMIC.exe
Token: SeLoadDriverPrivilege	2516	WMIC.exe
Token: SeSystemProfilePrivilege	2516	WMIC.exe
Token: SeSystemtimePrivilege	2516	WMIC.exe
Token: SeProfSingleProcessPrivilege	2516	WMIC.exe
Token: SeIncBasePriorityPrivilege	2516	WMIC.exe
Token: SeCreatePagefilePrivilege	2516	WMIC.exe
Token: SeBackupPrivilege	2516	WMIC.exe
Token: SeRestorePrivilege	2516	WMIC.exe
Token: SeShutdownPrivilege	2516	WMIC.exe
Token: SeDebugPrivilege	2516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2516	WMIC.exe
Token: SeRemoteShutdownPrivilege	2516	WMIC.exe
Token: SeUndockPrivilege	2516	WMIC.exe
Token: SeManageVolumePrivilege	2516	WMIC.exe
Token: 33	2516	WMIC.exe
Token: 34	2516	WMIC.exe
Token: 35	2516	WMIC.exe
Token: SeBackupPrivilege	2504	vssvc.exe
Token: SeRestorePrivilege	2504	vssvc.exe
Token: SeAuditPrivilege	2504	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1484	WMIC.exe
Token: SeSecurityPrivilege	1484	WMIC.exe
Token: SeTakeOwnershipPrivilege	1484	WMIC.exe
Token: SeLoadDriverPrivilege	1484	WMIC.exe
Token: SeSystemProfilePrivilege	1484	WMIC.exe
Token: SeSystemtimePrivilege	1484	WMIC.exe
Token: SeProfSingleProcessPrivilege	1484	WMIC.exe
Token: SeIncBasePriorityPrivilege	1484	WMIC.exe
Token: SeCreatePagefilePrivilege	1484	WMIC.exe
Token: SeBackupPrivilege	1484	WMIC.exe
Token: SeRestorePrivilege	1484	WMIC.exe
Token: SeShutdownPrivilege	1484	WMIC.exe
Token: SeDebugPrivilege	1484	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1484	WMIC.exe
Token: SeRemoteShutdownPrivilege	1484	WMIC.exe
Token: SeUndockPrivilege	1484	WMIC.exe
Token: SeManageVolumePrivilege	1484	WMIC.exe
Token: 33	1484	WMIC.exe
Token: 34	1484	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

2412 iexplore.exe
1452 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2412 iexplore.exe
2412 iexplore.exe
1512 IEXPLORE.EXE
1512 IEXPLORE.EXE

pid	process
2412	iexplore.exe
1452	DllHost.exe

pid	process
2412	iexplore.exe
2412	iexplore.exe
1512	IEXPLORE.EXE
1512	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

aa44fbdee8fa7bb5daa2a4338652781c_JaffaCakes118.exeogqqphkbkwqf.exeiexplore.exe

description	pid	process	target process
PID 2916 wrote to memory of 3028	2916	aa44fbdee8fa7bb5daa2a4338652781c_JaffaCakes118.exe	ogqqphkbkwqf.exe
PID 2916 wrote to memory of 3028	2916	aa44fbdee8fa7bb5daa2a4338652781c_JaffaCakes118.exe	ogqqphkbkwqf.exe
PID 2916 wrote to memory of 3028	2916	aa44fbdee8fa7bb5daa2a4338652781c_JaffaCakes118.exe	ogqqphkbkwqf.exe
PID 2916 wrote to memory of 3028	2916	aa44fbdee8fa7bb5daa2a4338652781c_JaffaCakes118.exe	ogqqphkbkwqf.exe
PID 2916 wrote to memory of 2476	2916	aa44fbdee8fa7bb5daa2a4338652781c_JaffaCakes118.exe	cmd.exe
PID 2916 wrote to memory of 2476	2916	aa44fbdee8fa7bb5daa2a4338652781c_JaffaCakes118.exe	cmd.exe
PID 2916 wrote to memory of 2476	2916	aa44fbdee8fa7bb5daa2a4338652781c_JaffaCakes118.exe	cmd.exe
PID 2916 wrote to memory of 2476	2916	aa44fbdee8fa7bb5daa2a4338652781c_JaffaCakes118.exe	cmd.exe
PID 3028 wrote to memory of 2516	3028	ogqqphkbkwqf.exe	WMIC.exe
PID 3028 wrote to memory of 2516	3028	ogqqphkbkwqf.exe	WMIC.exe
PID 3028 wrote to memory of 2516	3028	ogqqphkbkwqf.exe	WMIC.exe
PID 3028 wrote to memory of 2516	3028	ogqqphkbkwqf.exe	WMIC.exe
PID 3028 wrote to memory of 2644	3028	ogqqphkbkwqf.exe	NOTEPAD.EXE
PID 3028 wrote to memory of 2644	3028	ogqqphkbkwqf.exe	NOTEPAD.EXE
PID 3028 wrote to memory of 2644	3028	ogqqphkbkwqf.exe	NOTEPAD.EXE
PID 3028 wrote to memory of 2644	3028	ogqqphkbkwqf.exe	NOTEPAD.EXE
PID 3028 wrote to memory of 2412	3028	ogqqphkbkwqf.exe	iexplore.exe
PID 3028 wrote to memory of 2412	3028	ogqqphkbkwqf.exe	iexplore.exe
PID 3028 wrote to memory of 2412	3028	ogqqphkbkwqf.exe	iexplore.exe
PID 3028 wrote to memory of 2412	3028	ogqqphkbkwqf.exe	iexplore.exe
PID 2412 wrote to memory of 1512	2412	iexplore.exe	IEXPLORE.EXE
PID 2412 wrote to memory of 1512	2412	iexplore.exe	IEXPLORE.EXE
PID 2412 wrote to memory of 1512	2412	iexplore.exe	IEXPLORE.EXE
PID 2412 wrote to memory of 1512	2412	iexplore.exe	IEXPLORE.EXE
PID 3028 wrote to memory of 1484	3028	ogqqphkbkwqf.exe	WMIC.exe
PID 3028 wrote to memory of 1484	3028	ogqqphkbkwqf.exe	WMIC.exe
PID 3028 wrote to memory of 1484	3028	ogqqphkbkwqf.exe	WMIC.exe
PID 3028 wrote to memory of 1484	3028	ogqqphkbkwqf.exe	WMIC.exe
PID 3028 wrote to memory of 2388	3028	ogqqphkbkwqf.exe	cmd.exe
PID 3028 wrote to memory of 2388	3028	ogqqphkbkwqf.exe	cmd.exe
PID 3028 wrote to memory of 2388	3028	ogqqphkbkwqf.exe	cmd.exe
PID 3028 wrote to memory of 2388	3028	ogqqphkbkwqf.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

ogqqphkbkwqf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ogqqphkbkwqf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	ogqqphkbkwqf.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\aa44fbdee8fa7bb5daa2a4338652781c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aa44fbdee8fa7bb5daa2a4338652781c_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\ogqqphkbkwqf.exe
  C:\Windows\ogqqphkbkwqf.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3028
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2516
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2644
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2412 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1512
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\OGQQPH~1.EXE
    3⤵
    PID:2388
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\AA44FB~1.EXE
  2⤵
  - Deletes itself
  PID:2476

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+qtwib.html

Filesize
12KB

MD5
7f6fc5ed8f9c8e428eac63b844914f4b

SHA1
6595dcd70d2aad71e590bc77202d13ce8063dc0c

SHA256
48f7061b1263f114ea08d957d36c51b5fc64f2d116d344a09e113dc8abb9758f

SHA512
a1dd2a17572768362310085f610b948e31993960b45e75b90a72eceb38ad59a28edf26f08877ca3b01a7752bc7be3a27f6ebe0cf994675d4eb64af1196b65c5e

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+qtwib.png

Filesize
63KB

MD5
8121e43c310758db30adb47d00f10f31

SHA1
919ab1dd0319f66aea41cf2ce571ee0a2b90b50f

SHA256
7e155d36e18640f72adcabff3b0c7dca60f2bcc38dc8340de2c6eebd58e2390e

SHA512
192255c76d284c71483bf4b01986a7b51b918365d218778050de20e3893272f4d0909b9d207d0fd8dd48978fef08655d23173cd32aa7c12c0544b5c09817cbdb

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+qtwib.txt

Filesize
1KB

MD5
a3c76e6ea52d89437f9c4a135401c9a8

SHA1
c8fccd7489ee3e12948e721adeb743a4ab2424f8

SHA256
98ec3ab0099bfc6e0ffda53f2fd699ed39fffce68fa90235f4e68436973d23d0

SHA512
9443bf757fe4b6ee200615ab9a001c80a67c98b5da8f8807aecc7f29b74fc43d68f0851890de5cc3d5e5910d3926b1d70f3d9b47faaeb2b5adda676f781aa884

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
7835882a4a5989281b39aba6e51f51d4

SHA1
2301f5844961cfd3bfc2c6dcbb1bfc057118490e

SHA256
2d3f650a6699ba34c24c4b1d84f263ac2e240564148bbfb6cc0ba26fc72ddc82

SHA512
7f19830bfd60f89bd3e2e924d27bf14c4955f2f3615c082af91598d587ee014c3a5254b4505c2d57aea1cdee075d588bb2d7dcefa541207b2fbfb2ecb34ed3e4

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
67c6a77c9e7900f3dd6ef03a3067c394

SHA1
db674d3d935e61c3f8ce9d4baf99d8656cc9afa2

SHA256
2e975e4ed822970097057c1bd262c9e9015d272747346990d7eb31b316fc62e3

SHA512
f8a5108788ab19a2dac0ac40f98601813406042b78e766fc1321aebed751f4fe31a42883460e30265f29785b684667d92a5354a1dcbf9ef1e5fea1022eccd29f

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
4fcb74015248f2aec59b70b5f087e961

SHA1
792b0300c911bed4334336e8bd35f4d83571105f

SHA256
2e08219d11e9a12df05e06e41ab191e2d3c0d4f80a4364471736f4a4586cdbc5

SHA512
30b9efff5212e0a2bf99c02e2be82a3495baea9be084eaceccd388d4f1946f11e3424758306edb58c806826c02404af9882bd7ff7f34735c837f83f38fd19267

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e15cbd93191c8ca599373e9b693d705

SHA1
c0bda5a6242f16402ecb159a0b1b202dfc813d6e

SHA256
ecf9c4a8db55eabdd3a98f966728e0fe246f4e4de3eda6bbcced70974f0daab3

SHA512
a3cf662d6c0eb9ae3c0c754a0cc2c759b5a7ff3af5dbb0f8f77d29f6ecc0e3f84bb092626c45db0f70eb06588954c774e292e99296d9f8e8fcbe7a01916f89c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d399d5600c0fb9791331e5a8beb333c

SHA1
a6722df57b9c826acea4e5fcb3d90bd3151051cb

SHA256
144d9720deacf53f3b61631376cad7a0ec6e5c40936e097d633d3caba9454ebb

SHA512
327c02ce86b95f13d7099852b2bf6749e5db35c5fb81da0df0c1ad9175dd1cea4bd7226204ff600b9055e6eeb265a8070651965044efcd4d6f7455097a52329a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4038c4780aff5d552faf4517f69e3a9e

SHA1
82f683f2c9533b050b7c92d8055c99598c5a0174

SHA256
0612e1e5f5eaa02a4238d65f0f8de4c2273a91f70927237b8811b23ba0d5cb93

SHA512
ee43c147c2d6c004a45046aef1adfe1bf68dcdd49d4ada607040f2512a06cb8519bf592763a07059497f58be58e88ec5e60575b1fa51de5801c45ed87c160fe1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e484f06d081ebb80aedae5150576ac51

SHA1
b8e1ec3e1e0a96f1bb0e8cec344463a09b76cef4

SHA256
42b54d3e0115d375dddab89254278bca4330200c735656e97627c66a2d84d716

SHA512
d7624dbc182cff836ab28d9c4e6f9ed85e953904ef85100d590cf00f42f24b0d51a220a23173124808390be88f78052115d5a2580482bc9340ceaa495554d196

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79271a40d1ef7b76064065edc05852da

SHA1
a98c3e00921678378b55b4e5a9b4c796c4c4ed61

SHA256
532f4be1daadb0654061257512d1f5ef7c6c5cc2ed1b8ee788e28a55a249e447

SHA512
407b0940d8c5b21e024615af839a7596e19b34f489a8f509d549dbcfe6ef74c1a96eb156e408fa269c01d81bc67705f3736737e8e10f201147e23cc10973e2ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f18f18f46897c778ab70e738bb73b369

SHA1
f2ebf689eabf62e25d5fb821e2067eec488d8e4a

SHA256
e0c625cf2e8f456a088c3466dea6396057e9b76041c14f54267f54389995986a

SHA512
da28187623ed518082c0dc67dd425d60030dfc84c9a9fade55fbfaa6c673c16a1cdbf45171322fecaeed997710d4268790b4ce0af172bf7d80490d771d939a3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9f7b2a31485da8a1e09727d4fadfb7a

SHA1
efb72d3a17bfb57c9bfe57ecd30c2f480c3cbb73

SHA256
0e8854a18a261b81f2c17ca9b5904b8e938b138b1500546ad39257ba615687cf

SHA512
302bfec85619f5fd53b558bdeae9e40eb5eddc1ad68e7ee2c73ce74f9e41817ea70a2edf81ad8b97aa5e9a7d9598f6c7d93b3147f698881cc6a36c5183667c84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d181a69385f115beec2fef170d21ea1b

SHA1
743b2579b7e57748da22365a1b732eff50c1c4df

SHA256
e8c66acc497bf3a034f9d02da9a40a340d7ff0c60455ce26cbaf0159dae9e31b

SHA512
618c297dd05d6d1f065de7ca6c2201f1d7a13eca2d2a6d9fa515305a2b3abe85ce384d51db2fe87acc90373ba70aa24228a5e4d7bf6c304cf10fd55d820e3830

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32772f1cf2be254a3bb7a694077d7a4e

SHA1
fd5edcc9003658b5adf1b0447d77bd24a6c954d9

SHA256
8ac4cdc80b8c003b71da0aa3122bb6f4bfbfcf0ece2301acb6f7093e42b6f615

SHA512
238f3ec6e2964602c3400e81b78ee0be8e42c6c9046dcbe254da81279c9c1b09fa35aae9f39fd7c11a1b9c1441aa9da625188ecba079e3027599ad644b5676b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb7d750374a86ebbc13e97edbca040e1

SHA1
29c688471fcd1461d571f07aa8ccde8945a7a69a

SHA256
d0f85434289b7946551535be76dbd4c64abd3a4f211d4a56cebc859c903eded1

SHA512
8f7fa7c7d6041ce2727ce5cdba95cf191affdde9cf546ffa7d350e63c72d22ac625c35c39c230add2880326b9d1d96188f7269df0696ab1550eaa1bc41a8dda5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa4f8d205d8a00265daf095312b2fa80

SHA1
732b1badb1a85301e7bb172ef71b51c23d4f5d4e

SHA256
525a3674c839ff2d19ceee104fdccd8358a38a438cd36dee4e56e37dd9e1b53d

SHA512
b2ffc0bf0e21ace9a9e6330853e9529d6037322223e13655d2dfdb3c943898f45a504dc4a7eff2106f0454c8ce5b4e020bb96f251b44198f099117e445510eae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e2ea0784edc70710ea28c2e47ca57e7

SHA1
f58a5aac7a80b3dd7396d78743367bd9a87baf3d

SHA256
b2f7a565372491d809ecb3f5a03dc18c5bc35b8e944c3170ee605802ad55f9ac

SHA512
225afdd1f93a3a741c091327037498f1fc5d4539f4b560acdf51e578224feb1ae38b72071c9e1d460e1eb7ee67714d6bdbe97b698ea96d6ccce4bf698e7a1dd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cab72fc688d62ea0660fa347d9eb61f8

SHA1
1652fd9054194415ce0df6a63bae2dada1b094f9

SHA256
e42ca05ee7c6016750a5ce5fec3eff20f5bfcf9883c3488562b3e911d3da664a

SHA512
839c20461e262eddc1bf8fb9b61a7d27694dc1fdc1ba937e692c5fffffd6a6740877114033dfd5481a34f351af8561578b332bb19a5575378b48fd3945b7670f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73af8f93cd0bea086b8ed5312765ce1a

SHA1
288343bf2166ef6504ea556f142912d43efd4672

SHA256
713c1bebe5adc86f2f6a6ffcf3f0e242cdcae276bda2a6e1801067303cd4c85c

SHA512
566b1c72ef688d888dbe5e671f82e4dedf8f09948c796558b18cc8125ece361993e5907f0c05624ea277238dc2a7dae99e3690c7d3f46b36aa7a3321e28d2aca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf0595aea2f0287189ed6f69a2a25b2c

SHA1
145de5a782846a5e44d6f201f5f752376805898f

SHA256
f5e5daf2019191e87ca5f91be47f21333bf82a2bab3c8cc56a2491e42ba9268d

SHA512
fa14352286f39e461a41ff18174dbc63505d0d59e63410a61db3cbcbd40b8073fa7dfccf2484b2bde9b7eb124f366d1e91bf2e6ab00400edd741915f5fad7082

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f9d685858de7dd62fe514812ee58056

SHA1
73d0b660142a236bbf2d9d2fb2090a16d059e066

SHA256
5c05e986d7eb3c623985fbb77ecbe6098dc931952caacd19ebe0d5184dbd3f0a

SHA512
fb6de9788ced34ae4c0e227b63265029065342bf1233cdc7886ab684314a5c66ec45d2d2393bd587d72aaed7714953e1904258c2162eae810295563383bfe6d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d3625845d6a8863d4e5ff044392c89b

SHA1
fdc1728f2dd7be6db11aa51a92ac7a3c19bb21ce

SHA256
9f1a54c3a15a48ad4ab07b511fb16e96296467a0481c761c3985251b151f6f52

SHA512
85e94dc0c33891f3ade2d3d4190d209454885f6519a22dcde1c02845b98bad86c19bc521ab8ef75671c7345f0b7a07e6caba3858c95020b707af5290380e9226

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e4afd00b02754523ed1556cf7a401f4

SHA1
b7bd2f8ab2c1c96503f74911cea892365c4fe6cf

SHA256
15fdb5d152061273afc3626e77fcfd01a47d4cf5b040ef5651bb7a51eefbd2ad

SHA512
08818133acd4f204a6aa0047202af513638bec81825a970f6a463d125cc845be74021dacfbc8ebacf8a6206d71939a1010fcd5871825c1661e4d2394691247a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9CDC.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9DCD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\ogqqphkbkwqf.exe

Filesize
370KB

MD5
aa44fbdee8fa7bb5daa2a4338652781c

SHA1
863fd6a1e39c7b693e9a36808138911543f37ec7

SHA256
83fc7a43626bd2e0debf6a0ab1dc35d04c8b26fab084d314f1c6939f9ca8b9fc

SHA512
064435362aeee131b3f439b575977e5fa8cfa0ec48fd7baf0d88864b84f9df627384327d83e55fbe3db99b3619d146d0ef0cd106918d22ea30de9159b54f6287

Download Submit
memory/1452-6003-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2916-0-0x0000000000370000-0x000000000039F000-memory.dmp

Filesize
188KB

Download
memory/2916-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2916-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2916-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2916-9-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3028-8-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3028-5430-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3028-2369-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3028-6006-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3028-6002-0x0000000003260000-0x0000000003262000-memory.dmp

Filesize
8KB

Download